  1. #1
    Untanglit
    Join Date
    Oct 2015
    Posts
    15

    SSL Inspector not recognizing trusted certificate

    Hello, apologies if this has been asked before but I could not find any information on it. I got a free 90-day SSL cert from Comodo to try out on my network as I am hoping to replace the self-signed default cert provided with Untangle.

    I got the Comodo cert installed and the internal webserver shows as a valid cert in Firefox. Since I use SSL Inspector, I am trying to have it use that Comodo cert instead of the Untangle cert so as to avoid importing the self-signed cert into the Firefox repository. The reason is that the cert.db for Firefox keeps getting clogged and causes page loading delays of "performing TLS handshake". So I thought adding a trusted cert would relieve that issue.

    I added the Comodo cert to the trusted cert list in SSL Inspector but it still insists on using the self-signed Untangle cert even though I have checked all boxes under Administration > Certificates to point to the Comodo. I even rebooted Untangle but it still won't work. So any site that I configured under rules to inspect will not load, indicating an invalid cert, meaning it is trying to use the Untangle self-signed cert when not installed. What am I missing?

    My Untangle Build: 14.1.2
    Last edited by Evancool; 06-18-2019 at 08:59 PM.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    A cert is not the same thing as a certificate authority.
    Are you trying to use your cert instead of one generated by the CA in Untangle? That's not going to work. You need to import the root CA.

    If you are talking about the cert a browser gets when an HTTPS session is SSL inspected, it will be a cert generated from the root CA from within Untangle, allowing it to do inspection. This has nothing to do with the cert used for HTTPS services on the Untangle device itself.
    Last edited by dmorris; 06-18-2019 at 09:14 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Untanglit
    Join Date
    Oct 2015
    Posts
    15


    Thanks for the reply. So if I am understanding correctly, installing a Comodo CA is completely pointless?

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,163


    You do not have a CA (Certificate Authority), you have a domain certificate.

  5. #5
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,747


    Quote Originally Posted by Evancool View Post
    Thanks for the reply. So if I am understanding correctly, installing a Comodo CA is completely pointless?
    Depends on why you need it. It will allow you to access some local https services (admin, quarantine, reports, etc) without a cert warning

  6. #6
    Untanglit
    Join Date
    Oct 2015
    Posts
    15


    Understood. My primary browser is Firefox (latest version), which uses its own certificate repository unlike IE and Chrome. So Firefox stores self-signed certs in a cert8.db and cert9.db in the user profile. Upon researching a Firefox forum, an issue I was having with webpage loading latency could be resolved by deleting those db files and letting Firefox regenerate them. Of course this meant reimporting the Untangle cert.

    Over a period of a couple of weeks, the problem returns with the page loading latency where Firefox stalls on "performing a TLS handshake". As part of my troubleshooting, I hypothesized that SSL Inspector had compatibility issues with Firefox where each time I visited a page to be inspected, Firefox would store another instance of that self-signed Untangle cert in the db file, eventually bloating the file and causing the latency.

    So my thought process was to try a supported SSL cert from Comodo to see if that would resolve the issue of Firefox bloating its db file, since it would theoretically mean that it would not have to store the self-signed cert over and over again. At least I think that is what is happening.

    But now that I know configuring SSL Inspector to use that Comodo cert is not possible, I guess I will just have to find another solution.

  7. #7
    Newbie
    Join Date
    Jul 2019
    Location
    Darwin, Au
    Posts
    6


    I have found installing a domain-validated CA cert allows remote HTTPS access to my system dashboard but doesn't let SSL Inspector work.

    And changing back to use the untangle certs breaks access via SSL.

    What am I doing wrong?

  8. #8
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    8,163


    SSL Inspector uses its own Certificate Authority (not a domain certificate). These are separate and completely different. The Certificate Authority generates domain certificates on the fly for SSL inspection.
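One way to see the distinction jcoffin describes, as an added example that is not part of the thread and not Untangle's own code: a private root CA mints a per-site leaf that validates against the root, while a domain certificate (CA:FALSE) pressed into service as an issuer produces a chain that validation rejects. It assumes the openssl CLI (1.1.1 or newer) on the path; host names and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not Untangle code): uses the openssl CLI
# to show why a domain (leaf) certificate cannot act as SSL Inspector's CA.
# Host names and file names here are constructed for the demo.
WORK=$(mktemp -d)

# Sign a CSR. $1 csr  $2 ext file  $3 out cert  $4.. issuer args (-signkey or -CA/-CAkey)
sign_csr() {
  csr=$1; ext=$2; out=$3; shift 3
  openssl x509 -req -in "$csr" -days 7 -sha256 -extfile "$ext" -out "$out" "$@" >/dev/null 2>&1
}

# Key pair plus CSR for a subject. $1 CN  $2 basename
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
}

# A private root CA, the role Untangle's generated CA plays: basicConstraints CA:TRUE.
make_root_ca() {
  make_csr "Demo Inspection Root CA" ca \
    && printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext" \
    && sign_csr "$WORK/ca.csr" "$WORK/ca.ext" "$WORK/ca.pem" -signkey "$WORK/ca.key"
}

# Mint a leaf for one host "on the fly". $1 host  $2 issuer cert  $3 issuer key  $4 basename
issue_leaf() {
  make_csr "$1" "$4" \
    && printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$WORK/$4.ext" \
    && sign_csr "$WORK/$4.csr" "$WORK/$4.ext" "$WORK/$4.pem" -CA "$2" -CAkey "$3" -CAcreateserial
}

# Validate like a browser would. $1 trusted root  $2 leaf  $3 (optional) untrusted intermediate
verify_leaf() {
  root=$1; leaf=$2; inter=$3; set --
  [ -n "$inter" ] && set -- -untrusted "$inter"
  if openssl verify -CAfile "$root" "$@" "$leaf" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Case 1, the SSL Inspector model: the client trusts the private root; leaves are minted per site.
inspection_with_private_ca() {
  make_root_ca && issue_leaf www.example.com "$WORK/ca.pem" "$WORK/ca.key" site \
    && verify_leaf "$WORK/ca.pem" "$WORK/site.pem"
}

# Case 2, the thread's mistake: sign another site's cert with the domain cert (CA:FALSE).
# openssl will sign it, but chain validation rejects the result ("invalid CA certificate").
inspection_with_domain_cert() {
  [ -f "$WORK/site.pem" ] || inspection_with_private_ca >/dev/null
  issue_leaf mail.example.com "$WORK/site.pem" "$WORK/site.key" other || { echo fail; return; }
  verify_leaf "$WORK/ca.pem" "$WORK/other.pem" "$WORK/site.pem"
}

echo "private CA as issuer:  $(inspection_with_private_ca)"    # ok
echo "domain cert as issuer: $(inspection_with_domain_cert)"   # fail
```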

  9. #9
    Newbie
    Join Date
    Jul 2019
    Location
    Darwin, Au
    Posts
    6


    As soon as I do step 4 from these instructions I get an SSL error for an untrusted domain for the web interface of my untangle server.

    https://support.untangle.com/hc/en-u...ficate-on-NGFW

  10. #10
    Untangle Ninja f1assistance's Avatar
    Join Date
    Apr 2009
    Location
    Holly Springs, NC
    Posts
    1,088


    "COMpfun successor Reductor infects files on the fly to compromise TLS traffic"
    https://tinyurl.com/y65annbn
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
