
HTTPS inspection on R80.30 JHF 219 - SAN error on client


I have a problem with HTTPS inspection and SAN cert on R80.30 JHF 219.


The scenario:

HTTPS inspection is enabled with a self-signed cert from the gateway itself and imported onto the clients.

Application Control, URL Filtering and IPsec VPN are enabled.

HTTPS inspection policy is default.


The clients get a cert error when connecting to their company website, which is hosted at a third party hosting-partner.

The certificate coming from contains these details:

  • CN =
  • Issuer = Let's Encrypt

Subject Alt Names:

Public Key info:

  • Algorithm = Elliptic Curve
  • Key Size = 384
  • etc etc etc.

When you access the website, it redirects you to and this is where it gives an error on the client when HTTPS inspection is enabled. Disabling HTTPS inspection makes it work normally.


Looking in the firewall log I see this:

HTTPS Validation: Invalid CRL Retrived


Description: Detected

Description: No Valid CRL. Certificate DN) '' Requested Server Name:


It looks to me like the firewall does not like that the FQDN that the request gets redirected to is not the one in CN.

Can I do something about that, generally, so HTTPS inspection takes SAN into consideration?


Something regarding this should have been fixed in our version (219), but not enough I guess: (article refers to SAN only being checked the first time, should have been fixed in version 195)


0 Kudos
1 Reply

This might be a bug and I highly recommend a TAC case.
You can potentially work around this by disabling CRL checking in SmartDashboard (shown here):

Screen Shot 2021-06-24 at 7.57.31 AM.png

0 Kudos
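
One way to test the SAN hypothesis from the question independently of the gateway, as an added example that is not part of the original thread: classify whether the requested server name is covered by the origin certificate's SAN list or only by its CN, and list the revocation pointers the certificate advertises. It assumes the certificate is in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`; the hostnames and the OCSP URL in the sample are constructed placeholders, and `fetch_cert` should be run from a host that is not behind HTTPS inspection.

```python
import socket
import ssl

def fetch_cert(host, port=443):
    """Fetch the validated leaf certificate as a dict (run from outside the inspection path)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _dns_match(pattern, host):
    """Compare a dNSName with a host; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def name_coverage(cert, requested):
    """Return 'san', 'cn-only', 'cn-legacy' or 'mismatch' for the requested server name."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(s, requested) for s in sans):
        return "san"  # listed in SAN: the CN does not matter
    if any(_dns_match(c, requested) for c in cns):
        # CN matches but SAN does not list the name: modern clients reject this
        return "cn-only" if sans else "cn-legacy"
    return "mismatch"

def summarize(cert, requested):
    """Combine name coverage with the revocation pointers the certificate advertises."""
    return {
        "coverage": name_coverage(cert, requested),
        "crl": list(cert.get("crlDistributionPoints", ())),
        "ocsp": list(cert.get("OCSP", ())),
    }

# Constructed sample in getpeercert() form: CN is the bare domain, the site redirects to www.
SAMPLE = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "OCSP": ("http://ocsp.example.net",),
}

if __name__ == "__main__":
    print(summarize(SAMPLE, "www.example.com"))
```

A `coverage` of `san` means the redirect target is covered by the origin certificate even though it differs from the CN, which leaves the CRL retrieval named in the log as the thing to investigate.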