topic HTTPS Inspection Broken Certificate Chain on websites in Firewall and Security Management

HTTPS Inspection Broken Certificate Chain on websites

jberg712 — Thu, 22 Aug 2024 20:49:47 GMT

I wanted to find out if other people have this issue. We occasionally run into websites that display untrusted certificate errors when in fact these sites do have trusted certificate. A detect log indicates that the Certificate Chain is not signed by a Trusted CA, which is NOT TRUE. It is signed, but when I run the test with www.ssllabs.com, they state the website has a broken chain. It's a certificate from a valid CA, just whoever installed the certificate on these sites, may not know how to install them properly to include the full chain. The sites i'm actually speaking of that we've had the most trouble with are 'usda.gov' sites. The most current one is 'usdalinc.sc.egov.usda.gov'. It seems like what SOMETIMES fixes this is adding the server certificate into the trusted CA. OR i just have to do a bypass which I'd rather not do.

Is there anything or any other option that corrects this issue? That can leave things to where they're inspected, but not indicate the site is untrusted just because of a broken chain on their end? I just want to get other people's take on what they do for this particular scenario.

Re: HTTPS Inspection Broken Certificate Chain on websites

CaseyB — Thu, 22 Aug 2024 21:01:49 GMT

I am running R81.10 JHF 150 with HTTPS inspection, the website you provided is working fine for me with no certificate issues.

Are you automatically downloading and updating your CA certs?

Is your Trusted CA drop-down list empty? (it should be)

Re: HTTPS Inspection Broken Certificate Chain on websites

jberg712 — Thu, 22 Aug 2024 21:06:02 GMT

We are running R81.20 JHF 79. We are set to download and update the Trusted CAs automatically.

The Add CA list does have some certificates in it. We did run a cpm_doc and I saw where some CAs were listed, but I don't know how to clean those up. How do we remove those? Or what do we do with those? Our list under Add shows 14 objects out of 497.

Re: HTTPS Inspection Broken Certificate Chain on websites

CaseyB — Thu, 22 Aug 2024 21:43:01 GMT

If you only have 14 items in the list, I would just click on them to manually add and then do a publish / install.

Not sure with regards to the cpm_doc.

Re: HTTPS Inspection Broken Certificate Chain on websites

the_rock — Fri, 23 Aug 2024 15:53:51 GMT

I have ssl inspection lab on same versions, just tested those sites, no issues.

Andy

Re: HTTPS Inspection Broken Certificate Chain on websites

jberg712 — Wed, 28 Aug 2024 20:29:57 GMT

Let me ask this. What sort of issues are there with Certificates being in the drop down list under 'Add'. The reason why they are there is because most of them are expired and some were user added certificates to 3rd parties that we no longer use. So, when I removed them from the big list of Trusted CAs, I'm guessing they ended up there. I don't really need those certificates/CAs anymore. If they're in that list, even though they've expired/no longer in use, what harm or issue does it create?

Re: HTTPS Inspection Broken Certificate Chain on websites

Alex- — Thu, 29 Aug 2024 05:23:17 GMT

I recall an SK, I believe the HTTPS Inspection Best Practices, stating that adding the CA manually in the list is the way to go, I used to do this from time to time for specific sites from a tool like ssllabs, but hadn't seen this issue recently.

You're correct and your expired certificates won't be used anyway so you can leave them out of the main list.

Re: HTTPS Inspection Broken Certificate Chain on websites

CaseyB — Thu, 29 Aug 2024 19:32:25 GMT

The only issue with certificates being in the drop-down list is, if you browse to a website using that specific certificate in the drop-down list, then you will get an error message while using HTTPS inspection as it is not trusted.

In the case of your specific scenario, the website is using "Entrust Certification Authority - L1K" & "Entrust Root Certification Authority - G2", so those should not be in the drop-down list, if they are, please add them.