
UTM9, OpenVPN/SSL-VPN with SOPHOS as Intermediate Signing CA

Hey,

maybe some of you tried this already and were wondering, like me, why the client connection fails and the Sophos log shows the error "VERIFY ERROR: depth=2, error=self signed certificate in certificate chain...".

First of all, if you issued an intermediate signing CA cert for your Sophos (e.g. based on an existing PKI in your company network), you have to upload all the issuer certs in the chain into the "CA" store of your Sophos before you upload the issued intermediate signing CA cert.

Here are the two things the Sophos does not do right in this configuration...

(1) If you download the OpenVPN (SSL-VPN) client configuration for a user, the Sophos does not include the root CA cert (and all intermediate CA certs) in the "*.ovpn" file. It adds only its own signing CA cert (always believing it's a default self-signed root CA...).

So you have to add all issuer certs of the chain (PEM format) into the "<ca></ca>" section of the "*.ovpn" file. Don't worry, the "<ca></ca>" section can contain as many certs as needed.

(2) The OpenVPN server itself must be able to find all issuer certs too. They are searched for here: "/var/sec/chroot-openvpn/etc/openvpn/ca.d" (name format "<subject_hash>.0"). But the Sophos only stores its signing CA cert here too (still believing it's a default self-signed root CA...).

All uploaded verification CA certs are stored here: "/var/sec/chroot-ipsec/etc/ipsec.d/cacerts". They get a "REF_CaVer<...>.pem" name. You can determine the right name(s) by displaying the "printable configuration" (section "site_to_site_vpn"/"ca"/"verification ca").

So all you have to do now is:

Sign into the SSH shell and navigate to "/var/sec/chroot-openvpn/etc/openvpn/ca.d". Use "ln" to link "/var/sec/chroot-ipsec/etc/ipsec.d/cacerts/REF_CaVer<...>.pem" to "<subject_hash>.0".

To find the right hash value of your issuer certs you can use the "printable configuration" too. For each verification CA you'll find a "certificate meta information" (it's a "REF_CaMet..." object). This information contains the "subject_hash" value you must use to name the link.

Be aware that a firmware update may delete all links created under "/var/sec/chroot-openvpn/etc/openvpn/ca.d". So you have to recreate them after an update before OpenVPN clients can connect again.

Hope this info helps someone and hoping this will be fixed some day...

Michael
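The ca.d linking step from the post, as an added example that is not part of the original post or of Sophos' own tooling: it computes each issuer cert's subject_hash with openssl instead of reading it from the printable configuration, links only the certs you name (the signing CA's chain, not every verification CA on the box), and checks the result the way the server looks it up. It assumes openssl is on the PATH; the REF_CaVer file names in the usage comment are placeholders for the ones found in your printable configuration.

```shell
#!/bin/sh
# Added example (not from the post). Assumes: openssl on PATH; the issuer
# certs are PEM files (e.g. the REF_CaVer<...>.pem names taken from the
# printable configuration); ca.d is given as an argument so the script can
# be tried on a scratch directory first.
set -eu

# OpenSSL subject_hash of one PEM cert: the <subject_hash> in "<subject_hash>.0".
subject_hash_of() {
    openssl x509 -noout -subject_hash -in "$1"
}

# link_ca_certs CA_D PEM...  Hard-links each issuer cert into CA_D as
# <subject_hash>.N, N being the first free suffix, which is how OpenSSL's
# hashed-directory lookup (and so OpenVPN) finds it. Only the chain of the
# signing CA is passed in, not every verification CA on the box.
# Prints the number of links created; an already-linked cert is skipped.
link_ca_certs() {
    dst="$1"; shift
    mkdir -p "$dst"
    count=0
    for pem in "$@"; do
        hash=$(subject_hash_of "$pem")
        n=0
        while [ -e "$dst/$hash.$n" ]; do
            # same bytes already present under this hash: nothing to do
            if cmp -s "$pem" "$dst/$hash.$n"; then n=""; break; fi
            n=$((n + 1))   # hash collision: OpenSSL tries .1, .2, ...
        done
        [ -n "$n" ] || continue
        # hard link as in the post (stays reachable from inside the
        # OpenVPN chroot); fall back to a copy across filesystems
        ln "$pem" "$dst/$hash.$n" 2>/dev/null || cp "$pem" "$dst/$hash.$n"
        count=$((count + 1))
    done
    echo "$count"
}

# Same hashed-directory lookup the server performs: verify a cert from CA_D.
verify_from_ca_d() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage on the UTM (file names are placeholders for your REF_CaVer<...>.pem):
#   link_ca_certs /var/sec/chroot-openvpn/etc/openvpn/ca.d \
#       /var/sec/chroot-ipsec/etc/ipsec.d/cacerts/REF_CaVerROOT.pem \
#       /var/sec/chroot-ipsec/etc/ipsec.d/cacerts/REF_CaVerINTER.pem
```

Running verify_from_ca_d against the server cert after linking tells you before the next client attempt whether the chain in ca.d is complete, and the same call is a quick check after a firmware update has wiped the links.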


