aks_2512
Explorer

HTTPS inspection - NET::ERR_CERT_AUTHORITY_INVALID error

Hi, we set up a VM and created an HTTPS inspection policy rule to allow access to "Internet" on port https/443, set the action to Inspect, and set it to use the outbound_certificate. Before the rule was set, the VM was able to access internet sites OK. After the HTTPS inspection rule was enabled and policy installed, access to any internet website pops up with a NET::ERR_CERT_AUTHORITY_INVALID error.

We use a sub-CA on the gateway issued by our enterprise root CA. This sub-CA is present in the Trusted CAs of the gateway object.

The root CA cert is installed on the VM under trusted root CA. I have also exported the sub-CA cert from the HTTPS inspection tab of the gateway and imported it under root CA of the VM (tried it under intermediate CA and third-party CA as well).

Check Point logs show http validation == untrusted certificate. A reboot of the VM did not help either.

Using version R81.10.

Not sure what I am missing. Any suggestions, please? Thank you in advance.

 

0 Kudos
10 Replies
G_W_Albrecht
Legend

Maybe https://support.checkpoint.com/results/sk/sk112722 ?

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
aks_2512
Explorer

Tried this, same error. 

0 Kudos
G_W_Albrecht
Legend

I would suggest contacting CP TAC to get this resolved!

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

I agree with Guenther, please work with TAC to get this solved, might be much faster via remote session.

Andy

0 Kudos
the_rock
Legend

If it's under trusted root, that sounds right. Here is how a customer I worked with on this issue last year fixed it; maybe you can confirm this. Also, make sure that automatic update is checked in the HTTPS legacy dashboard (it's under the Blades tab in SmartConsole).

Andy

 

Screenshot_1.png

0 Kudos
aks_2512
Explorer

Automatic updates are already checked in the legacy dashboard.

Viewing the cert from the url bar gives - Issued by - Common name = Untrusted. 

0 Kudos
the_rock
Legend

I have a fully working HTTPS inspection lab, will check later.

Andy

0 Kudos
the_rock
Legend

I have a fully working HTTPS inspection lab, will check later.

Andy

0 Kudos
the_rock
Legend

Btw, just checked and that error might not necessarily be a cert issue. Do you get this for any given browser and on every machine, or did you just test on one?

Andy

https://www.hostinger.com/tutorials/err_cert_authority_invalid

0 Kudos
_Val_
Admin

When using a sub-CA root cert, make sure the whole chain is included and can be validated through CRLs. If not, the actual certificate will be shown as untrusted.

0 Kudos
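
The chain-completeness part of the reply above, reproduced offline with the openssl CLI (an added example, not part of the original thread and not Check Point tooling). The root, sub-CA and leaf are throwaway certificates constructed for the demo, the function names `build_chain` and `chain_ok` are hypothetical, and CRL retrieval is not covered.

```shell
# Constructed lab PKI: root CA -> inspection sub-CA -> leaf, all throwaway.
build_chain() {                      # build_chain DIR: writes root/sub/leaf PEMs
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Root CA: stands in for the enterprise root the client already trusts.
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Enterprise Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Sub-CA: stands in for the gateway's outbound inspection CA.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Inspection Sub-CA" \
        -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.cnf" -extensions v3_ca \
        -out "$d/sub.pem" 2>/dev/null || return 1
    # Leaf: stands in for the certificate generated for an inspected site.
    openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null || return 1
}

# chain_ok ROOT LEAF [INTERMEDIATE]: succeed only if LEAF validates up to ROOT.
chain_ok() {
    if [ -n "${3:-}" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1) || true
    else
        out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    fi
    case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

lab=$(mktemp -d)
build_chain "$lab" || echo "openssl failed to build the lab chain"
chain_ok "$lab/root.pem" "$lab/leaf.pem" && echo "root only: trusted" || echo "root only: untrusted"
chain_ok "$lab/root.pem" "$lab/leaf.pem" "$lab/sub.pem" && echo "with sub-CA: trusted" || echo "with sub-CA: untrusted"
rm -rf "$lab"
```

With only the root available the leaf fails validation; once the sub-CA is supplied as an intermediate, the same leaf validates.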