Certificate Chain Incomplete - inbound proxy

M370 v12.9.4

We use a number of inbound proxies to manage traffic into webservers, and all has been good using a wildcard cert for years, over upgrades and cert replacements.

Last weekend, the CA decided to revoke our certificate due to the way they validated the domain no longer being deemed secure.

I got a new cert issued, using IIS to create the CSR and then exported a PFX, as I have done numerous times before. I imported along with the intermediate and all seemed to be OK. That is until some apps that connect in to our servers began to fail, one specifically with a cert error.

Performing an SSL check (Qualys) showed that the cert chain is incomplete and the intermediate cert is not being presented by the WatchGuard proxy.

I have tested using HTTP filters, and IIS passes the SSL test (i.e. presents the intermediate). Similarly, my NetScaler is fine as you build the links manually. The apps work again using a filter, so the chain issue must be causing the problem.

I have tried importing the inter and leaf certs in every way I can think of but with the same result.

I have never had this issue before, and intend to upgrade the version to latest (12.104 U2 at time of writing), but this has to be out of hours.

Does anyone have any experience or ideas?

Thanks!

Comments

  • james.carson Moderator, WatchGuard Representative

    I'd check to see if the PFX file includes the intermediate certs -- (I believe the Windows viewer will show you what's actually included.)

    Loading the cert manually can help (via pem files), but you must load the certs in order for this to work.

    If the issue persists, I'd suggest opening a support case so that our team can take a look and assist.

    -James Carson
    WatchGuard Customer Support

  • Yes, I've installed the certs every which way - PFX chain, inter then PFX, PEMs. I'll try the firmware update and raise a case if it isn't fixed.

  • Upgrade to v12.10.4 has fixed the problem, so definitely a bug in 12.9.4.
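
An added example, not part of the thread and not WatchGuard code: a shell function that takes a PEM bundle (for instance one dumped from a PFX), lists its certificates from the leaf upward, and names the first issuer that is absent, which is how a missing intermediate shows up before anything is imported. It assumes the openssl CLI; `chain_walk` and the file names are hypothetical. A bundle that stops below a public root is normal, so read the "missing" line for whether it names a root or an intermediate.

```shell
#!/bin/sh
# Added example. Usage: chain_walk bundle.pem
# A PFX can be dumped to such a bundle first (file names are placeholders):
#   openssl pkcs12 -in site.pfx -nokeys -out bundle.pem
# Links are matched by subject/issuer name hash only; signatures are not verified.
chain_walk() {
    bundle=$1
    dir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: c1.pem, c2.pem, ...
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/c" n ".pem") }' "$bundle"
    # Index each certificate as "h<subject_hash> h<issuer_hash> <number>".
    total=0
    : > "$dir/index"
    while [ -f "$dir/c$((total + 1)).pem" ]; do
        total=$((total + 1))
        f="$dir/c$total.pem"
        echo "h$(openssl x509 -in "$f" -noout -subject_hash)" \
             "h$(openssl x509 -in "$f" -noout -issuer_hash)" "$total" >> "$dir/index"
    done
    # The leaf is the certificate that no other certificate names as its issuer.
    n=$(awk 'NR == FNR { if ($1 != $2) issuers[$2] = 1; next }
             !($1 in issuers) { print $3; exit }' "$dir/index" "$dir/index")
    status=1; steps=0
    # The step limit stops the walk if cross-signed certificates form a loop.
    while [ -n "$n" ] && [ "$steps" -lt "$total" ]; do
        steps=$((steps + 1))
        f="$dir/c$n.pem"
        openssl x509 -in "$f" -noout -subject
        set -- $(awk -v n="$n" '$3 == n { print $1, $2 }' "$dir/index")
        if [ "$1" = "$2" ]; then
            echo "end: self-signed root"; status=0; break
        fi
        # Look for the certificate whose subject matches this issuer.
        n=$(awk -v ih="$2" '$1 == ih { print $3; exit }' "$dir/index")
        if [ -z "$n" ]; then
            printf 'missing: '; openssl x509 -in "$f" -noout -issuer
        fi
    done
    rm -rf "$dir"
    return "$status"
}
```

The function returns 0 only when the walk reaches a self-signed certificate and 1 when an issuer is not in the bundle.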
