wccp https redirect. Most sites are trusted, but some become untrusted

keithsauer507

Hi, I found bug CSCum86749 but I'm not sure it applies to AsyncOS 9.1.2-022 on our S170 IronPort appliance.  I posted in the bug posts area here: https://supportforums.cisco.com/discussion/13352466/cscum86749-some-https-sites-say-untrusted-certificate-warning-san-bruno but just in case this is a configuration issue I will repost here.

We turned on https filtering via wccp (finally) to a small group of users for a test.

We have our internal domain CA cert generated and loaded on the IronPort S170.

For the most part, things work perfectly.  The certificates are trusted on websites and it always shows our root cert at the top.

However there are a few websites that IE gives a Certificate error.  One for example is www.ncua.gov.

If you view the Certification Path in IE it shows
Untrusted Certificate Warning

www.ncua.gov

If I click View Certificate on Untrusted Certificate Warning, it shows this information:

CN = Untrusted Certificate Warning
L = San Bruno
S = California
O = Cisco IronPort Systems, Inc.
C = US.

Any idea why I am getting this on some sites?  I go to the same sites on another machine that does not have https wccp redirected to the IronPort and I do not get the same problem, so I do not see it as an issue with the website.

Does it have to do with bug CSCum86749?  We are on 9.1.2-022 for Web.

Thank you for your assistance as we try to get people off of Facebook and other sites that now default to HTTPS communication.


9.x and before had issues with getting the intermediate cert chain. 

You have 2 options:

Get to 10.x

Or

Go to the website with IE, not behind the WSA, and click on the lock in the address bar.  Save the intermediate and root cert (usually not needed, but just in case)...

Now on the WSA go to Network/Certificates/Manage Trusted Certificates.  Import the intermediate and root cert.  They will show up in a grid, with a label if they're already on the WSA (probably the root).  You can delete the ones already on the WSA....  Submit/commit and then test.

I've got about 20 that I've done this for...

(No I didn't read the bug before answering.  Yes it's that bug)
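The failure Ken describes is a chain-building problem: the proxy's trust store holds the root but the server never sends the intermediate, so the leaf cannot be linked to anything trusted until that intermediate is imported. The Go program below is an added illustration, not code from the thread or from Cisco; it builds a constructed root -> intermediate -> leaf PKI (the CA names and www.example.test are made up) and verifies the leaf against a root-only trust store, first without and then with the intermediate, reproducing the "untrusted" outcome and its fix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parent's key; a nil parent makes a self-signed root.
// The whole PKI here is constructed for the demonstration and is not any real CA.
func issue(cn string, isCA bool, serial int64, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // hostname SAN and serverAuth EKU belong on the end-entity cert only
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demo builds root -> intermediate -> leaf and verifies the leaf against a root-only trust store.
func demo() (withoutInter, withInter error) {
	root, rootKey := issue("Constructed Root CA", true, 1, nil, nil)
	inter, interKey := issue("Constructed Intermediate CA", true, 2, root, rootKey)
	leaf, _ := issue("www.example.test", false, 3, inter, interKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the proxy's trust store knows the root, as the WSA's list did
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: leaf.Subject.CommonName}
	_, withoutInter = leaf.Verify(opts) // server sent no intermediate: "signed by unknown authority"
	inters.AddCert(inter)               // the equivalent of importing the intermediate on the WSA
	_, withInter = leaf.Verify(opts)
	return
}
```

The same check can be run against a real site by replacing the constructed chain with the certificates `openssl s_client -showcerts` returns; if the server omits the intermediate, the root-only verification fails exactly as in the thread.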

Thanks Ken,

I think I will update to 10 and see if it fixes it.  Something happened recently where I can't log into either the WSA or ESA with Google Chrome anymore.  I click the blue Login button and nothing happens.  Works fine in Firefox.

Maybe Async OS 10.1.1 build 235 will help that as well.

Nope. That won't fix it.

Chrome made a change to how headers are handled... there are a couple of discussions around.  I'll send you links when I get to a computer...

Discussion and a workaround is here:

https://supportforums.cisco.com/discussion/13343031/chrome-60-wont-login-esa-web-ui

Ok I upgraded to 10.1.1 build 235.  It took about 3 hours to complete from download until back up and processing traffic.

It's an S170 hardware appliance.  It never was fast in the web GUI, and still isn't... but it's manageable with patience.  CPU: 29.1%, RAM 79.7%, Reporting/Logging Disk: 63.8%.

It fixed many of the certificate errors, but not all.  On one site through the WSA I still get an Untrusted certificate error. On my other machine that does not have https going through the WSA, there is no cert error, and the certificate line of trust is:

Entrust (2048)
Entrust Certification Authority - L1K
tcva.fms.treas.gov

Even in IE I'm not sure how to save this certificate off.  There is a "View Certificate" button but no save certificate.  Inside the certificate details, the buttons Edit Properties and Copy to File are greyed out.

I can download root certificates from entrust.com but I'm not sure that will do it.

Regarding the Chrome login issue, it seems that they can't leave things be with Chrome.  It's why I keep Firefox ESR around when Google wants to go a little too out there on the "bleeding edge".  Thank you for the link, I'll take a look at it when I get some time.

You have to start it using "Run as admin" (that fixed it for me on Win 10).

Ok thank you!  I was able to get two certs saved.  I wasn't sure which format but I picked Base 64.  I uploaded them and now there are 3 custom certs (our Internal CA, Entrust (2048) and Entrust Certification Authority - L1K).

System says:

365 certificates in Cisco trusted root certificate list
3 custom certificates added to trusted root certificate list

There are Entrust ones in the list of 365, but not the L1K one.

I saved and committed the changes, however I still get the cert error on my test machine on this particular website.

Were you saving them as base 64, or DER?  The upload took the base 64 and it seems the certificates are recognized properly.  I might have to open a case with TAC.

I'm not sure why most sites work fine but then who knows what other sites will give false errors.  I may just have to surf the internet all day to find out what works and what doesn't.

I'd try kicking the proxy... or anything that causes a proxy restart (change the WCCP log level, etc...)

I've seen it not pick up a cert until the proxy restarts.

Nope, I have made changes that said it requires proxy restart (like log level) but it still shows an error.

I even restarted the WSA appliance and it still errors out.

I have a yearly WSA healthcheck this Wednesday at 2 PM.  Not sure if I want to wait until then or open up a ticket with TAC sooner.

The site is categorized as Government and Law and for decryption policy it is set to Monitor.

You know what, it must be an issue with my Win 7 VM.  I tried it with a Windows 2008 R2 Server and it works fine.