Ironport WSA S380 AsyncOS 8.8.0 UNRECOGNIZED_ROOT_CERT Issue

lide.one
Level 1
Level 1

Hi,

I have problems with our Cisco WSA S380 with activated HTTPS inspection.
Several HTTPS websites don't open, for example the Account Manager on cisco.com.


First a certificate error message appears in the browser and WSA gives the following output:


Datum: Wed, 29 Jul 2015 08:23:09 GMT
Benutzername: <removed>
Quell-IP: <removed>
URL: GET https://slogin.cisco.com/obrareq.cgi?wh%3Dtools-prod1.cisco.com%20wu%3D%2FRPFA%2Fprofile%2Fprofile_management.do%20wo%3D1%20rh%3Dhttp%3A%2F%2Ftools.cisco.com%20ru%3D%252FRPFA%252Fprofile%252Fprofile_management.do
Kategorie: Computers and Internet
Grund: UNRECOGNIZED_ROOT_CERT
Meldung: CERT_INVALID


2nd Website with the same behaviour:

Datum: Wed, 29 Jul 2015 08:29:27 GMT
Benutzername: <removed>
Quell-IP: <removed>
URL: GET https://www.sdk.at/
Kategorie: Business and Industry
Grund: UNRECOGNIZED_ROOT_CERT
Meldung: CERT_INVALID

Does anybody know why this happens?


Regards,

Roman

7 Replies

I have found that occasionally the WSA can't put the whole cert chain together. I don't know if it's a bug in the WSA or if the web servers have an issue. To work around it I upload the intermediate cert that the site is using to the WSA.


Go to the website in question on a browser that isn't behind the WSA. Click on the lock icon that appears in the address bar of the browser and look at the chain. Save the intermediate and root cert as a Base64 PEM file.

On the WSA, go to Security Services/HTTPS Proxy and click on the Manage Root Certs button.

Upload the intermediate and root cert.  Once uploaded, the root may be marked as already present. If so you can delete it. Commit the change and test...

Hi Ken,


thank you for your response. I have tried your workaround but it doesn't work.

I have uploaded the intermediate certificates to the WSA and committed the changes, but the error message appears the same as without the intermediate certificates.

Now I deleted the root certificate because it was already in the WSA.
I tested again and the certificate warning appeared as well but the website opened.

Is this normal behaviour?

You shouldn't get the warning...

I have seen this happen when the proxy didn't restart at the commit time. Kicking the proxy, or making another config change that forced it to restart, cleared it up.

A reboot of WSA helped, but I can't imagine that all of that works as designed!


Thank you!

Yeah, that didn't work the way it should.  When you committed the change to the certs, it should have picked it up, but I've seen it NOT pick it up, requiring a proxy restart.


You can restart the proxy WITHOUT rebooting from the CLI:

wsav> diagnostic

Choose the operation you want to perform:
- NET - Network Diagnostic Utility.
- PROXY - Proxy Debugging Utility.
- REPORTING - Reporting Utilities.
[]> proxy

- SNAP    - Take a snapshot of the proxy
- OFFLINE - Take the proxy offline (via WCCP)
- RESUME  - Resume proxy traffic via (via WCCP)
- CACHE   - Clear proxy cache
[]> kick


OR in the GUI, change logging level on WCCP, or any other change that notifies you that it requires a proxy restart.


Side note for others following: Cert management is under Network/Certificate Management... I think it moved in 8.5?

The problem is actually a bug: CSCug82979
