  1. #1
    Master Untangler
    Join Date
    Jun 2015
    Location
    NW Arkansas
    Posts
    234

    Default Server Certificate Verification - Missing?

    Just saw this thread has been closed. Am unable to figure this out:
    https://forums.untangle.com/ssl-insp...sing-cert.html

    My NGFW is reporting a server cert verification missing for all 3 - HTTPS, SMTPS, IPSEC.

    Am using a Comodo Wildcard SSL Certificate to access my NGFW externally without issue. Under Config > Admin > Certificates, this SSL is checked for HTTPS, SMTPS, IPSEC.

    Under Config > Network > Hostname, I have input my hostname + domain and selected the option to: Use Hostname.

    Yet this missing error continues in top right of screen on NGFW 13.2.

    If I attempt to Generate a new Certificate Authority, it doesn't rectify the issue.

    If I generate a new Server Certificate and input my full hostname as the CN, then select this new server cert, checking off HTTPS, the missing error goes away, however I am then unable to access the NGFW remotely securely. I receive a browser exception since it can't verify the certificate.

    Can't quite tell, but seems this may be a bug with the verification not being re-checked when hostname is updated and matches a verified authority.

  2. #2
    Master Untangler
    Join Date
    Jun 2015
    Location
    NW Arkansas
    Posts
    234

    Default Server Certificate Verification - Missing?

    Have since opened a support ticket for this. Can't find a way in NGFW 13.2 to refresh the missing cert checks after a third party SSL cert uploaded.

    As a result SSL Inspector not working.


  3. #3
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,389

    You cannot use a purchased certificate with inspector. You cannot purchase a certificate that's valid for the whole world.

    You can use a wildcard certificate on your Untangle for administrative purposes, but that's all.

    It sounds to me like it's working properly, you're just trying to do something you simply cannot do.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  4. #4
    Master Untangler
    Join Date
    Jun 2015
    Location
    NW Arkansas
    Posts
    234

    Thanks Sky-night. Good info. Now understand why it's not possible to use a purchased SSL cert for both the HTTPS webadmin and SSL inspector. But is it possible to use a purchased SSL for remote access of webadmin, then generate a new server CERT AUTHORITY on the NGFW to be used for SSL inspector?

    Sorry if I misunderstood. Wasn't sure whether both were possible.
    Last edited by miles267; 02-12-2018 at 01:24 PM.

  5. #5
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747

    Be careful of using the word "certificate" to describe both a certificate and a certificate authority.
    I know a lot of people do it, but that's where a lot of this confusion is coming from.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,389

    Quote Originally Posted by miles267
    Thanks Sky-night. Good info. Now understand why it's not possible to use a purchased SSL cert for both the HTTPS webadmin and SSL inspector. But is it possible to use a purchased SSL for remote access of webadmin, then generate a new server CERT AUTHORITY on the NGFW to be used for SSL inspector?

    Sorry if I misunderstood. Wasn't sure whether both were possible.

    Yes, they are both very separate things. When you look at config -> administration -> certificates the screen is split in half.

    The Certificate Authority section is what you manipulate to work with SSL inspector. From there you can generate a new authority, and download its root certificate for deployment to end points.

    The Server Certificates section is what you manipulate to control what SSL certificate is used by the admin interface.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  7. #7
    Master Untangler
    Join Date
    Jun 2015
    Location
    NW Arkansas
    Posts
    234

    Quote Originally Posted by sky-knight
    The Certificate Authority section is what you manipulate to work with SSL inspector. From there you can generate a new authority, and download its root certificate for deployment to end points.

    Thanks for clarifying. When generating a new Certificate Authority, what should be input for the CN? For example, if my hostname=example and domain=domain.com.

    Under Config > Network > Hostname, my settings are:
    hostname: example
    domain: domain.com
    Radio button is selected as: Use hostname.

    Perhaps this should actually be: Use IP Address from External Interface (Default)?

  8. #8
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,891

    The CN can be most anything.

    The real trick will be getting all of your devices to TRUST your new certificate authority after you've created it.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.4.1 to protect 500Mbits for ~450 residential college students and associated staff and faculty
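
Added example, not part of any post in this thread and not Untangle's own code: the certificate versus certificate authority distinction from posts #5 and #6, and the endpoint trust requirement from post #8, shown with plain OpenSSL. It assumes OpenSSL 1.1.1 or later; every name in it (Demo Inspection CA, the example.test hosts, the file names) is made up.

```shell
#!/usr/bin/env bash
# Constructed demo; every name here (Demo Inspection CA, *.example.test) is made up.
WORK=$(mktemp -d)
q() { "$@" >/dev/null 2>&1; }   # quiet wrapper: only exit codes matter

build_pki() {
  cd "$WORK" || return 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
EOF
  # Certificate authority: self-signed, CA:TRUE. Its CN is only a label.
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config pki.cnf \
    -extensions ca_ext -subj "/CN=Demo Inspection CA" -keyout ca.key -out ca.pem || return 1
  # Server certificate: CA:FALSE, issued by the CA (stands in for any leaf cert).
  issue ca leaf "/CN=www.example.test" || return 1
  # A server certificate's key used to sign a certificate for another host.
  issue leaf minted "/CN=other.example.test"
}

# issue <signer> <name> <subject>: make a CSR for <name>, sign it with <signer>.
issue() {
  q openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "$3" \
    -keyout "$2.key" -out "$2.csr" &&
  q openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 30 -extfile pki.cnf -extensions leaf_ext -out "$2.pem"
}

# Endpoint that imported the CA root accepts the leaf.
trusted_endpoint() { q openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem"; }
# Endpoint without the root rejects the very same leaf.
untrusted_endpoint() { q openssl verify -no-CAfile -no-CApath "$WORK/leaf.pem"; }
# Even with the root trusted, a chain through a CA:FALSE certificate is rejected.
leaf_as_ca() {
  q openssl verify -CAfile "$WORK/ca.pem" -untrusted "$WORK/leaf.pem" "$WORK/minted.pem"
}

build_pki || echo "openssl setup failed" >&2
trusted_endpoint   && echo "leaf, CA root installed: accepted"
untrusted_endpoint || echo "leaf, CA root missing:   rejected"
leaf_as_ca         || echo "cert signed by leaf key: rejected (issuer is not a CA)"
```

The third check is why a server certificate, purchased or not, cannot stand in for the authority: verifiers refuse any chain whose issuer is marked CA:FALSE.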
