B_P
Advisor

HTTPS Inspection: "Certificate chain is inconsistent" for wildcard domain?

When browsing to a website such as www.thisdomain.io, which uses a *.thisdomain.io wildcard certificate, the firewall blocks it, saying:

"Certificate chain is inconsistent. Certificate DN: 'CN=*.thisdomain.io' Requested Server Name: www.thisdomain.io See sk159872".

Everything in the sk article checks out and I'm not seeing any issues. What's odd is the example in the sk even shows a wildcard. Is it having an issue with the .io TLD?

What's even odder is that the website works sporadically. No issues if browsing the website off-premise (i.e. not going through a cpfw). R81.10 latest JHF.

5 Replies
the_rock
Legend

0 Kudos
PhoneBoy
Admin

This is most likely a side effect of SNI Verification and something on the remote end that isn't configured correctly... perhaps on only one server in a pool of them.
You might need the TAC to assist in debugging this.

B_P
Advisor

I scanned it with Qualys and it got a B grade as it has chain, alternative name and SNI issues...... I guess I'll reach out to them.

0 Kudos
Alex-
Advisor

0 Kudos
B_P
Advisor

Looks like there's no issues:


WSTLSD log:

[1 Feb 9:39:12] fwCert_cache::val_free: free fwCert from Cache. refCount: 0, CN=*.thisdomain.io
[1 Feb 9:39:12] fwCert_cache::Put: added fwCert 0xab10200 to cache
[1 Feb 9:39:12] fwCert_cache::Get: added new cert object to cache: *.thisdomain.io
[1 Feb 9:39:12] fwCert_cache::Get: cache hit for : 16
[1 Feb 9:39:12] cpSRSA_imp::Verify: Entering...
[1 Feb 9:39:12] kmsg_read_local: 9 kmsgs handled

[1 Feb 9:39:12] Comparing SNI www.thisdomain.io against 2 alternative names
[1 Feb 9:39:12] SNI matches alternate name *.thisdomain.io
[1 Feb 9:39:12] Comparing SNI www.thisdomain.io against 2 alternative names
[1 Feb 9:39:12] SNI matches alternate name *.thisdomain.io


 

0 Kudos
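
The thread's two observations (the log comparing the SNI against the certificate's alternative names, and the suggestion that only one server in a pool may be misconfigured) can be checked together. The following is an added example, not code from the thread or from Check Point: it applies RFC 6125-style wildcard matching to the SAN list of each pool member and reports which backends would fail for the requested name. The backend names and SAN lists are constructed; in practice they would be read from the certificate each pool member presents for that SNI.

```python
# Added example. Backend names and SAN lists are constructed sample data,
# not values taken from the thread or from any real server.

def san_matches(sni, san):
    """RFC 6125-style match of one dNSName SAN against the requested server name."""
    sni_labels = sni.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(sni_labels) != len(san_labels):
        return False  # '*' stands for exactly one label, never zero or several
    if san_labels[0] == "*":
        # Accept a wildcard only as the entire left-most label, and only when
        # at least two fixed labels follow it (so '*.io' is rejected).
        return len(san_labels) >= 3 and sni_labels[1:] == san_labels[1:]
    # No partial wildcards ('w*.example') and no wildcard in other positions.
    return "*" not in san and sni_labels == san_labels


def check_pool(sni, pool):
    """Map each backend to the first SAN that matched the SNI, or None."""
    return {
        backend: next((s for s in sans if san_matches(sni, s)), None)
        for backend, sans in pool.items()
    }


def inconsistent_backends(sni, pool):
    """Backends whose certificate has no SAN covering the requested name."""
    return sorted(b for b, hit in check_pool(sni, pool).items() if hit is None)


# Constructed pool: three servers behind one name, one serving a different cert.
SAMPLE_POOL = {
    "backend-a": ["*.thisdomain.io", "thisdomain.io"],
    "backend-b": ["*.thisdomain.io", "thisdomain.io"],
    "backend-c": ["*.cdn.example.net", "cdn.example.net"],
}

if __name__ == "__main__":
    for backend, hit in check_pool("www.thisdomain.io", SAMPLE_POOL).items():
        status = f"SNI matches alternate name {hit}" if hit else "no SAN matches SNI"
        print(f"{backend}: {status}")
```

A pool where only some members fail this check would produce the sporadic behaviour described in the question, since a clean result from one connection says nothing about the other members.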
