UTM v 9.503-4 certificate problem

Hello,

I got this message from the UTM:

1 certificate(s) will expire within the next 30 days:

Proxy CA

When I clicked the Regenerate button, the next day no SSL VPN client could connect, so I restored a backup...

But I do have a problem: some users have a certificate for the Proxy CA expiring on 25.11.2017.

I have a "permanent" one: expiring 01.01.2038.

After the backup restore, all clients can connect with the SSL VPN client...

But I can't connect to the User Management page for users from my LAN to download the latest VPN package; all VPN users have Remote Access enabled...

I checked the links below, but as I said, regenerating isn't solving the issue at hand...

https://community.sophos.com/products/unified-threat-management/f/general-discussion/93165/proxy-ca-certificate-is-expiring

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/93319/warning-about-expiring-certs-since-update-to-9-5

https://community.sophos.com/kb/en-us/126962

Thanks for any suggestion.

 

KJuric

  • Hi, Krešimir, and welcome to the UTM Community!

    When you had problems with the SSL VPN, it meant that you had regenerated the wrong CA.  You were in the VPN section instead of Web Protection.

    At the top of the 'HTTPS CAs' tab of 'Filtering Options', download the current Signing CA and look at it to determine if it will expire.  If it won't, then you have nothing to do.  If it does, then you will need to regenerate it and distribute the new one to your users.  See section 5A/B of Configuring HTTP/S proxy access with AD SSO for quick suggestions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    Signing CA is due to expire on November 25th...

    So, I checked and I do have the configuration of HTTP/S proxy access set up as per the link you posted...

    But if I click "Regenerate" for the Signing CA, the next day (tested!) everything in my LAN works OK, but VPN clients and site-to-site VPN can't connect...

    The regenerated certificate has just a 1-day lifespan, and is expired the day after regeneration...

    Funny thing is, on my laptop (I am one of the last persons to come to the company, and the laptop is the latest in the domain) I do have the Proxy CA as:

    in Certificate Management of Local Computer - in Personal storage - My_Company Proxy CA - with expiry 01.01.2038

    but

    in Certificate Management of Current User - I have two! One in Trusted Root Certification Authorities - My_Company Proxy CA - with expiry 25.11.2017

    and one in Other People - also named My_Company Proxy CA - with expiry 01.01.2038 - the only difference between those with the same name is the Friendly name...

    and on other PCs there is only one, in Current User Certificate Management - in Trusted Root Certification Authorities - My_Company Proxy CA - with expiry also 25.11.2017.

    So what is to be done, as Regenerate creates havoc the next day with the VPN?

    Sorry for the lengthy post...

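The post above finds several certificates named "My_Company Proxy CA" in different Windows stores with different expiry dates. The following PowerShell is an added example (not code from the thread or from Sophos) that lists every copy of a Proxy CA across the stores the post mentions, groups them by thumbprint so you can tell "same certificate in two stores" from "old CA next to regenerated CA", and flags any copy that expires within the UTM's 30-day warning window. The CA name is taken from the post; change `$caName` to your own CA's subject.

```powershell
# Added example: audit which Windows certificate stores hold the UTM Proxy CA
# and which copies are about to expire. Run in an elevated PowerShell to read
# the LocalMachine stores; CurrentUser stores are readable without elevation.
$caName   = 'My_Company Proxy CA'   # subject from the post; replace with yours
$deadline = (Get-Date).AddDays(30)  # same 30-day window as the UTM warning

# Stores named in the post: Local Computer\Personal, Current User\Trusted Root,
# Current User\Other People (AddressBook). LocalMachine\Root added for completeness.
$stores = @(
    'Cert:\LocalMachine\My',
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\AddressBook'
)

$found = foreach ($store in $stores) {
    if (-not (Test-Path $store)) { continue }
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$caName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store        = $store
                Subject      = $_.Subject
                FriendlyName = $_.FriendlyName
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                ExpiresSoon  = ($_.NotAfter -le $deadline)
            }
        }
}

# Per-store listing: same thumbprint in two stores is one certificate installed
# twice; two thumbprints with the same subject are the old and the regenerated CA.
$found | Sort-Object Thumbprint, Store | Format-Table -AutoSize

# Summary per distinct certificate, so a stale copy is easy to spot and remove.
$found | Group-Object Thumbprint | ForEach-Object {
    $c = $_.Group[0]
    $state = if ($c.ExpiresSoon) { 'EXPIRING/EXPIRED' } else { 'current' }
    '{0}  expires {1:yyyy-MM-dd}  [{2}]  present in {3} store(s)' -f `
        $c.Thumbprint, $c.NotAfter, $state, $_.Count
}
```

After regenerating the Signing CA on the UTM, the freshly downloaded CA's thumbprint is the one that should appear in Trusted Root on every client; any other thumbprint under the same name is the copy to retire.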
  • In 'Remote Access >> Certificate Management' and 'Site to Site >> Certificate Management', you can regenerate the VPN Signing CA on the 'Advanced' tab - you don't want that.

    You want the 'HTTPS CAs' tab of 'Web Protection >> Filtering Options'.  Regenerating the Proxy CA does not change the 'Local X509 Cert' that is used for SSL VPN or anything else in the VPNs.

    Cheers - Bob

  • Hello Bob,

    Thanks for the quick replies...

    However, I am certain I clicked "Regenerate" for the Signing CA in "Web Protection/Filtering Options/HTTPS CAs"...

    and nothing, no feedback is given on that...

    and the next day all hell broke loose with the VPN?!?!...

    So I restored the UTM backup, and now everything is OK except the certificate expiry...

    Again, I did that; I can try again, but how do I propagate the "new" certificate around?

    Best regards,

    Kresimir

  • Krešimir, you can confirm that the CAs are unrelated.  At the command line as root, find the REF_ for the certificate used by the SSL VPN:

    cc get ssl_vpn 'certificate'

    That will give you something like REF_CaHosLocalX509Cert, and you can see the REF_ for the CA for that certificate with:

    cc get_object REF_CaHosLocalX509Cert|grep ca

    Now, to see which CA is used for HTTPS in Web Filtering:

    cc get ca ca_proxies

    The result should be a different REF_ than for the CA for the SSL VPN certificate.

    You said, "I can try again but how to propagate "new" certificate around?"

    See section 5A/B of Configuring HTTP/S proxy access with AD SSO for quick suggestions.

    Cheers - Bob

  • Hi,

    Sophos Support tweeted this yesterday:

    Advisory: Regenerating the Web Proxy CA on UTM 9.5 causes certificate based VPN connections to fail. Please do not regenerate the CA.^sg

    If you have done this, please read our KB article for the available workaround:

    https://community.sophos.com/kb/en-us/127759

  • Thanks, Kay.  I was just about to recommend to my clients that they Up2date from 9.413 to 9.505.  I'll wait for this to be worked out.

    Cheers - Bob

  • Hello,

    Thanks for the support...

    As I wrote before, after clicking "Regenerate" and the whole pandemonium after that, I restored the configuration and now wait for November 25th :-)

    Please do notify me when this update will be available, and if there will be any new procedure for regenerating CAs...

    Best regards,

    Kresimir

  • Hello,

    I updated the UTM to the latest FW: 9.505-4

    restarted it, made a backup.

    Done testing:

    On my private PC, with NO company certificates in the certificate stores, I started the Sophos SSL VPN Client (it has two certificates under the config folder in C:\Program Files..., named after my remote site, and the description is Company_Name VPN CA - those are the only two certificates from my company, but they are not in the certificate store).

    The VPN works fine...

    OK, so I logged in to the UTM - Web Protection - Filtering Options - HTTPS CAs - under Signing CA, downloaded the certificate, and checked that it expires on November 25th.

    I clicked the "Regenerate" button, confirmed all fields are OK (even set the old administrator's e-mail address from IT, who worked before me; tried both my new address and his),

    restarted the UTM, logged in, downloaded the regenerated certificate; it is valid from today, November 4th 2017, till Jan 1st 2038...

    But now the VPN isn't working; I constantly get errors in the SSL VPN Client (pic below).

    I struck through: 1 - public IP address, 2 - company name, 3 - admin e-mail address (old admin)

    What does the Signing CA have to do with the VPN, as the VPN client has its own certificate in the installation?

    Should I, after regenerating the Signing CA, go to the User Portal of the UTM and download a new SSL VPN Client package (it is generated for each Remote Access user per se)?

    Of course, as I wrote, I made a backup and restored it so I can connect over VPN, but I am running out of time...
