This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Felipe_Muraska
Participant
‎2018-08-24 05:24 AM

HTTPS Inspection errors

Jump to solution

Hello Team,

I have configured the HTTPs inspcetion created the outbound certifcate installed on the machines as well however from time to time legit HTTPs pages says the website is not safe , looking at log I see only empty_ssl_conn and nothing further. Also there are some desktop bank APPs that also cant connect saying error with the certificates

I`m attaching a screenshot of the issue.

Tried to clear cache on browser

update broswers (IE, FireFox, Chrome)

running r80.10 take 91 and take 103

Issues has been happening since R77.X

Preview file
46 KB
1 Solution

Accepted Solutions
cstueckrath
Contributor
‎2018-08-24 06:36 AM
In response to Felipe_Muraska

Jump to solution

find an affected client and look at the certificate chain of the failing certificate.

Figure out, if the root ca cert is

  1. displayed
  2. trusted

If it is not trusted, look at the trusted store. Figure out, why it is not there or why it doesn't match.

Also, try to find out if all https sites fail or just some (might be related to sk104717)

View solution in original post

14 Replies
cstueckrath
Contributor
‎2018-08-24 06:15 AM

Jump to solution

I suspect the outbound certificate to be the root cause.

Is it really a CA or intermediate CA certificate?

Please share a screenshot of the chain as well

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:24 AM
In response to cstueckrath

Jump to solution

Hello Christian

It is a CA that was created. not all of the users report errors

Please find attached some details

Preview file
74 KB
0 Kudos
cstueckrath
Contributor
‎2018-08-24 06:27 AM
In response to Felipe_Muraska

Jump to solution

I see the root ca certificate as not trusted. You have to import it to your computer's trusted root CAs

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:29 AM
In response to cstueckrath

Jump to solution

its been imported already on customer network, the screenshot was just from my computer ( not part of customer network). but still errors are generated.

0 Kudos
cstueckrath
Contributor
‎2018-08-24 06:36 AM
In response to Felipe_Muraska

Jump to solution

find an affected client and look at the certificate chain of the failing certificate.

Figure out, if the root ca cert is

  1. displayed
  2. trusted

If it is not trusted, look at the trusted store. Figure out, why it is not there or why it doesn't match.

Also, try to find out if all https sites fail or just some (might be related to sk104717)

Felipe_Muraska
Participant
‎2018-08-24 06:46 AM
In response to cstueckrath

Jump to solution

Thank you, will check on that

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 12:44 PM
In response to cstueckrath

Jump to solution

Hello Crhis

I was able to replicate the issue in the lab and sk104717 was spot on for the bank APPs.

For the browser Im thinking its a issue on the deployment, since it on my lab worked fine using the CP certificate to all URLs

0 Kudos
Pedro_Espindola
Advisor
‎2018-08-24 06:26 AM

Jump to solution

Hello Felipe,

Please hit F12 on your browser, go to "Security" tab and check what errors the browser found.

Post them here so we can further help you.

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:30 AM
In response to Pedro_Espindola

Jump to solution

Hi Pedro,

I`m trying to get a testing machine on customer`s environment to begin testing to replicate the issue, just wanted to see if anyone else had this problem and how they solved since the issue does not appear to all customers

0 Kudos
Pedro_Espindola
Advisor
‎2018-08-24 12:40 PM
In response to Felipe_Muraska

Jump to solution

If the issue does not appear to all users it might be a failure to deploy the CA certificate to all costumers.

From the screeshots you sent it seems to be a simple issue of untrusted CA.

You should hit F12 and check the Security tab, where the browser will tell you exactly why the connection is not safe.

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:26 AM

Jump to solution

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

0 Kudos
Marco_Valenti
Advisor
‎2018-08-24 08:47 AM
In response to Felipe_Muraska

Jump to solution

It should be not needed , did you select in the https policy the right certificate that you have uploaded to the management?

0 Kudos
Felipe_Muraska
Participant
‎2018-08-27 02:33 PM

Jump to solution

Another thing came up

I enabled the enhanced_ssl_inspection for non browser APPS would work and worked great, however I stopped servind my ceritificate to the users, is there a way to fix that ? non browser APPs work and as well my certificate is delivered to end user ?

0 Kudos
Pedro_Espindola
Advisor
‎2018-08-29 09:23 AM
In response to Felipe_Muraska

Jump to solution

What do you mean by "stopped serving the certificate to the end user"?

Some apps use their own CA certificates repository, not the repository of the system. For instance, Firefox browser does not read the certificates installed in Windows, you have to install it again to the Firefox repository. Check if any of your Apps or browsers have this problem.

0 Kudos