unknown CA for kinesis.us-west-2.amazonaws.com

M370 running 12.7.1 Allow PFS is turned on.

I'm seeing the following SSL errors in my logs:

2021-10-05 09:35:36 Allow x.x.x.x https/tcp 50585 443 Internal VLAN Outside Connection ProxyInspect: HTTPS domain name match (InetUser.HTTPS-proxy.DeepPacket.Out-00) InetUser.HTTPS.DeepPacket.ProxyAction proc_id="https-proxy" rc="592" msg_id="2CFF-0003" proxy_act="InetUser.HTTPS.DeepPacket.ProxyAction" rule_name="Default" sni="kinesis.us-west-2.amazonaws.com" cn="" ipaddress="" src_user="user@DOMAIN.COM" geo_dst="USA" Traffic

2021-10-05 09:35:36 pxy 0x5b228a0-60146986 642: x.x.x.x:50585 -> [A t] {B}: Accept SSL Error [ret -1 | SSL err 1 | Details: ssl3_read_bytes/tlsv1 alert unknown ca] Domain: kinesis.us-west-2.amazonaws.com PFS: ALLOWED | ALLOWED Debug

2021-10-05 09:35:36 https-proxy 0x5b228a0-60146986 642: x.x.x.x:50585 -> [A t] {B} | 653: z.z.z.z:50585 -> [B t] {X}[]: Handler: Connection closing on SSL failure (Domain: kinesis.us-west-2.amazonaws.com) Debug

I'm surprised that it's an unknown CA for Amazon. Is there anything I can do to allow this through? I did a check on ssllabs.com and the chain checks out OK.


  • Options
    james.carsonjames.carson Moderator, WatchGuard Representative

    If for some reason this cert isn't included in the Firewall's cert bundle, you can install it by using FSM View -> Certificates, and import.
    -First, try clicking the button to update trusted CAs for proxies.
    -If that doesn't get it in the firewall, you can import it by clicking import certificate. Choose "General Use" when prompted.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.