Hello All,
I am seeing detect messages in the logs with a certificate validation issue. After investigation we are not able to determine why the certificate validation is failing: the certificates are valid, the CA is trusted, etc. Checking SK159872 there is a command to do some debugging that might help, "fw ctl set int appi_urlf_ssl_certficate_validation_log_enabled 1", but this is not working on our gateways (R80.40); we get "set operation failed: failed to get parameter appi_urlf_ssl_certficate_validation_log_enabled".
Is there another way to get more information about why the certificates are being logged as "Untrusted Certificate"?
Many thanks,
Michael
Hello All,
Issue solved. The affected clients were not using a proxy and the site was not using the local Internet access. Both of these points may need to be addressed soon. The traffic was passing through the local network segmentation firewall and then through the perimeter firewall. Both firewalls were doing HTTPS inspection of this traffic. I forgot to mention that we had just replaced the certificate for the HTTPS inspection as the old one had expired. The local network segmentation security gateway was seeing the HTTPS traffic signed by the HTTPS inspection certificate of the perimeter security gateway. The local network segmentation gateway was not trusting HTTPS traffic signed by the HTTPS inspection certificate (which it was also using itself for HTTPS inspection). We made sure that the customer root CA and the customer intermediate CA used by the HTTPS inspection certificate were also trusted CAs. Neither of these solved the issue. We had to add the HTTPS inspection certificate itself as a trusted CA. After that the issue was solved.
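The trust-store behaviour described in the resolution above, reproduced as an added lab example (not code from the thread, from Check Point or from the SK): it builds a constructed chain Root CA -> Intermediate CA -> HTTPS-inspection CA -> re-signed site certificate and verifies the site certificate against a store holding only the root and intermediate (the first thing tried) and against one that also holds the inspection CA (the working fix). It assumes the openssl CLI is installed; all names and the example.com site are constructed.

```shell
#!/bin/sh
# Constructed lab (not from the thread): show why a verifier that trusts only
# the customer root and intermediate CA rejects a certificate re-signed by a
# downstream HTTPS-inspection CA, and which trust-store change makes it pass.
set -eu
WORK=$(mktemp -d); cd "$WORK"
printf '[ca]\nbasicConstraints=critical,CA:TRUE\n' > ext.cnf
printf '[leaf]\nbasicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' >> ext.cnf

# mk_cert NAME SUBJECT EXT_SECTION [ISSUER_NAME]; no issuer => self-signed root
mk_cert() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  if [ $# -lt 4 ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -out "$1.crt" -days 365 \
      -extfile ext.cnf -extensions "$3" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
      -out "$1.crt" -days 365 -extfile ext.cnf -extensions "$3" 2>/dev/null
  fi
}

mk_cert root       "/CN=Customer Root CA"      ca
mk_cert inter      "/CN=Customer Intermediate" ca   root
mk_cert inspection "/CN=HTTPS Inspection CA"   ca   inter        # perimeter gateway's signing cert
mk_cert site       "/CN=www.example.com"       leaf inspection   # what the inner gateway sees

# verify_site STORE [UNTRUSTED_CERT]: exit 0 only if site.crt chains to STORE.
# The optional second argument stands in for a certificate presented in the
# TLS handshake chain rather than installed as a trusted CA.
verify_site() {
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" site.crt >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" site.crt >/dev/null 2>&1
  fi
}

cat root.crt inter.crt > store_root_inter.pem                       # root + intermediate only
cat root.crt inter.crt inspection.crt > store_with_inspection.pem   # plus the inspection CA itself

verify_site store_root_inter.pem && echo "root+intermediate: trusted" \
  || echo "root+intermediate: UNTRUSTED (issuer of site.crt not found in store)"
verify_site store_with_inspection.pem && echo "inspection CA added to store: trusted"
verify_site store_root_inter.pem inspection.crt && echo "inspection CA presented in chain: trusted"
```

The third check shows the other way the path can close: a verifier that holds only the root and intermediate succeeds if the re-signing certificate is presented alongside the site certificate, so whether the upstream gateway sends its inspection certificate in the handshake decides whether it must be installed as a trusted CA.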
Let me see if I can do some tests in my lab with this... you are right about the kernel value, it's definitely wrong. I get the same error if I do it in R81.10 as well.
Andy
I've seen cases where, if the trust chain is not in the correct order, Check Point will not accept it as valid; ensure that the certificate is correctly crafted.
IPS/WSTLSD is sensitive to discrepancies that we might not notice when initially reviewing the certificate details.
If this does not yield answers and you need more information, a WSTLSD debug would be more aligned; the command you mentioned is not recommended.
If you don't see more information under "More - Description", I recommend raising a case with TAC to assist with gathering more info.
https://sc1.checkpoint.com/sc/SolutionsStatics/sk159872/expired_cert1909100631.PNG
Those are all good points, true.