topic Re: HTTPS Inspection errors in Firewall and Security Management

HTTPS Inspection errors

Felipe_Muraska — Fri, 24 Aug 2018 12:24:35 GMT

Hello Team,

I have configured the HTTPs inspcetion created the outbound certifcate installed on the machines as well however from time to time legit HTTPs pages says the website is not safe , looking at log I see only empty_ssl_conn and nothing further. Also there are some desktop bank APPs that also cant connect saying error with the certificates

I`m attaching a screenshot of the issue.

Tried to clear cache on browser

update broswers (IE, FireFox, Chrome)

running r80.10 take 91 and take 103

Issues has been happening since R77.X

Re: HTTPS Inspection errors

cstueckrath — Fri, 24 Aug 2018 13:15:18 GMT

I suspect the outbound certificate to be the root cause.

Is it really a CA or intermediate CA certificate?

Please share a screenshot of the chain as well

Re: HTTPS Inspection errors

Felipe_Muraska — Fri, 24 Aug 2018 13:24:20 GMT

Hello Christian

It is a CA that was created. not all of the users report errors

Please find attached some details

Re: HTTPS Inspection errors

Pedro_Espindola — Fri, 24 Aug 2018 13:26:01 GMT

Hello Felipe,

Please hit F12 on your browser, go to "Security" tab and check what errors the browser found.

Post them here so we can further help you.

Re: HTTPS Inspection errors

Felipe_Muraska — Fri, 24 Aug 2018 13:26:02 GMT

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

Re: HTTPS Inspection errors

cstueckrath — Fri, 24 Aug 2018 13:27:46 GMT

I see the root ca certificate as not trusted. You have to import it to your computer's trusted root CAs

Re: HTTPS Inspection errors

Felipe_Muraska — Fri, 24 Aug 2018 13:29:31 GMT

its been imported already on customer network, the screenshot was just from my computer ( not part of customer network). but still errors are generated.

Re: HTTPS Inspection errors

Felipe_Muraska — Fri, 24 Aug 2018 13:30:24 GMT

Hi Pedro,

I`m trying to get a testing machine on customer`s environment to begin testing to replicate the issue, just wanted to see if anyone else had this problem and how they solved since the issue does not appear to all customers

Re: HTTPS Inspection errors

cstueckrath — Fri, 24 Aug 2018 13:36:19 GMT

find an affected client and look at the certificate chain of the failing certificate.

Figure out, if the root ca cert is

displayed
trusted

If it is not trusted, look at the trusted store. Figure out, why it is not there or why it doesn't match.

Also, try to find out if all https sites fail or just some (might be related to sk104717)

Re: HTTPS Inspection errors

Felipe_Muraska — Fri, 24 Aug 2018 13:46:10 GMT

Thank you, will check on that

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

Re: HTTPS Inspection errors

Marco_Valenti — Fri, 24 Aug 2018 15:47:01 GMT

It should be not needed , did you select in the https policy the right certificate that you have uploaded to the management?

Re: HTTPS Inspection errors

Pedro_Espindola — Fri, 24 Aug 2018 19:40:54 GMT

If the issue does not appear to all users it might be a failure to deploy the CA certificate to all costumers.

From the screeshots you sent it seems to be a simple issue of untrusted CA.

You should hit F12 and check the Security tab, where the browser will tell you exactly why the connection is not safe.

Re: HTTPS Inspection errors

Felipe_Muraska — Fri, 24 Aug 2018 19:44:02 GMT

Hello Crhis

I was able to replicate the issue in the lab and sk104717 was spot on for the bank APPs.

For the browser Im thinking its a issue on the deployment, since it on my lab worked fine using the CP certificate to all URLs

Re: HTTPS Inspection errors

Felipe_Muraska — Mon, 27 Aug 2018 21:33:21 GMT

Another thing came up

I enabled the enhanced_ssl_inspection for non browser APPS would work and worked great, however I stopped servind my ceritificate to the users, is there a way to fix that ? non browser APPs work and as well my certificate is delivered to end user ?

Re: HTTPS Inspection errors

Pedro_Espindola — Wed, 29 Aug 2018 16:23:08 GMT

What do you mean by "stopped serving the certificate to the end user"?

Some apps use their own CA certificates repository, not the repository of the system. For instance, Firefox browser does not read the certificates installed in Windows, you have to install it again to the Firefox repository. Check if any of your Apps or browsers have this problem.