New certificates, but "the name on the security certificate is invalid"

Hello! Our vendor recently generated new certificates for my company's site, which sits behind a Firebox. I used the internal portal to download the Fireware web CA certificate using these instructions, and then I downloaded the Fireware HTTPS Proxy as well. I deployed both to the Trusted Root CA on my computers using Group Policy, as detailed here. That went fine, and I see the certificates in the computer certificates on my Windows 10 PCs. However, Outlook users are still reporting that Security Alert windows pop up during the use of Outlook. The warnings have "outlook.office365.com" or "autodiscover-s.microsoft.com" at the top and state that information exchanged is still encrypted, but that there is a problem with the certificate. There are three sections below that, the top two with green checkmarks and the bottom with a red X. The X is next to "the name on the security certificate is invalid or does not match the name of the site." Has anyone seen this before and fixed it? It looks like my vendor didn't generate the certificates right, but I don't know firewalls well enough to state that.

Comments

  • On a client HTTPS proxy action, there is a checkbox "Enable Predefined Content Inspection Exceptions"
    Do you have the check box selected?

    The list includes *.office365.com and *.microsoft.com, which should prevent Inspect and thus the use of the firewall cert when accessing those sites.

  • @Bruce_Briggs said:
    On a client HTTPS proxy action, there is a checkbox "Enable Predefined Content Inspection Exceptions"
    Do you have the check box selected?

    Thank you for replying! I found my HTTPS proxy policy and looked at the Proxy Action Configuration attached to it. The "Enable Predefined Content" is greyed out, though there is a check in the box all the same. The Inspection Status says that both domain name rules and webblocker are off. It seems to me inspection is off for that proxy action.

    Just to see, I added a test site to the domain name rule and set its action to inspect. Once I did that, the "Enable Predefined Content" lit up and I could look at the default sites. I didn't save any of that.

  • If you are not using Inspect on a HTTPS proxy, then I don't know why your users are seeing this.
    Hopefully someone else will suggest something.

  • Do you have some software on your PCs which is proxying HTTPS connections, such as a protection suite?

  • My antivirus also provides HTTPS decryption and scanning. I'm testing with some changes there. I think the "Fireware CA" certificate was a red herring! I appreciate you replying.

  • james.carson Moderator, WatchGuard Representative

    If your AV software is doing content inspection on HTTPS, it's usually best to pick one or the other (the firewall, or the AV suite.) Trying to content inspect both is problematic, because the AV software is going to get the firebox's HTTPS proxy authority cert for almost every connection. It'll likely not trust it (because it's self-signed) or detect it as a man in the middle attack (which it technically is.)

    -James Carson
    WatchGuard Customer Support
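The thread's diagnosis hinges on two questions: which CA issued the certificate the client actually receives (Microsoft, the Firebox, or the AV suite), and whether that certificate's names cover the host Outlook asked for. The script below is an added example, not code from the thread or from WatchGuard; it uses only the Python standard library, its sample certificates are constructed, and the "Example AV HTTPS Scanner CA" and "Example Public CA" names are hypothetical placeholders.

```python
"""Diagnose the certificate a client really receives for a host: do its names cover
the host, and which CA (public, Firebox, AV suite) issued it? Added example for this
thread, not WatchGuard's code; probe() needs network access and is not used by tests."""
import socket
import ssl

# Inspection CA names from the thread (Firebox) plus a hypothetical AV-suite CA.
LOCAL_INSPECTION_CAS = {
    "Fireware HTTPS Proxy": "Firebox HTTPS proxy content inspection",
    "Fireware web CA": "Firebox web CA",
    "Example AV HTTPS Scanner CA": "endpoint AV HTTPS scanning (hypothetical name)",
}
# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns. The first is a
# re-signed cert whose names do not cover the requested host: Outlook's red X.
INTERCEPTED_CERT = {
    "issuer": ((("commonName", "Example AV HTTPS Scanner CA"),),),
    "subjectAltName": (("DNS", "outlook.office.com"), ("DNS", "*.office.com")),
}
COVERING_CERT = {  # constructed: wildcard SAN that does cover the host
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "*.office365.com"), ("DNS", "outlook.office365.com")),
}

def hostname_matches(hostname, pattern):
    """RFC 6125 rules: a leading '*' covers exactly one label; nothing else is a wildcard."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat) or "*" in pat[1:]:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat

def _cn(rdn_seq):
    return next((v for rdn in rdn_seq for k, v in rdn if k == "commonName"), "")

def diagnose(cert, hostname, local_cas=LOCAL_INSPECTION_CAS):
    """Same name check Windows performs, plus who issued the cert the client saw."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names = names or [_cn(cert.get("subject", ()))]  # SAN is authoritative; CN is a fallback
    issuer = _cn(cert.get("issuer", ()))
    return {"host": hostname, "name_ok": any(hostname_matches(hostname, n) for n in names),
            "presented_names": names, "issuer": issuer,
            "intercepted_by": local_cas.get(issuer)}  # None: public CA or uncatalogued interceptor

def probe(hostname, port=443):
    """Run from an affected PC: validates the chain against the platform trust store (so a
    GPO-deployed local CA passes, as in the thread) but leaves the name check to diagnose()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return diagnose(tls.getpeercert(), hostname)
```

Running `probe("outlook.office365.com")` on an affected PC shows whether the issuer is one of the Firebox CAs, the AV suite's CA, or a public CA, which is the quickest way to tell which product is re-signing the session.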
