[9.171][BUG]Own cert for error pages: CSS missing

I changed the cert for the user error pages to an own cert (Web Filtering -> Filtering Options -> Misc -> Certificate for End-User Pages).
It is a free StartCom certificate.
The cn of this cert is: "utm.mydomain.com" (matches the UTM host name).

I also imported the StartCom CA and Internediate CA into my UTM (HTTPS CAs).

Now when the user gets an error page displayed, neither the CSS design nor the logo are loaded.
The URLs to these files point to "passtrough.utm.mydomain.com", which wasn't resolved by my internal DNS server. So I created a DNS record pointing "passthrough.utm.mydomain.com" to my UTM's internal IP.
But still the CSS and picture files don't load.

When I try to call "passthrough.utm.mydomain.com/static/default.css" directly in my browser, I get a 403 Forbidden error.

Bug or have I done/understood something wrong?

Parents

0 Michael Dunn over 11 years ago

The intention was that customers who already owned a certificate for their and had it trusted (usually because it was officially signed) would be able to use it in the UTM and therefore not need to install a CA on every computer.  Unfortunately it turns out that even if we use this certificate for passthrough the CA is still needed in many locations.  We hoped it would fix several problems, but it is only a complete solution in one of them.

Therefore this feature is a work in progress, I don't think the 9.170 build will be the final functionality.  And so far, we have no documentation.

In general what you have done is correct.  The StartCom certificate would have to be trusted by the computer you are accessing from.

The certificate should be created for passthrough.utm.mydomain.com as either a Common Name or it needs to be wildcard *.utm.mydomain.com.  I believe it also allows for a Subject Altername Name.  The wildcard and SAN are not tested yet.

passthrough.utm.mydomain.com needs to be DNS resolvable.  If you are using Transparent Mode and you use the UTM as your DNS server you don't need to do anything.  If you have your own DNS server you need to configure it there.  If you are using Standard Mode I think you don't need to do any DNS.

Browsing to the following two sites should work
http://passthrough.utm.mydomain.com/static/default.css
https://passthrough.utm.mydomain.com/static/default.css

If you get a certificate error - make sure that the StartCom certificate is trusted by the computer you are accessing from.

If it doesn't work, try the raw IP to make sure you don't have a resolving issue
http://1.2.3.4/static/default.css

If you still have trouble, please post the http.log
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Michael Dunn over 11 years ago

The intention was that customers who already owned a certificate for their and had it trusted (usually because it was officially signed) would be able to use it in the UTM and therefore not need to install a CA on every computer.  Unfortunately it turns out that even if we use this certificate for passthrough the CA is still needed in many locations.  We hoped it would fix several problems, but it is only a complete solution in one of them.

Therefore this feature is a work in progress, I don't think the 9.170 build will be the final functionality.  And so far, we have no documentation.

In general what you have done is correct.  The StartCom certificate would have to be trusted by the computer you are accessing from.

The certificate should be created for passthrough.utm.mydomain.com as either a Common Name or it needs to be wildcard *.utm.mydomain.com.  I believe it also allows for a Subject Altername Name.  The wildcard and SAN are not tested yet.

passthrough.utm.mydomain.com needs to be DNS resolvable.  If you are using Transparent Mode and you use the UTM as your DNS server you don't need to do anything.  If you have your own DNS server you need to configure it there.  If you are using Standard Mode I think you don't need to do any DNS.

Browsing to the following two sites should work
http://passthrough.utm.mydomain.com/static/default.css
https://passthrough.utm.mydomain.com/static/default.css

If you get a certificate error - make sure that the StartCom certificate is trusted by the computer you are accessing from.

If it doesn't work, try the raw IP to make sure you don't have a resolving issue
http://1.2.3.4/static/default.css

If you still have trouble, please post the http.log
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data