UTM v 9.503-4 certificate problem

Hello,

got message from UTM:

1 certificate(s) will expire within the next 30 days:

Proxy CA

 

when I clicked Regenerate button, next day - no SSL VPN client could connect, so I restored backup...

but I do have problem: some users have certificate for Proxy CA expiring on 25.11.2017.

I have "permanent": expiring 01.01.2038.

after backup restore, all clients can connect with SSL VPN client...

but I can't connect on User Management page for users from my LAN to DLoad latest VPN package, all VPN users have Remote Access enabled..

checked link below, but as I said - regenerate isn't solving issue at hand...

https://community.sophos.com/products/unified-threat-management/f/general-discussion/93165/proxy-ca-certificate-is-expiring

https://community.sophos.com/products/unified-threat-management/f/management-networking-logging-and-reporting/93319/warning-about-expiring-certs-since-update-to-9-5

https://community.sophos.com/kb/en-us/126962

 

Thanks for any suggestion.

 

KJuric

 



  • Hi,

     

    Sophos Support tweeted this yesterday:

    Advisory: Regenerating the Web Proxy CA on UTM 9.5 causes certificate based VPN connections to fail. Please do not regenerate the CA.^sg

    If you have done this, please read our KB article for available workaround:

    https://community.sophos.com/kb/en-us/127759

     

  • Thanks, Kay.  I was just about to recommend to my clients that they Up2date from 9.413 to 9.505.  I'll wait for this to be worked out.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello,

    thanks for support...

    as I wrote before, after clicking "Regenerate", and whole pandemonium after that, I restored configuration and now wait for November 25th :-)

    Please do notify me when this update will be available, and if there will be any new procedure for regenerating CAs...

     

    Best regards,

     

    Kresimir

  • Hello,

    I updated UTM to latest FW: 9.505-4

    restarted it, made backup.

    Done testing:

    on my private PC, with NO company certificates in certificate stores, started Sophos SSL VPN Client (it has two certificates under iconfig folder in C:\Program Files..., named after my remote site, and description is Company_Name VPN CA - those are only two certificates from my company, but they are not in certificate store)

    VPN works fine..

    OK, so I logged in to UTM - Web Protection - Filtering Options - HTTPS CAs -under Signing CA, downloaded certificate, checked it expires on November 25th.

    I clicked "Regenerate" button, confirmed all fields are OK (even set old administrators e-mail address from IT who worked before me, tried both my, new address, and his)

    restarted UTM, logged in, downloaded regenerated certificate, it is valid from today, November 4th 2017 till Jan 1st 2038...

    but now, VPN isn't working, constantly I get errors in SSL VPN Client (pic down)

     

    I struck through: 1- public IP address, 2 - Company name, 3- admin e-address (old admin)

    What does Signing CA have to do with VPN, as VPN client has its own certificate in installation?

    Should I after regenerating Signing CA go to User portal of UTM and download new SSL VPN Client package (it is generated for each Remote Access user per se)?

    Of course, as I wrote, I made backup, and restored it so I can connect over VPN, but I am running out of time...
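
Not part of the thread: an added sketch of the two checks this discussion turns on, the 30-day expiry warning and whether a client certificate still verifies after a CA is regenerated, using the standard `openssl` CLI. All certificates, file names and subjects are constructed for the demo; it does not read UTM files, and the thread does not state that this is the mechanism behind the UTM 9.5 failure.

```shell
#!/usr/bin/env bash
# Added example: every file and subject name below is constructed.

# True (exit 0) if the certificate in $1 expires within $2 days.
expires_within_days() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# True (exit 0) if certificate $2 verifies against the CA file $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build a throwaway PKI in directory $1: a CA close to expiry, a client
# certificate issued by it, and a "regenerated" CA (same subject, new key).
make_demo_pki() {
    local d="$1"
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed VPN CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 20 \
        -keyout "$d/old_ca.key" -out "$d/old_ca.pem" 2>/dev/null
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$d/new_ca.key" -out "$d/new_ca.pem" 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -subj "/CN=constructed-vpn-user" \
        -newkey rsa:2048 -nodes -keyout "$d/client.key" \
        -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/old_ca.pem" \
        -CAkey "$d/old_ca.key" -CAcreateserial -days 20 \
        -out "$d/client.pem" 2>/dev/null
}

# Demo run: report what each check says for the constructed certificates.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
expires_within_days "$demo_dir/old_ca.pem" 30 && echo "old CA: expires within 30 days"
chains_to "$demo_dir/old_ca.pem" "$demo_dir/client.pem" && echo "client cert: verifies against old CA"
chains_to "$demo_dir/new_ca.pem" "$demo_dir/client.pem" || echo "client cert: does NOT verify against regenerated CA"
rm -rf "$demo_dir"
```

Run against real files, `chains_to` takes the CA certificate exported from the gateway and the certificate shipped in the client package, which shows before any change whether the two are actually related.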
