https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49283#M57993 <P>It’s impossible for a gateway to be running R80.20.M2 because that’s a Management-only release. What is the gateway actually running here? Also, is this happening consistently for specific sites or at&nbsp;random?</P> Sat, 30 Mar 2019 16:03:19 GMT PhoneBoy 2019-03-30T16:03:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49217#M57992 <P>Hi all,</P><P>I have a gateway running 80.20 M2 and I recently enabled SSL Inspection for a small group. It is working correctly (I see our cert in the browser and no warnings), but I see some strange errors in the logs and sometimes in the browser about the "certificate chain not signed by a trusted CA".</P><P>When I look at the certificate, it seems to be missing the original CA and didn't insert our CA/cert.</P><P>For example, normal certs look like: DigicertCA--&gt;<A href="http://www.CDWG.com" target="_blank">www.CDWG.com</A><BR />Inspection working: MYEnterpriseCA--&gt;<A href="http://www.CDWG.com" target="_blank">www.CDWG.com</A><BR />When I see errors it looks like: <A href="http://www.CDWG.com" target="_blank">www.CDWG.com</A></P><P>Am I missing something?</P><P>Thanks!</P><P>--Ben</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Firewall log" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/537i881FE0E0F8F14247/image-size/large?v=v2&amp;px=999" role="button" title="2019-03-29 12_45_01-csd8-management - Remote Desktop Connection Manager v2.7.png" alt="2019-03-29 12_45_01-csd8-management - Remote Desktop Connection Manager v2.7.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Browser cert" style="width: 552px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/538i30C2E6AB1910C805/image-size/large?v=v2&amp;px=999" role="button" title="2019-03-29 12_54_01-Certificate Viewer_ “www.cdwg.com”.png" alt="2019-03-29 12_54_01-Certificate Viewer_ “www.cdwg.com”.png" /></span></P><P>&nbsp;</P> Fri, 29 Mar 2019 16:54:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49217#M57992 Benjamin_Lamber 2019-03-29T16:54:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49283#M57993 <P>It’s impossible for a gateway to be running R80.20.M2 because that’s a Management-only release. What is the gateway actually running here? Also, is this happening consistently for specific sites or at&nbsp;random?</P> Sat, 30 Mar 2019 16:03:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49283#M57993 PhoneBoy 2019-03-30T16:03:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49286#M57995 <P>Hi&nbsp;<A href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/6068" target="_blank">@Benjamin_Lamber</A>&nbsp;</P> <P>the DigiCert certificate is not in R80.20 root certificate store.</P> <P>So you get a certificate chain error.</P> Sat, 30 Mar 2019 17:14:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49286#M57995 HeikoAnkenbrand 2019-03-30T17:14:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49287#M57996 <P>Look at this sk:</P> <P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk114679&amp;partition=Advanced&amp;product=HTTPS" target="_self">sk114679 - HTTPS Bypass (with Site Category) not working for Servers with Self-Signed Certificate</A></P> Sat, 30 Mar 2019 17:20:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49287#M57996 HeikoAnkenbrand 2019-03-30T17:20:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49290#M57997 <P>Here the root certificate. <FONT color="#FF0000">This certificate is not in the root certificate store.</FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20190330-180412_Chrome.jpg" style="width: 470px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/545i3823D0F82A5661CB/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot_20190330-180412_Chrome.jpg" alt="Screenshot_20190330-180412_Chrome.jpg" /></span></P> Sat, 30 Mar 2019 17:39:30 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49290#M57997 HeikoAnkenbrand 2019-03-30T17:39:30Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49293#M57998 <P>Here the intermediate certificate:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20190330-183202_Chrome.jpg" style="width: 445px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/547i25C8F1BA40AB55D9/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot_20190330-183202_Chrome.jpg" alt="Screenshot_20190330-183202_Chrome.jpg" /></span></P> Sat, 30 Mar 2019 17:32:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49293#M57998 HeikoAnkenbrand 2019-03-30T17:32:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49296#M57999 <P>And here the web server certificate:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20190330-182852_Chrome.jpg" style="width: 453px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/548iE23254D0A31BA2F5/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot_20190330-182852_Chrome.jpg" alt="Screenshot_20190330-182852_Chrome.jpg" /></span></P> Sat, 30 Mar 2019 17:34:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49296#M57999 HeikoAnkenbrand 2019-03-30T17:34:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49297#M58000 <P>Sorry for the german names in the pictures.&nbsp;I write on a samsung tab s4 and I cannot change the browser to english.</P> Sat, 30 Mar 2019 17:37:35 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49297#M58000 HeikoAnkenbrand 2019-03-30T17:37:35Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49472#M58001 <P>Thank you, this was ultimately the issue. For some reason Check Point did not have Digicert Global Root G2/G3 in the certificate store. I was able to download them from their support site and add them.</P><P>Is there a way to ensure that the Check Point cert store is being automatically updated, apart from checking the box?</P><P>Thank you very much!</P><P>--Ben</P> Mon, 01 Apr 2019 14:37:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Chain-Errors/m-p/49472#M58001 Benjamin_Lamber 2019-04-01T14:37:25Z