topic Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error in Firewall and Security Management

https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

aks_2512 — Mon, 22 May 2023 12:22:26 GMT

hi, we setup a vm and created an https inspection policy rule to allow access to "Internet" on port https/443 and set the action to inspect and to use the outbound_certificate. Before the rule was set, the vm was able to access internet sites ok. After the https inspection rule was enabled and policy installed, access to any internet website pops up with NET::ERR_CERT_AUTHORITY_INVALID error.

we use sub-CA on the gateway issued by our enterprise root CA. This sub-CA is present in the Trusted CA's of the gateway object.

root CA cert is installed on the vm under trusted root ca. I have also exported the sub-CA cert from the https inspection tab of the gateway and imported it under root ca of the vm (tried it under intermediate ca and third party ca as well).

checkpoint logs show http validation == untrusted certificate. reboot of the vm did not help either.

using version r81.10

not sure what am i missing.. any suggestions please. Thank you in advance.

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

G_W_Albrecht — Mon, 22 May 2023 13:49:38 GMT

Maybe https://support.checkpoint.com/results/sk/sk112722 ?

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

the_rock — Mon, 22 May 2023 18:50:17 GMT

If its under trusted root, that sounds right. Here is how customer I worked with on this issue last year fixed it, maybe you can confirm this. Also, make sure that automatic update is checked in https legacy dashboard (its under blades tab in smart console)

Andy

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

aks_2512 — Tue, 23 May 2023 06:29:12 GMT

Tried this, same error.

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

aks_2512 — Tue, 23 May 2023 06:40:33 GMT

automatic updates already checked in the legacy dashboard.

Viewing the cert from the url bar gives - Issued by - Common name = Untrusted.

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

the_rock — Tue, 23 May 2023 10:50:50 GMT

I have fully working https inspection lab, will check later.

Andy

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

the_rock — Tue, 23 May 2023 13:44:49 GMT

I have fully working https inspection lab, will check later.

Andy

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

the_rock — Tue, 23 May 2023 13:45:39 GMT

Btw, just checked and that error might not be cert issue necessarily. Do you get this for any given browser and on every machine or you just tested on one?

Andy

https://www.hostinger.com/tutorials/err_cert_authority_invalid

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

G_W_Albrecht — Tue, 23 May 2023 15:16:31 GMT

I would suggest to contact CP TAC to get this resolved !

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

the_rock — Tue, 23 May 2023 16:41:42 GMT

I agree with Guenther, please work with TAC to get this solved, might be much faster via remote session.

Andy

Re: https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

_Val_ — Fri, 26 May 2023 09:21:00 GMT

When using a sub-CA root cert, make sure the whole chain is included and can be validated through CLRs. If not, the actual certificate will be shown as untrusted.