This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Felipe_Muraska
Participant
‎2018-08-24 05:24 AM
Jump to solution

HTTPS Inspection errors

Hello Team,

I have configured the HTTPs inspcetion created the outbound certifcate installed on the machines as well however from time to time legit HTTPs pages says the website is not safe , looking at log I see only empty_ssl_conn and nothing further. Also there are some desktop bank APPs that also cant connect saying error with the certificates

I`m attaching a screenshot of the issue.

Tried to clear cache on browser

update broswers (IE, FireFox, Chrome)

running r80.10 take 91 and take 103

Issues has been happening since R77.X

ssl-erros.JPG
Preview file
46 KB
1 Solution

Accepted Solutions
cstueckrath
Collaborator
‎2018-08-24 06:36 AM
In response to Felipe_Muraska
Jump to solution

find an affected client and look at the certificate chain of the failing certificate.

Figure out, if the root ca cert is

  1. displayed
  2. trusted

If it is not trusted, look at the trusted store. Figure out, why it is not there or why it doesn't match.

Also, try to find out if all https sites fail or just some (might be related to sk104717)

View solution in original post

14 Replies
cstueckrath
Collaborator
‎2018-08-24 06:15 AM
Jump to solution

I suspect the outbound certificate to be the root cause.

Is it really a CA or intermediate CA certificate?

Please share a screenshot of the chain as well

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:24 AM
In response to cstueckrath
Jump to solution

Hello Christian

It is a CA that was created. not all of the users report errors

Please find attached some details

cert.docx
Preview file
74 KB
0 Kudos
cstueckrath
Collaborator
‎2018-08-24 06:27 AM
In response to Felipe_Muraska
Jump to solution

I see the root ca certificate as not trusted. You have to import it to your computer's trusted root CAs

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:29 AM
In response to cstueckrath
Jump to solution

its been imported already on customer network, the screenshot was just from my computer ( not part of customer network). but still errors are generated.

0 Kudos
cstueckrath
Collaborator
‎2018-08-24 06:36 AM
In response to Felipe_Muraska
Jump to solution

find an affected client and look at the certificate chain of the failing certificate.

Figure out, if the root ca cert is

  1. displayed
  2. trusted

If it is not trusted, look at the trusted store. Figure out, why it is not there or why it doesn't match.

Also, try to find out if all https sites fail or just some (might be related to sk104717)

Felipe_Muraska
Participant
‎2018-08-24 06:46 AM
In response to cstueckrath
Jump to solution

Thank you, will check on that

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 12:44 PM
In response to cstueckrath
Jump to solution

Hello Crhis

I was able to replicate the issue in the lab and sk104717 was spot on for the bank APPs.

For the browser Im thinking its a issue on the deployment, since it on my lab worked fine using the CP certificate to all URLs

0 Kudos
Pedro_Espindola
Advisor
‎2018-08-24 06:26 AM
Jump to solution

Hello Felipe,

Please hit F12 on your browser, go to "Security" tab and check what errors the browser found.

Post them here so we can further help you.

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:30 AM
In response to Pedro_Espindola
Jump to solution

Hi Pedro,

I`m trying to get a testing machine on customer`s environment to begin testing to replicate the issue, just wanted to see if anyone else had this problem and how they solved since the issue does not appear to all customers

0 Kudos
Pedro_Espindola
Advisor
‎2018-08-24 12:40 PM
In response to Felipe_Muraska
Jump to solution

If the issue does not appear to all users it might be a failure to deploy the CA certificate to all costumers.

From the screeshots you sent it seems to be a simple issue of untrusted CA.

You should hit F12 and check the Security tab, where the browser will tell you exactly why the connection is not safe.

0 Kudos
Felipe_Muraska
Participant
‎2018-08-24 06:26 AM
Jump to solution

Also, do I need to upload that certificate to the Trusted CA tabs on HTTPS inspcetion ?

0 Kudos
Marco_Valenti
Advisor
‎2018-08-24 08:47 AM
In response to Felipe_Muraska
Jump to solution

It should be not needed , did you select in the https policy the right certificate that you have uploaded to the management?

0 Kudos
Felipe_Muraska
Participant
‎2018-08-27 02:33 PM
Jump to solution

Another thing came up

I enabled the enhanced_ssl_inspection for non browser APPS would work and worked great, however I stopped servind my ceritificate to the users, is there a way to fix that ? non browser APPs work and as well my certificate is delivered to end user ?

0 Kudos
Pedro_Espindola
Advisor
‎2018-08-29 09:23 AM
In response to Felipe_Muraska
Jump to solution

What do you mean by "stopped serving the certificate to the end user"?

Some apps use their own CA certificates repository, not the repository of the system. For instance, Firefox browser does not read the certificates installed in Windows, you have to install it again to the Firefox repository. Check if any of your Apps or browsers have this problem.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top