Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Felipe_Muraska
Participant
Jump to solution

HTTPS Inspection errors

Hello Team,

I have configured the HTTPs inspcetion created the outbound certifcate installed on the machines as well however from time to time legit HTTPs pages says the website is not safe , looking at log I see only empty_ssl_conn and nothing further. Also there are some desktop bank APPs that also cant connect saying error with the certificates

I`m attaching a screenshot of the issue.

Tried to clear cache on browser

update broswers (IE, FireFox, Chrome)

running r80.10 take 91 and take 103

Issues has been happening since R77.X

1 Solution

Accepted Solutions
cstueckrath
Collaborator

find an affected client and look at the certificate chain of the failing certificate.

Figure out, if the root ca cert is

  1. displayed
  2. trusted

If it is not trusted, look at the trusted store. Figure out, why it is not there or why it doesn't match.

Also, try to find out if all https sites fail or just some (might be related to sk104717)

View solution in original post

14 Replies
cstueckrath
Collaborator

I suspect the outbound certificate to be the root cause.

Is it really a CA or intermediate CA certificate?

Please share a screenshot of the chain as well

0 Kudos
Felipe_Muraska
Participant

Hello Christian

It is a CA that was created. not all of the users report errors

Please find attached some details

0 Kudos
cstueckrath
Collaborator

I see the root ca certificate as not trusted. You have to import it to your computer's trusted root CAs

0 Kudos
Felipe_Muraska
Participant

its been imported already on customer network, the screenshot was just from my computer ( not part of customer network). but still errors are generated.

0 Kudos
cstueckrath
Collaborator

find an affected client and look at the certificate chain of the failing certificate.

Figure out, if the root ca cert is

  1. displayed
  2. trusted

If it is not trusted, look at the trusted store. Figure out, why it is not there or why it doesn't match.

Also, try to find out if all https sites fail or just some (might be related to sk104717)

Felipe_Muraska
Participant

Thank you, will check on that

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

0 Kudos
Felipe_Muraska
Participant

Hello Crhis

I was able to replicate the issue in the lab and sk104717 was spot on for the bank APPs.

For the browser Im thinking its a issue on the deployment, since it on my lab worked fine using the CP certificate to all URLs

0 Kudos
Pedro_Espindola
Advisor

Hello Felipe,

Please hit F12 on your browser, go to "Security" tab and check what errors the browser found.

Post them here so we can further help you.

0 Kudos
Felipe_Muraska
Participant

Hi Pedro,

I`m trying to get a testing machine on customer`s environment to begin testing to replicate the issue, just wanted to see if anyone else had this problem and how they solved since the issue does not appear to all customers

0 Kudos
Pedro_Espindola
Advisor

If the issue does not appear to all users it might be a failure to deploy the CA certificate to all costumers.

From the screeshots you sent it seems to be a simple issue of untrusted CA.

You should hit F12 and check the Security tab, where the browser will tell you exactly why the connection is not safe.

0 Kudos
Felipe_Muraska
Participant

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

0 Kudos
Marco_Valenti
Advisor

It should be not needed , did you select in the https policy the right certificate that you have uploaded to the management?

0 Kudos
Felipe_Muraska
Participant

Another thing came up

I enabled the enhanced_ssl_inspection for non browser APPS would work and worked great, however I stopped servind my ceritificate to the users, is there a way to fix that ? non browser APPs work and as well my certificate is delivered to end user ?

0 Kudos
Pedro_Espindola
Advisor

What do you mean by "stopped serving the certificate to the end user"?

Some apps use their own CA certificates repository, not the repository of the system. For instance, Firefox browser does not read the certificates installed in Windows, you have to install it again to the Firefox repository. Check if any of your Apps or browsers have this problem.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events