This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
aks_2512
Explorer
‎2023-05-22 05:22 AM

https inspection - NET::ERR_CERT_AUTHORITY_INVALID error

hi, we setup a vm and created an https inspection policy rule to allow access to "Internet" on port https/443 and set the action to inspect and to use the outbound_certificate. Before the rule was set, the vm was able to access internet sites ok. After the https inspection rule was enabled and policy installed, access to any internet website pops up with NET::ERR_CERT_AUTHORITY_INVALID error. 

we use sub-CA on the gateway issued by our enterprise root CA. This sub-CA is present in the Trusted CA's of the gateway object. 

root CA cert is installed on the vm under trusted root ca. I have also exported the sub-CA cert from the https inspection tab of the gateway and imported it under root ca of the vm (tried it under intermediate ca and third party ca as well). 

checkpoint logs show http validation == untrusted certificate. reboot of the vm did not help either. 

using version r81.10

not sure what am i missing.. any suggestions please. Thank you in advance.

 

0 Kudos
10 Replies
G_W_Albrecht
Legend
Legend
‎2023-05-22 06:49 AM

Maybe https://support.checkpoint.com/results/sk/sk112722 ?

CCSE CCTE CCSM SMB Specialist
0 Kudos
aks_2512
Explorer
‎2023-05-22 11:29 PM
In response to G_W_Albrecht

Tried this, same error. 

0 Kudos
G_W_Albrecht
Legend
Legend
‎2023-05-23 08:16 AM
In response to aks_2512

I would suggest to contact CP TAC to get this resolved !

CCSE CCTE CCSM SMB Specialist
the_rock
Legend
Legend
‎2023-05-23 09:41 AM
In response to aks_2512

I agree with Guenther, please work with TAC to get this solved, might be much faster via remote session.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-05-22 11:49 AM

If its under trusted root, that sounds right. Here is how customer I worked with on this issue last year fixed it, maybe you can confirm this. Also, make sure that automatic update is checked in https legacy dashboard (its under blades tab in smart console)

Andy

 

Screenshot_1.png

0 Kudos
aks_2512
Explorer
‎2023-05-22 11:40 PM
In response to the_rock

automatic updates already checked in the legacy dashboard.

Viewing the cert from the url bar gives - Issued by - Common name = Untrusted. 

0 Kudos
the_rock
Legend
Legend
‎2023-05-23 03:50 AM
In response to aks_2512

I have fully working https inspection lab, will check later.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-05-23 06:44 AM
In response to aks_2512

I have fully working https inspection lab, will check later.

Andy

0 Kudos
the_rock
Legend
Legend
‎2023-05-23 06:45 AM
In response to aks_2512

Btw, just checked and that error might not be cert issue necessarily. Do you get this for any given browser and on every machine or you just tested on one?

Andy

https://www.hostinger.com/tutorials/err_cert_authority_invalid

0 Kudos
_Val_
Admin
Admin
‎2023-05-26 02:21 AM

When using a sub-CA root cert, make sure the whole chain is included and can be validated through CLRs. If not, the actual certificate will be shown as untrusted.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events