https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168793#M28077 <P>Browsing to a website such as <A href="http://www.thisdomain.io" target="_blank" rel="noopener">www.thisdomain.io</A> which uses a *.thisdomain.io wildcard certificate and the firewall blocks it saying</P><P class="lia-indent-padding-left-30px"><STRONG>"Certificate chain is inconsistent. Certificate DN: 'CN=*.thisdomain.io' Requested Server Name: <A href="http://www.thisdomain.io" target="_blank" rel="noopener">www.thisdomain.io</A> See sk159872"</STRONG>.</P><P>Everything in sk article checks out and I'm not seeing any issues. What's odd is the example in the sk even shows a wildcard. Is it having an issue with the .io TLD?</P><P>What's even odder is that the website works sporadically. No issues if browsing the website off-premise (i.e. not going through a cpfw). R81.10 latest JHF.</P> Mon, 23 Jan 2023 18:11:32 GMT B_P 2023-01-23T18:11:32Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168793#M28077 <P>Browsing to a website such as <A href="http://www.thisdomain.io" target="_blank" rel="noopener">www.thisdomain.io</A> which uses a *.thisdomain.io wildcard certificate and the firewall blocks it saying</P><P class="lia-indent-padding-left-30px"><STRONG>"Certificate chain is inconsistent. Certificate DN: 'CN=*.thisdomain.io' Requested Server Name: <A href="http://www.thisdomain.io" target="_blank" rel="noopener">www.thisdomain.io</A> See sk159872"</STRONG>.</P><P>Everything in sk article checks out and I'm not seeing any issues. What's odd is the example in the sk even shows a wildcard. Is it having an issue with the .io TLD?</P><P>What's even odder is that the website works sporadically. No issues if browsing the website off-premise (i.e. not going through a cpfw). R81.10 latest JHF.</P> Mon, 23 Jan 2023 18:11:32 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168793#M28077 B_P 2023-01-23T18:11:32Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168812#M28086 <P>See if below helps:</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/HTTPS-Certificate-validation-SK159872/td-p/131158" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/HTTPS-Certificate-validation-SK159872/td-p/131158</A></P> <P>Btw, I dont think TLD matters here at all.</P> Mon, 23 Jan 2023 21:49:33 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168812#M28086 the_rock 2023-01-23T21:49:33Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168840#M28092 <P>This is most likely a side effect of SNI Verification and something on the remote end that isn't configured correctly...perhaps on only on one server in a pool of them.<BR />You might need the TAC to assist in debugging this.</P> Tue, 24 Jan 2023 04:28:37 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168840#M28092 PhoneBoy 2023-01-24T04:28:37Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168861#M28097 <P>You could check <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105559&amp;partition=Advanced&amp;product=HTTPS" target="_blank" rel="noopener">sk105559 -&nbsp;</A><SPAN><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105559&amp;partition=Advanced&amp;product=HTTPS" target="_blank" rel="noopener">How to debug the WSTLSD daemon</A> also.</SPAN></P> Tue, 24 Jan 2023 09:05:23 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/168861#M28097 Alex- 2023-01-24T09:05:23Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/169944#M28255 <P>Looks like there's no issues:</P><BLOCKQUOTE><HR />WSTLSD log:<BR /><P>[1 Feb 9:39:12] fwCert_cache::val_free: free fwCert from Cache. refCount: 0, CN=*.thisdomain.io<BR />[1 Feb 9:39:12] fwCert_cache::Put: added fwCert 0xab10200 to cache<BR />[1 Feb 9:39:12] fwCert_cache::Get: added new cert object to cache: *.thisdomain.io<BR />[1 Feb 9:39:12] fwCert_cache::Get: cache hit for : 16<BR />[1 Feb 9:39:12] cpSRSA_imp::Verify: Entering...<BR />[1 Feb 9:39:12] kmsg_read_local: 9 kmsgs handled</P><P>[1 Feb 9:39:12] Comparing SNI <A href="http://www.thisdomain.io" target="_blank">www.thisdomain.io</A> against 2 alternative names<BR />[1 Feb 9:39:12] SNI matches alternate name *.thisdomain.io<BR />[1 Feb 9:39:12] Comparing SNI <A href="http://www.thisdomain.io" target="_blank">www.thisdomain.io</A> against 2 alternative names<BR />[1 Feb 9:39:12] SNI matches alternate name *.thisdomain.io</P><HR /></BLOCKQUOTE><P>&nbsp;</P> Wed, 01 Feb 2023 15:49:44 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/169944#M28255 B_P 2023-02-01T15:49:44Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/169949#M28256 <P>I scanned it with Qualys and it got a B grade as it has chain, alternative name and SNI issues...... I guess I'll reach out to them.</P> Wed, 01 Feb 2023 16:03:45 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-quot-Certificate-chain-is-inconsistent-quot-for/m-p/169949#M28256 B_P 2023-02-01T16:03:45Z