
HTML5 VPN Portal/WebAdmin Certificate issue.

Hi,

There seem to be a number of threads discussing an issue which I crashed into this morning when attempting to use an SSL certificate purchased from COMODO on my UTM9 appliance.  The issue, from what I can see in the forums and from the results of an SSL Labs scan, seems to revolve around UTM9 not presenting intermediate certificates to the client browser, resulting in said browser marking the certificate as untrusted.  From what I can see, this is a known bug and was supposed to be fixed in 9.3, but from what I can see it still hasn't happened.

If possible, could anyone provide any insight as to whether there is a forthcoming fix?

Previous thread was here:

https://community.sophos.com/products/unified-threat-management/f/51/t/22147#pi394=2

Thanks!



  • Hi, Iain, and welcome to the UTM Community!

    As you saw in that thread, I'm not having that problem with any of my clients that have a Comodo cert with an intermediate CA.  Assuming that you have the Windows version of OpenSSL installed, cd to that directory and run:

    type "{Comodo Intermediate CA file}" "{Comodo Root CA file}" > chain.pem
    openssl.exe pkcs12 -export -in sub.domain.com.cer -inkey sub.domain.com.private.key -certfile chain.pem -out sub.domain.com.p12

    Where:

    • sub.domain.com.cer is the certificate file you got from Comodo
    • sub.domain.com.private.key is the private key used to generate your CSR
    • sub.domain.com.p12 is the PKCS#12 that you can upload

    Any luck with that?

    Cheers - Bob

  • Hiya Bob,


    Many thanks for the reply.  I was using OpenSSL under Linux, but what I did was pretty much the same thing as you outlined above.  It looks like some of my testing was flawed.  I cleared everything out and started again, and the certificate works just fine from a modern PC browser point of view - Chrome, Firefox and IE are all good.  It seems to be falling down with Chrome on Android, however, where the entire trust chain isn't being presented.  The test at SSLlabs also shows the same type of problem - it works, but it has to manually go and get the intermediate certificates.


    In summary - all good on the PC which is really the only bit I'm bothered about.  Invalid certificate reported by Android browsers.

    Thanks again!


    IW

  • Hi,


    Please use the shell to solve the problem.

    In the web interface you can see that the UTM should be using the right certificate. But it does NOT! The UTM uses a different certificate from the one shown in the web interface!

    Check the configuration in /var/sec/chroot-httpd/etc/httpd.

    If you use intermediate certificates, you have to edit the configuration in /var/sec/chroot-httpd/etc/httpd/vhost/httpd-portal.conf

    # server certificate
    SSLCertificateFile /etc/httpd/WebAdminCert.pem
    # matching private key
    SSLCertificateKeyFile /etc/httpd/WebAdminKey.pem
    # intermediate CA(s) sent to the client along with the server certificate; several can be concatenated in this one file
    SSLCertificateChainFile /etc/httpd/intermediate1.pem
    # trust store used for verifying client certificates
    SSLCACertificateFile /etc/httpd/intermediate2.pem

    Regards, Stefan
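Added example, not code from this thread, from Sophos or from the UTM: a POSIX shell script that generates a throwaway root / intermediate / leaf chain with openssl, checks that the chain file links up in order, and packs leaf, intermediate and root into one PKCS#12 the way Bob's command intends. It shows why a single -certfile has to hold the whole chain, and the chain.pem it builds is the shape of file Stefan's SSLCertificateChainFile would point at. All names (test-root, test-intermediate, vpn.example.test, the pass:test password) are constructed for the example.

```shell
#!/bin/sh
# Added example, not from this thread or from Sophos/UTM. Builds a throwaway
# root -> intermediate -> leaf chain (names constructed), checks the chain file
# links up, and packs leaf + chain into one PKCS#12 as Bob's command intends.
set -e

# Generate a self-signed root, an intermediate signed by it, and a server leaf
# signed by the intermediate, into directory $1.
make_test_pki() {
  dir="$1"
  cat > "$dir/test.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.pem" \
    -subj "/CN=test-root" -days 2 -config "$dir/test.cnf" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/intermediate.key" \
    -out "$dir/intermediate.csr" -subj "/CN=test-intermediate" -config "$dir/test.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 2 -extfile "$dir/test.cnf" -extensions ca_ext \
    -out "$dir/intermediate.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
    -out "$dir/leaf.csr" -subj "/CN=vpn.example.test" -config "$dir/test.cnf" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" -CAkey "$dir/intermediate.key" \
    -CAcreateserial -days 2 -extfile "$dir/test.cnf" -extensions leaf_ext \
    -out "$dir/leaf.pem" 2>/dev/null
}

# Print "ok" if, reading the leaf and then the chain file, each certificate's
# issuer is the subject of the next one. A chain file in the wrong order fails
# here, which is the kind of mistake that strict clients (Android Chrome, the
# SSL Labs test) refuse to paper over.
chain_links_ok() {
  leaf="$1"; chain="$2"; work=$(mktemp -d)
  cat "$leaf" "$chain" | awk -v d="$work" 'BEGIN{n=0} /BEGIN CERT/{n++} {print > (d "/c" n ".pem")}'
  i=1
  while [ -f "$work/c$((i+1)).pem" ]; do
    issuer=$(openssl x509 -in "$work/c$i.pem" -noout -issuer)
    subject=$(openssl x509 -in "$work/c$((i+1)).pem" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || { echo "break after certificate $i"; return 1; }
    i=$((i+1))
  done
  echo ok
}

# Build the PKCS#12 and print how many certificates it carries
# (3 = leaf, intermediate, root).
build_p12_with_chain() {
  dir=$(mktemp -d)
  make_test_pki "$dir"
  # openssl pkcs12 honours only the last -certfile on the command line, so the
  # intermediate and root go into one file, closest-to-leaf first.
  cat "$dir/intermediate.pem" "$dir/root.pem" > "$dir/chain.pem"
  chain_links_ok "$dir/leaf.pem" "$dir/chain.pem" >/dev/null
  openssl pkcs12 -export -in "$dir/leaf.pem" -inkey "$dir/leaf.key" \
    -certfile "$dir/chain.pem" -passout pass:test -out "$dir/site.p12"
  openssl pkcs12 -in "$dir/site.p12" -nokeys -passin pass:test 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

echo "certificates in PKCS#12: $(build_p12_with_chain)"
```

To see what a live portal actually presents, `openssl s_client -connect host:443 -servername host -showcerts` lists every certificate the server sends; if only the leaf appears there, that is the Android / SSL Labs symptom described in the thread, regardless of what the WebAdmin page shows.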