  1. #1
    Untanglit
    Join Date
    Oct 2015
    Posts
    15

    SSL Inspector not recognizing trusted certificate

    Hello, apologies if this has been asked before but I could not find any information on it. I got a free 90-day SSL cert from Comodo to try out on my network as I am hoping to replace the self-signed default cert provided with Untangle.

    I got the Comodo cert installed and the internal webserver shows as a valid cert in Firefox. Since I use SSL Inspector, I am trying to have it use that Comodo cert instead of the Untangle cert so as to avoid importing the self-signed cert into the Firefox repository. The reason is that the cert.db for Firefox keeps getting clogged and causes page loading delays of "performing TLS handshake". So I thought adding a trusted cert would relieve that issue.

    I added the Comodo cert to the trusted cert list in SSL Inspector but it still insists on using the self-signed Untangle cert even though I have checked all boxes under Administration > Certificates to point to the Comodo. I even rebooted Untangle but it still won't work. So any site that I configured under rules to inspect will not load, indicating an invalid cert, meaning it is trying to use the Untangle self-signed cert when not installed. What am I missing?

    My Untangle Build: 14.1.2
    Last edited by Evancool; 06-18-2019 at 08:59 PM.

  2. #2
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,729

    A cert is not the same thing as a certificate authority.
    Are you trying to use your cert instead of one generated by the CA in Untangle? That's not going to work. You need to import the root CA.

    If you are talking about the cert a browser gets when an HTTPS session is SSL inspected, it will be a cert generated from the root CA from within Untangle, allowing it to do inspection. This has nothing to do with the cert used for HTTPS services on the Untangle device itself.
    Last edited by dmorris; 06-18-2019 at 09:14 PM.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com
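
The difference between a domain certificate and a CA certificate described in the reply above, as an added example that is not part of the original posts or of Untangle's code. It assumes OpenSSL 1.1.1 or later is installed; the names demo-root, fw.example.test and site.example.test are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added demo; every name below (demo-root, fw.example.test, site.example.test) is constructed.
D=$(mktemp -d)
cat > "$D/x.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
EOF

# issue NAME CN SIGNER: make a key + CSR for CN, then sign it as a leaf with SIGNER's cert/key.
issue() {
  openssl req -new -config "$D/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
  openssl x509 -req -in "$D/$1.csr" -CA "$D/$3.crt" -CAkey "$D/$3.key" -CAcreateserial \
    -extfile "$D/x.cnf" -extensions leaf_ext -days 30 -out "$D/$1.crt" 2>/dev/null
}

# is_ca NAME: "yes" if the certificate asserts basicConstraints CA:TRUE, else "no".
is_ca() {
  if openssl x509 -in "$D/$1.crt" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# chain_ok NAME [INTERMEDIATE]: "ok" if a client that trusts only the root accepts NAME.
chain_ok() {
  if openssl verify -CAfile "$D/root.crt" ${2:+-untrusted "$D/$2.crt"} "$D/$1.crt" >/dev/null 2>&1
  then echo ok; else echo rejected; fi
}

# Root CA: self-signed with CA:TRUE, the kind of certificate an inspecting proxy signs with.
openssl req -x509 -config "$D/x.cnf" -extensions ca_ext -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=demo-root" -keyout "$D/root.key" -out "$D/root.crt" 2>/dev/null
issue fw   fw.example.test   root   # domain certificate for the appliance's own web UI
issue good site.example.test root   # per-site certificate minted by the CA
issue bad  site.example.test fw     # per-site certificate minted with the domain cert's key

echo "root is CA: $(is_ca root)   fw is CA: $(is_ca fw)"
echo "site cert signed by root: $(chain_ok good)"
echo "site cert signed by fw:   $(chain_ok bad fw)"
```

The last line reports `rejected` because the domain certificate carries CA:FALSE, so a client will not accept anything it signs, even though the domain certificate itself chains to a trusted root.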

  3. #3
    Untanglit
    Join Date
    Oct 2015
    Posts
    15

    Thanks for the reply. So if I am understanding correctly, installing a Comodo CA is completely pointless?

  4. #4
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    7,840

    You do not have a CA (Certificate Authority), you have a domain certificate.

  5. #5
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,729

    Originally posted by Evancool:
        Thanks for the reply. So if I am understanding correctly, installing a Comodo CA is completely pointless?

    Depends on why you need it. It will allow you to access some local https services (admin, quarantine, reports, etc) without a cert warning.

  6. #6
    Untanglit
    Join Date
    Oct 2015
    Posts
    15

    Understood. My primary browser is Firefox (latest version), which uses its own certificate repository, unlike IE and Chrome. So Firefox stores self-signed certs in a cert8.db and cert9.db in the user profile. Upon researching a Firefox forum, an issue I was having with webpage loading latency could be resolved by deleting those db files and letting Firefox regenerate them. Of course this meant reimporting the Untangle cert.

    Over a period of a couple of weeks, the problem returns with the page loading latency where Firefox stalls on "performing a TLS handshake". As part of my troubleshooting, I hypothesized that SSL Inspector had compatibility issues with Firefox where each time I visited a page to be inspected, Firefox would store another instance of that self-signed Untangle cert in the db file, eventually bloating the file and causing the latency.

    So my thought process was to try a supported SSL cert from Comodo to see if that would resolve the issue of Firefox bloating its db file, since it would theoretically mean that it would not have to store the self-signed cert over and over again. At least I think that is what is happening.

    But now that I know configuring SSL Inspector to use that Comodo cert is not possible, I guess I will just have to find another solution.
