UTM v 9.503-4 certificate problem

Hello,

got message from UTM:

1 certificate(s) will expire within the next 30 days:

Proxy CA

 

when I clicked Regenerate button, next day - no SSL VPN client could connect, so I restored backup...

but I do have problem: some users have certificate for Proxy CA expiring on 25.11.2017.

I have "permanent": expiring 01.01.2038.

after backup restore, all clients can connect with SSL VPN client...

but I can't connect on User Management page for users from my LAN to DLoad latest VPN package, all VPN users have Remote Access enabled..

checked link below, but as I said - regenerate isn't solving issue at hand...

https://community.sophos.com/products/unified-threat-management/f/general-discussion/93165/proxy-ca-certificate-is-expiring

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/93319/warning-about-expiring-certs-since-update-to-9-5

https://community.sophos.com/kb/en-us/126962

 

Thanks for any suggestion.

 

KJuric

  • Hi, Krešimir, and welcome to the UTM Community!

    When you had problems with the SSL VPN, it meant that you had regenerated the wrong CA.  You were in the VPN section instead of Web Protection.

    At the top of the 'HTTPS CAs' tab of 'Filtering Options', download the current Signing CA and look at it to determine if it will expire.  If it won't, then you have nothing to do.  If it does, then you will need to regenerate it and distribute the new one to your users.  See section 5A/B of Configuring HTTP/S proxy access with AD SSO for quick suggestions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
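Bob's advice is to download the current Signing CA and look at it to see whether it will expire. The script below is an added example, not code from the thread or from Sophos: it reads the downloaded PEM file, walks the DER structure down to the Validity field using only the Python standard library (no cryptography package needed), and reports days remaining against the same 30-day window the UTM warns about. The `sample_ca_pem()` stand-in is constructed here for offline use (unsigned, empty names, placeholder key) and is not a real UTM certificate; on a real box you would point `expiry_report()` at the PEM you downloaded from the 'HTTPS CAs' tab.

```python
"""Added example: report when a downloaded UTM Signing/Proxy CA (PEM) expires."""
import base64
import datetime as dt
import re

WARN_DAYS = 30  # the UTM's "will expire within the next 30 days" window


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(m.group(1).split()))


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _children(buf):
    """Yield (tag, value_bytes) for each element of a DER constructed value."""
    pos = 0
    while pos < len(buf):
        tag, vs, ve = _tlv(buf, pos)
        yield tag, buf[vs:ve]
        pos = ve


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) as an aware UTC datetime."""
    if tag == 0x17:
        fmt = "%y%m%d%H%M%SZ"   # two-digit year; Python maps 00-68 to 20xx, fine for 2017/2038
    elif tag == 0x18:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return dt.datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=dt.timezone.utc)


def validity(der):
    """Return (notBefore, notAfter) of a DER X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, ... }
    Only the path down to 'validity' is walked; the signature is not verified.
    """
    _, vs, ve = _tlv(der, 0)                       # outer Certificate SEQUENCE
    _, tbs = next(_children(der[vs:ve]))           # first child: tbsCertificate
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:            # skip optional [0] EXPLICIT version
        fields = fields[1:]
    _, validity_bytes = fields[3]                  # serial, sigAlg, issuer, validity
    times = list(_children(validity_bytes))
    return _parse_time(*times[0]), _parse_time(*times[1])


def expiry_report(pem_text, now=None):
    """Summarise notAfter relative to `now` (aware datetime, 'YYYY-MM-DD' string, or None = today)."""
    if now is None:
        now = dt.datetime.now(dt.timezone.utc)
    elif isinstance(now, str):
        now = dt.datetime.fromisoformat(now).replace(tzinfo=dt.timezone.utc)
    _, not_after = validity(pem_to_der(pem_text))
    expired = not_after <= now
    days_left = (not_after - now).days
    return {"not_after": not_after.isoformat(), "days_left": days_left,
            "expired": expired, "warn": not expired and days_left <= WARN_DAYS}


def _der(tag, payload):
    """Encode one DER TLV (used only to build the constructed sample below)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def sample_ca_pem(not_before="171101000000Z", not_after="171125000000Z"):
    """Constructed stand-in, NOT a real UTM CA: unsigned, empty names, placeholder key.
    It carries just enough structure for validity() to find the Validity field."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # [0] version: v3
        _der(0x02, b"\x01"),                # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSAEncryption
        _der(0x30, b""),                    # issuer (empty Name)
        _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode())),
        _der(0x30, b""),                    # subject (empty Name)
        _der(0x30, b""),                    # subjectPublicKeyInfo placeholder
    ]))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))   # no real signature
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_ca_pem()
    print(expiry_report(pem))
```

Run it as `python3 check_ca_expiry.py downloaded_proxy_ca.pem`; a `warn` of True is exactly the condition that produces the UTM's "will expire within the next 30 days" message, and the `not_after` date tells you whether you are looking at the 25.11.2017 CA or the 01.01.2038 one the poster found on different machines.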
  • Hello,

    Signing CA is due to expire on November 25th...

    so, I checked and I do have configuration of HTTP/S proxy access setup as per link you posted...

    but if I click "Regenerate" for Signing CA, next day (tested!) everything in my LAN works OK, but VPN clients and site-to-site VPN can't connect...

    Regenerated certificate has just 1 day lifespan, and is expired next day after regeneration...

    Funny thing is, on my laptop (I am one of the last persons to come to company, also laptop is latest in domain) I do have Proxy CA  as:

    in Cert. Management of Local computer - in Personal Storage  - My_Company Proxy CA - with expiry 01.01.2038

    but

    in Cert.Management of Current User - I have two! One in Trusted Root Certificate Authorities  - My_Company Proxy CA - with expiry 25.11.2017

    and in Other Persons - also named My_Company Proxy CA - with expiry 01.01.2038 - only difference between those with same name is Friendly name...

    and on other PCs there is only in Current user Certificate Management - in Trusted Root Certification Authority - My_Company Proxy CA - with expiry also 25.11.2017.

    So what is to be done, as Regenerate creates havoc next day with VPN?

     

    Sorry for lengthy post...

  • In 'Remote Access >> Certificate Management' and 'Site to Site >> Certificate Management', you can regenerate the VPN Signing CA on the 'Advanced' tab - you don't want that.

    You want the 'HTTPS CAs' tab of 'Web Protection >> Filtering Options'.  Regenerating the Proxy CA does not change the 'Local X509 Cert' that is used for SSL VPN or anything else in the VPNs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

     

    thanks for quick replies...

    however, I am certain I clicked "Regenerate"  for Signing CA in "Web Protection/Filtering Options/ HTTPS CAs"...

    and nothing, no feedback info is given on that...

    and tomorrow all hell broke loose with VPN ?!?!...

    so I restored UTM backup, and now is everything OK except certificate expiry....

    again, I did that, I can try again but how to propagate "new" certificate around?

     

    Best regards,

    Kresimir

  • Krešimir, you can confirm that the CAs are unrelated.  At the command line as root, find the REF_ for the certificate used by the SSL VPN:

    cc get ssl_vpn 'certificate'

    That will give you something like REF_CaHosLocalX509Cert, and you can see the REF_ for the CA for that certificate with:

    cc get_object REF_CaHosLocalX509Cert|grep ca

    Now, to see which CA is used for HTTPS in Web Filtering:

    cc get ca ca_proxies

    The result should be a different REF_ than for the CA for the SSL VPN certificate.

    You said, "I can try again but how to propagate "new" certificate around?"

    See section 5A/B of Configuring HTTP/S proxy access with AD SSO for quick suggestions.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
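The three `cc` commands above can be wrapped so the comparison is done for you rather than by eye. The script below is an added example, not code from the thread or from Sophos: it runs `cc get ssl_vpn certificate`, `cc get_object <REF_>` and `cc get ca ca_proxies` on the UTM (as root) and reports whether the SSL VPN certificate's CA and the Web Filtering proxy CA are different objects. It does not assume the exact print format of `cc`; it extracts `REF_` tokens, and for the `get_object` output it first tries a `'ca' => 'REF_...'` key (an assumption about the dump format) and otherwise falls back to Bob's `grep ca`. The `sample_runner()` stand-in and its REF_ names other than `REF_CaHosLocalX509Cert` are constructed here so the logic can be exercised off the box.

```python
"""Added example: check that the SSL VPN certificate's CA and the proxy CA are unrelated."""
import re
import subprocess

REF_RE = re.compile(r"REF_[A-Za-z0-9]+")
# Assumed shape of the 'ca' attribute in `cc get_object` output; falls back to grep-style below.
CA_KEY_RE = re.compile(r"'ca'\s*=>\s*'(REF_[A-Za-z0-9]+)'")


def run_cc(args):
    """Default runner: execute `cc <args>` on the UTM itself (needs root). Injectable for tests."""
    return subprocess.check_output(["cc", *args], text=True)


def _first_ref(text):
    m = REF_RE.search(text)
    if not m:
        raise ValueError(f"no REF_ object id found in: {text.strip()!r}")
    return m.group(0)


def _ca_ref_from_object(dump):
    """Prefer an explicit 'ca' => 'REF_...' key; otherwise mirror `| grep ca`."""
    m = CA_KEY_RE.search(dump)
    if m:
        return m.group(1)
    ca_lines = [line for line in dump.splitlines() if "ca" in line]
    return _first_ref("\n".join(ca_lines))


def ca_refs(run=run_cc):
    """Return (vpn_cert_ref, vpn_ca_ref, proxy_ca_ref), mirroring:
         cc get ssl_vpn 'certificate'
         cc get_object <REF_> | grep ca
         cc get ca ca_proxies
    """
    cert_ref = _first_ref(run(["get", "ssl_vpn", "certificate"]))
    vpn_ca_ref = _ca_ref_from_object(run(["get_object", cert_ref]))
    proxy_ca_ref = _first_ref(run(["get", "ca", "ca_proxies"]))
    return cert_ref, vpn_ca_ref, proxy_ca_ref


def cas_are_unrelated(run=run_cc):
    """True when the proxy CA is a different object from the SSL VPN certificate's CA,
    i.e. regenerating the Proxy CA on the 'HTTPS CAs' tab cannot touch the VPNs."""
    _, vpn_ca, proxy_ca = ca_refs(run)
    return vpn_ca != proxy_ca


def sample_runner(proxy_same_as_vpn=False):
    """Constructed stand-in for `cc`: made-up output shapes and made-up REF_ names
    (except REF_CaHosLocalX509Cert, which Bob quotes), for running the check offline."""
    vpn_ca = "REF_CaSigVpnCaExample"
    proxy_ca = vpn_ca if proxy_same_as_vpn else "REF_CaSigProxyCaExample"
    outputs = {
        ("get", "ssl_vpn", "certificate"): "REF_CaHosLocalX509Cert\n",
        ("get_object", "REF_CaHosLocalX509Cert"):
            "{\n  'ca' => '" + vpn_ca + "',\n  'name' => 'Local X509 Cert'\n}\n",
        ("get", "ca", "ca_proxies"): proxy_ca + "\n",
    }

    def run(args):
        return outputs[tuple(args)]
    return run


if __name__ == "__main__":
    cert, vpn_ca, proxy_ca = ca_refs()
    print(f"SSL VPN certificate: {cert}\n  its CA:            {vpn_ca}\nproxy CA:            {proxy_ca}")
    print("unrelated" if vpn_ca != proxy_ca else "SAME CA - regenerating would affect the VPN")
```

Run it on the UTM shell as root; if it prints "unrelated", the 'HTTPS CAs' regenerate cannot be what broke the SSL VPN, which is the point Bob is making.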