Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 12 replies
  • Subscribers 8 subscribers
  • Views 25888 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Invalid Certificate Error

Dustin Southard

 Hello,

Recently we have been running in to issues where users are unable to access websites that were previously available to them. The error they are receiving is NET:ERR_CERT_AUTHROITY_INVALID. This started shortly after we upgrade from Chrome 58 to 63. We originally thought the jump in version was to blame, but after rolling back we are still having the same issue. The issue is also present in Internet Explorer. It seems to be flagging random websites such as Facebook, CNN, and other HTTPS enabled sites but it is totally random. Users are reporting the certificate issue in the morning but if they wait for a while it may or not load the page a few minutes later. The sites are not consistent either. Some users have never had the issue and others have it every day. The certificate it is pointing to is the Signing CA under Filtering Options > HTTPS CAs. We are not using decrypt and scan, however the browsers are using our Signing CA as the certificate for valid websites. When the pages finally load they show the proper certificate. We do use a proxy on all of our computers that go through the UTM.

At the request of Sophos tech support we downloaded the certificate from our UTM and pushed it to all users via GPO but that did not make a difference. It is my understanding that we should only need to do that if we are using decrypt and scan. He also has me restart the appliances in an attempt to get them to resynch. I enabled and disabled Decrypt and Scan hoping it might trigger something in the system to stop scanning. This has been going on for over a week and the support tech we are using has not been able to resolve the issue so I was hoping somebody here may have seen and corrected this issue before. 

 

Thanks in advance,

Dustin



This thread was automatically locked due to age.
  • 0 in reply to hgriffith

    As I indicated on Feb 13, you SHOULD distribute your UTM CA Certificate, because it is needed for Block and Warn pages  (anytime an HTTPS site is blocked or warned, even with inspection disabled.

    Apparently your UTM had a memory corruption, which was cleared by the reboot.  Either it tried to block/warn but had a problem with the block/warn page so it displayed the target page anyway, or as you suggested, it thought https inspection was supposed to be on for that site.   Given that you randomness was between display-normal and display-with-CA-cert, the latter probably fits the scenario better.

  • 0 in reply to DouglasFoster

    Understood.  How it operates makes sense and we've known that. However, for us we're willing to have the error on a blocked site because in reality if it's blocked more than likely it's something they shouldn't be visiting.  Given our environment, it works best for us.  Another situation for us is our number of wifi guest networks that pass through our UTMs at all different locations that we want some filtering on.  The option of passing out a CA is not an option at all given the wide array of phones, tablets and BYOD devices hitting the guest networks.

    But thanks to everyone who piped in.  Another reason I use Sophos - the community.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML