unknown CA for kinesis.us-west-2.amazonaws.com
M370 running 12.7.1; Allow PFS is turned on.
I'm seeing the following SSL errors in my logs:
2021-10-05 09:35:36 Allow x.x.x.x 34.223.45.83 https/tcp 50585 443 Internal VLAN Outside Connection ProxyInspect: HTTPS domain name match (InetUser.HTTPS-proxy.DeepPacket.Out-00) InetUser.HTTPS.DeepPacket.ProxyAction proc_id="https-proxy" rc="592" msg_id="2CFF-0003" proxy_act="InetUser.HTTPS.DeepPacket.ProxyAction" rule_name="Default" sni="kinesis.us-west-2.amazonaws.com" cn="" ipaddress="34.223.45.83" src_user="user@DOMAIN.COM" geo_dst="USA" Traffic
2021-10-05 09:35:36 pxy 0x5b228a0-60146986 642: x.x.x.x:50585 -> 34.223.45.83:443 [A t] {B}: Accept SSL Error [ret -1 | SSL err 1 | Details: ssl3_read_bytes/tlsv1 alert unknown ca] Domain: kinesis.us-west-2.amazonaws.com PFS: ALLOWED | ALLOWED Debug
2021-10-05 09:35:36 https-proxy 0x5b228a0-60146986 642: x.x.x.x:50585 -> 34.223.45.83:443 [A t] {B} | 653: z.z.z.z:50585 -> 34.223.45.83:443 [B t] {X}[]: Handler: Connection closing on SSL failure (Domain: kinesis.us-west-2.amazonaws.com) Debug
I'm surprised that it's an unknown CA for Amazon. Is there anything I can do to allow this through? I did a check on ssllabs.com and the chain checks out OK.
Comments
If for some reason this cert isn't included in the Firewall's cert bundle, you can install it by using FSM View -> Certificates, and import.
- First, try clicking the button to update trusted CAs for proxies.
- If that doesn't get it in the firewall, you can import it by clicking import certificate. Choose "General Use" when prompted.
- James Carson
WatchGuard Customer Support
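The failure in the thread is a trust-store problem, not a bad chain: the proxy sends "unknown ca" because the issuing CA is absent from its own bundle, which is why SSL Labs (using a different trust store) still reports the chain as fine. The script below is an added example, not code from this thread or from WatchGuard: it builds a throwaway issuing CA and leaf certificate with openssl, verifies the leaf against a bundle that lacks the issuer (fails, the verify-side counterpart of the proxy's alert), then against the same bundle with the issuer appended (succeeds), which is what importing the CA into the firewall achieves. The hostname kinesis.example.test, the CA names and all file paths are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: demonstrate why a valid chain is still rejected
# when the verifier's trust bundle lacks the issuing CA, and that adding the CA fixes it.
set -e
WORK=$(mktemp -d)

# Build a throwaway self-signed CA: $1 = file basename, $2 = subject CN (constructed).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# Issue a leaf certificate for hostname $1, signed by the CA whose basename is $2.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify the leaf against trust bundle $1, as a proxy does before accepting a server chain.
# Returns 0 on success; on failure prints OpenSSL's reason and returns 1.
verify_leaf() {
  if openssl verify -CAfile "$1" "$WORK/leaf.pem" >"$WORK/err" 2>&1; then
    return 0
  fi
  sed -n 's/.*depth lookup: *//p' "$WORK/err" | head -n 1
  return 1
}

# Scenario from the thread: the server's issuer is a CA the bundle does not contain.
make_ca issuer "Constructed Issuing CA"
make_ca other  "Constructed Unrelated Root CA"
make_leaf kinesis.example.test issuer
cp "$WORK/other.pem" "$WORK/bundle.pem"                              # bundle without the issuer
cat "$WORK/other.pem" "$WORK/issuer.pem" > "$WORK/bundle-fixed.pem"  # bundle after importing the CA

printf 'bundle without issuer: '; verify_leaf "$WORK/bundle.pem" || true
printf 'bundle with issuer:    '; verify_leaf "$WORK/bundle-fixed.pem" && echo "ok"
```

The first verification fails with "unable to get local issuer certificate"; the second passes once the issuer is in the bundle.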