Good evening, everyone,
I hope someone can help me with this issue:
A few weeks ago we updated the SSL certificate for both the gateway portal and the VPN client.
Currently the portal is exposed on port 4434 while 443 is used for VPN RA.
When I access the portal on port 4434 the certificate is displayed correctly and the expiration date is correct.
However, if I check on port 443 it tells me that the certificate has expired, showing me the date of the last certificate.
We cleared all the cache and there is no trace of the old certificate.
We have opened a case with TAC and they tell us that all the operations were done correctly.
However, any site that checks the certificate (SSL Shopper or Qualys) tells us that the certificate has expired.
It is the Quantum Spark 1590 series.
Has anyone ever encountered such an issue?
Has the gateway already been rebooted/updated, and any other tests with TAC?
Thank you all.
Hi Ted,
as already discussed, the problem is related to DB corruption.
Although the new certificate is loaded, doing an SSL check still detects the old expiration date.
I solved it this way:
1. Delete $FWDIR/conf/fwauth.NDB.
2. Run 'sfwd_restart'
3. Run 'vpn_configload;fw reconf_sfwd'
4. Add a new local user (it might be a temporary user, just to apply the change).
5. Optional: re-add the 3rd party certificate.
I don't think it is possible as listed in: https://support.checkpoint.com/results/sk/sk110533
This is expected behavior.
Locally Managed Quantum Spark (SMB) appliances do not support internal certificate administration. These appliances always present their own VPN certificate, even if there are other certificates installed on the appliances.
Note - You can verify the internal certificate in the appliance WebUI: Device > Certificates (Internal Certificate). This page shows two certificates: Internal CA Certificate and Internal VPN Certificate.
They speak of locally managed gateways; what about this gateway?
Hi lesley,
I don't know if I explained myself well, so let me try to clarify:
Until a few weeks ago we had a third-party certificate that worked for both the web portal (port 4434) and the RA VPN (port 443).
After we renewed the certificate, if we connect to example.com:4434 the expiration date is correct. If we connect to https://example.com it keeps giving us the old expiration date.
So is it central or local management, and what steps or guide have you followed?
I have seen this multiple times with renewal of third-party certificates and was just about to open a ticket on this. The main portal on 4434 uses the new certificate successfully, but the SSL portal still used the old (expired) certificate. The only workaround I have found is to undo the certificate, turn off the SSL, reboot the box, then re-install the new certificate and turn the SSL portal back on.
I believe that this is a problem where the SSL portal is storing this certificate elsewhere and it is not being updated when the SSL certificate is updated.
Given the amount of time that we have all been using SSL certificates, you would think that these cert renewals would be straightforward by now and update correctly.
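The symptom described in this thread (the renewed certificate is served on 4434 while 443 still presents the old one) is easy to confirm from the outside without relying on a third-party checker. The script below is an added example, not code from this thread or from Check Point: it fetches the leaf certificate each listener presents, fingerprints it, reads notAfter with a minimal DER walker (standard library only, no `cryptography` package), and reports whether all ports serve the same certificate. The host name `vpn.example.com` and the two embedded sample "certificates" are constructed stand-ins; the samples have the real outer ASN.1 shape up to the Validity field but no key or signature, so they exist only to exercise the parser offline.

```python
import hashlib
import ssl
from datetime import datetime, timezone

# Minimal DER TLV reader: returns (tag, value bytes, position just after this element).
def _tlv(data, pos):
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _parse_time(tag, value):
    text = value.decode("ascii")
    if tag == 0x17:                        # UTCTime YYMMDDHHMMSSZ; two-digit year per RFC 5280 4.1.2.5.1
        year = int(text[:2])
        text = ("19" if year >= 50 else "20") + text
    elif tag != 0x18:                      # otherwise GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def certificate_validity(der):
    """Walk Certificate -> TBSCertificate to the Validity field; return (notBefore, notAfter)."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, _, pos = _tlv(tbs, 0)             # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)         # serialNumber
    _, _, pos = _tlv(tbs, pos)             # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)             # issuer Name
    _, validity, _ = _tlv(tbs, pos)
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _parse_time(t1, nb), _parse_time(t2, na)

def fetch_der(host, port, timeout=5.0):
    """Fetch the leaf certificate a TLS listener presents (SNI = host, no chain validation)."""
    pem = ssl.get_server_certificate((host, port), timeout=timeout)
    return ssl.PEM_cert_to_DER_cert(pem)

def compare_listeners(certs_by_port, now=None):
    """certs_by_port: {port: DER bytes}. Per-port fingerprint/expiry plus a consistency flag."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for port, der in certs_by_port.items():
        _, not_after = certificate_validity(der)
        report[port] = {
            "sha256": hashlib.sha256(der).hexdigest(),
            "not_after": not_after,
            "expired": not_after < now,
        }
    fingerprints = {r["sha256"] for r in report.values()}
    return {"ports": report, "consistent": len(fingerprints) == 1}

# Constructed sample input (not real certificates): correct DER shape up to Validity,
# no public key or signature, just enough for the walker above to parse.
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def sample_cert(not_before, not_after):
    validity = _enc(0x30, _enc(0x17, not_before.encode()) + _enc(0x17, not_after.encode()))
    tbs = _enc(0x30,
               _enc(0xA0, _enc(0x02, b"\x02"))                                    # version v3
               + _enc(0x02, b"\x01")                                              # serialNumber
               + _enc(0x30, _enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
               + _enc(0x30, b"")                                                  # empty issuer Name
               + validity
               + _enc(0x30, b""))                                                 # empty subject Name
    return _enc(0x30, tbs + _enc(0x30, b"") + _enc(0x03, b"\x00"))

OLD_CERT = sample_cert("230101000000Z", "240101000000Z")   # the expired predecessor
NEW_CERT = sample_cert("250101000000Z", "270101000000Z")   # the renewed certificate

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    if host:   # live mode, e.g.: python3 check_listeners.py vpn.example.com 443 4434
        ports = [int(p) for p in sys.argv[2:]] or [443, 4434]
        certs = {p: fetch_der(host, p) for p in ports}
    else:      # offline demo with the constructed samples above
        certs = {443: OLD_CERT, 4434: NEW_CERT}
    result = compare_listeners(certs)
    for port, r in sorted(result["ports"].items()):
        print(f"port {port}: sha256={r['sha256'][:16]}... notAfter={r['not_after']:%Y-%m-%d} expired={r['expired']}")
    print("same certificate on all ports:", result["consistent"])
```

Run it against the gateway after a renewal with both ports listed; a `consistent: False` result with one port `expired: True` is exactly the split this thread describes, and the SHA-256 values tell you which listener is still serving the stale copy. Because `ssl.get_server_certificate` sends the host as SNI, the check sees the same leaf a browser would.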
Just to clarify, you mean the SNX portal, correct?
Hi PhoneBoy,
thanks for the comment.
The problem was solved by TAC after a long analysis.
We deleted some files and references to the old certificate via CLI. In the coming days I will try to publish the solution.
Thank you all for your time.
technically yes, but not how it is displayed or labeled on a 1500 series box running R81.10.10 or later.
Would be “SSL VPN” in that screenshot.
Had the SNX Portal on my mind for a different thread 😉
Hi Ted,
thanks for the comment.
The problem was solved by TAC after a long analysis.
We deleted some files and references to the old certificate via CLI. In the coming days I will try to publish the solution.
Thank you all for your time.
You can replace step 4 with fw_configload which does a full policy recompile.
I'm not sure this classes as the same issue, but I've uploaded some external certificates (device and cluster) to Spark devices I have in order to replace the default device cert presented for administration over port 4434.
In the WebUI it's applied. I raised a TAC case, and was a little surprised at what they told me: I need to also install the certificate on the client! (I'm hoping this is just a communication issue.)
We are not running any VPNs on these devices, and the objective is for the valid certificate to be presented to the client when we attempt to access the WebUI.