08-15-2018 01:02 AM - edited 03-08-2019 05:42 PM
A developer raised a ticket that he was unable to update packages from files.pythonhosted.org and several other related sites.
Doing some troubleshooting, the user was able to connect to the site from outside the corp network.
We checked ASA for denies, FirePower for blocks and Umbrella for blocked DNS entries. Umbrella did not have a block for https://files.pythonhosted.org, and we were able to browse to the site. But packages still failed.
Output from the update tool threw an error about "..unable to validate certificate..", so I checked that the client was able to connect to all AIAs in the certificate chain. Some AIA pointers failed, but the entire chain was valid. But just to make sure I reconfigured the DNS to Google, and the update tool worked!
Back to Umbrella, no blocks for files.pythonhosted.org, but added the sites and the others to the global allow list and then it all worked.
The only thing that struck me was that files.pythonhosted.org's certificate was issued by Umbrella!
Did I miss some configuration in Umbrella?
08-15-2018 03:17 PM - edited 08-15-2018 03:19 PM
Hi,
If Umbrella blocks the site it will be redirected to Umbrella, that's why you probably see the Umbrella certification.
Not sure why it would have been blocked. Do you have Log All or Log Only Security activated on the policy that was used?
br, Mikael
08-15-2018 11:19 PM
We didn't get any redirect when we accessed the site via Chrome or IE.
Just checked this moment, and the certificate on the site is now issued by GlobalSign, and not Umbrella as we saw previously.
Did the Umbrella certificate indicate that the site was blocked, but the browser somehow messed up the page?
Don't know about logging - how do I confirm this setting? If I use "Activity Search" and throw in "files.pythonhosted.org" and Blocked, there's nothing?
08-16-2018 01:57 PM
If you look in the policy under advanced options you will find Logging settings.
Yes, if the client was using https and was redirected to Umbrella because of a block, you would need to have the root certificate from Umbrella installed on that client for the page to work.
You have the root certificate download link under the same advanced settings in the policy.
br, Mikael
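
Added example, not part of any post in this thread: a script that resolves a host through the resolver the client normally uses and through Google DNS, then compares who issued the certificate served at each answer. It assumes `dig` and `openssl` are installed, that the second argument is the IP of the Umbrella-pointed resolver, and that an Umbrella-issued certificate has "Umbrella" in its issuer name; the function names are illustrative.

```shell
#!/usr/bin/env bash
# Added example: who answers for a host, and with whose certificate,
# depending on which DNS resolver the client uses.

# Classify an issuer line as printed by `openssl x509 -noout -issuer`.
# Assumption: an Umbrella-issued certificate names "Umbrella" in its issuer.
classify_issuer() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    "")         echo "no-certificate" ;;
    *umbrella*) echo "umbrella" ;;
    *)          echo "other" ;;
  esac
}

# Combine the result for the normal resolver ($1) and the public one ($2).
verdict() {
  if [ "$1" = "umbrella" ] && [ "$2" = "other" ]; then
    echo "umbrella-answering"   # block page or proxy served instead of the site
  elif [ "$1" = "other" ] && [ "$2" = "other" ]; then
    echo "not-umbrella"         # look elsewhere (trust store, AIA fetches, proxy)
  else
    echo "inconclusive"
  fi
}

# Resolve host ($1) via resolver ($2), connect to the first IPv4 answer
# with SNI set to the host, and print the issuer of the served certificate.
issuer_via() {
  ip=$(dig +short "@$2" "$1" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n1)
  [ -n "$ip" ] || return 0
  openssl s_client -connect "$ip:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer 2>/dev/null || true
}

# Usage: ./script.sh files.pythonhosted.org <resolver-ip>
if [ "$#" -eq 2 ]; then
  corp=$(classify_issuer "$(issuer_via "$1" "$2")")
  pub=$(classify_issuer "$(issuer_via "$1" 8.8.8.8)")
  echo "$1 via $2: $corp; via 8.8.8.8: $pub => $(verdict "$corp" "$pub")"
fi
```

Running it from the affected client rather than a browser session matters here, because the update tool and the browser may not share a trust store or a cached DNS answer.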