Pxy Peer certificate preverify failed (err 20 and err 21) - How do I fix this?
Someone on the network is trying to connect to www.matrixgames.com. We are okay with this one, but we are getting these log messages on the Firebox.
2019-09-13 12:45:29 pxy Peer certificate preverify failed (err 20 : unable to get local issuer certificate) for [/jurisdictionC=GB/businessCategory=Private Organization/serialNumber=07254380/C=GB/ST=Surrey/L=Epsom/O=Matrix Games Limited/CN=www.matrixgames.com] (cert 0x10228218, store 0x101dce00)
2019-09-13 12:45:29 pxy Peer certificate preverify failed (err 21 : unable to verify the first certificate) for [/jurisdictionC=GB/businessCategory=Private Organization/serialNumber=07254380/C=GB/ST=Surrey/L=Epsom/O=Matrix Games Limited/CN=www.matrixgames.com] (cert 0x10228218, store 0x101dce00)
Any thoughts on how to fix this?
Adrian from Australia
Best Answers
I see the same.
Add an Allow entry on your HTTPS proxy for this.
I see this related to the cert issue:
Issued to:
CN = www.matrixgames.com
Issued by:
Fireware HTTPS Proxy: Unrecognized Certificate
I'm running XTM V12.5.1
5 -
Ralph WatchGuard Representative
Hello all,
These errors always indicate the proxy was unable to pre-validate the chain using certificates presented by the server and its own root CA bundle. Kind of like a browser would.
The server is misconfigured. It is not sending the intermediate certificate in its response.
1. Sent by server: www.matrixgames.com
2. Extra download: Go Daddy Secure Certificate Authority - G2
3. In trust store: Go Daddy Root Certificate Authority - G2 (Self-signed)
2 is the responsibility of the server. Both Firefox and Chrome have cert 2 in their bundles.
To mitigate, you can append the intermediate certificate to Firebox's CA bundle. Import it as a General Use certificate via FSM / View / Certificates / Import Certificate. Link to the certificate from GoDaddy's certificate repository: https://ssl-ccp.godaddy.com/repository/gdig2.crt.pem
I'll recommend that we add it to the next CA bundle update.
5 -
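The failure Ralph describes, rebuilt with a throwaway chain as an added example (not code from the thread or from WatchGuard): with only the root in the trust store and only the leaf presented, `openssl verify` reports err 20, the same code as the Firebox log, and supplying the intermediate either from the server side (`-untrusted`, what a correctly configured server achieves) or by appending it to the CA bundle (Ralph's mitigation) makes verification pass. The CA names and the `www.example.test` hostname are placeholders; it assumes `openssl` 1.1.1 or newer is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "unable to get local issuer
# certificate" failure with a throwaway PKI, then show the two fixes.
# Assumes openssl 1.1.1+ on PATH. All names below are constructed placeholders.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Key pair plus CSR for $1 with subject $2.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}
# Build root -> intermediate -> leaf; only the CA certs get CA:TRUE.
build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  csr root "/CN=Example Root CA" &&
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 2 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" >/dev/null 2>&1 &&
  csr int "/CN=Example Intermediate CA" &&
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1 &&
  csr leaf "/CN=www.example.test" &&
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 2 -sha256 -out "$WORK/leaf.pem" >/dev/null 2>&1
}
# The thread's situation: the server sends only its leaf and the trust store
# holds only the root, so nobody supplies the intermediate.
verify_leaf_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}
# Pull the X509_V_ERR code from the output; 20 = unable to get local issuer certificate.
error_code() {
  verify_leaf_only | sed -n 's/.*error \([0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1
}
# Fix 1 (server side): the server presents the intermediate together with the leaf.
verify_with_served_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem"
}
# Fix 2 (Ralph's mitigation): append the intermediate to the verifier's CA bundle.
verify_with_bundled_intermediate() {
  cat "$WORK/root.pem" "$WORK/int.pem" >"$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/bundle.pem" "$WORK/leaf.pem"
}

build_chain || { echo "chain build failed" >&2; exit 1; }
echo "leaf only, root-only store: error $(error_code)"   # -> "... error 20"
verify_with_served_intermediate                           # -> ".../leaf.pem: OK"
verify_with_bundled_intermediate                          # -> ".../leaf.pem: OK"
```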
@Ralph said:
Hello all,
These errors always indicate the proxy was unable to pre-validate the chain using certificates presented by the server and its own root CA bundle. Kind of like a browser would.
The server is misconfigured. It is not sending the intermediate certificate in its response.
1. Sent by server: www.matrixgames.com
2. Extra download: Go Daddy Secure Certificate Authority - G2
3. In trust store: Go Daddy Root Certificate Authority - G2 (Self-signed)
2 is the responsibility of the server. Both Firefox and Chrome have cert 2 in their bundles.
To mitigate, you can append the intermediate certificate to Firebox's CA bundle. Import it as a General Use certificate via FSM / View / Certificates / Import Certificate. Link to the certificate from GoDaddy's certificate repository: https://ssl-ccp.godaddy.com/repository/gdig2.crt.pem
I'll recommend that we add it to the next CA bundle update.
Thank you Ralph. That worked perfectly..
Adrian from Australia
0
Answers
Thanks Bruce..
Adrian from Australia
Hmmm.. Did not work for me.. I need to go out on a job now, but I will have another look when I return...
Adrian from Australia
Using Chrome, I can get to that site after bypassing the cert warnings. I am running 12.5.1 as well with HTTPS/DPI. The address bar shows Not Secure.
Gregg Hill
I get that too, but it's not what you normally have to do when you exempt a site from inspection.. I will do some more poking around tomorrow.. Off to lunch soon..
Adrian from Australia
Yum, lunch
Breakfast Creek Hotel too..
Adrian from Australia
Missed it when I was in Brisbane - but I was in a camper van at that time - roughing it. No fancy places for the wife and me!
Cooking on the barbeeeee at the caravan sites.
They have a coffee shop there for Gregg too.. No Starbucks - not big down here.. Their beers were, but not the coffee..
Adrian from Australia
Unfortunately, I'll never make it down there to have a cup with you, Adrian. Well, at least not by air. If I win the lottery, maybe we'll take a cruise there. That probably won't be any time soon...because I don't play the lottery. I'll always be with you in spirit, though!
Gregg Hill