Keep getting Peer certificate preverify failed (err 20 : unable to get local issuer certificate)

I know there was just a discussion on this but maybe someone can verify that it's an issue. It happens with
https://www.firstservice.com/
https://www.viningsparks.com/

FWStatus, Peer certificate preverify failed (err 21 : unable to verify the first certificate) for [/C:US/ST:Tennessee/L:Memphis/O:Vining Sparks IBG LP/OU:IT/CN:*.viningsparks.com] (cert 0x141f9b0, store 0x1d6ed20), pri=3, proc_id=pxy, msg_id=

Comments

  • I see the same.

    For the 1st site, I see these in my logs:
    err 20 : unable to get local issuer certificate for [/C=CA/postalCode=M5S 2B4/ST=ON/L=Toronto/street=Suite 4000/street=1140 Bay St/O=FirstService Corporation/OU=IT/OU=Provided by Register.com/OU=Register.com PremiumSSL Wildcard/CN=*.firstservice.com]
    err 21 : unable to verify the first certificate

  • Ralph (WatchGuard Representative)

    Hello JellyKid,

    Same issue as in this thread.
    https://community.watchguard.com/watchguard-community/discussion/comment/1481#Comment_1481

    The issue is server side. You can fix it Firebox side by importing the missing intermediate certificates:
    -For https://www.firstservice.com, import this cert
    -For https://www.viningsparks.com, import this cert

  • I guess I don't understand why Chrome/Firefox and Windows all have the certs in their store but Watchguard doesn't. Why doesn't WG match what's in Windows certificate store? You can say it's server side but we are getting this issue more frequently. Am I going to have to start importing intermediate certs regularly?

  • "I guess I don't understand why Chrome/Firefox and Windows all have the certs in their store but Watchguard doesn't."

    The problem is in part that the sites don't have the certs they need, according to SSL Labs' tests. Combine that with not having them in the computer store, and you get the problem. Neither cert needed is in my computer cert store, nor in Chrome or IE, which pull from the store.

    https://www.ssllabs.com/ssltest/analyze.html?d=www.firstservice.com
    This site is missing the COMODO RSA Organization Validation Secure Server CA cert, and it's not in my Windows 10 Pro computer store either.

    https://www.ssllabs.com/ssltest/analyze.html?d=www.viningsparks.com
    This site is missing the Thawte RSA CA 2018 cert, and it's not in my Windows 10 Pro computer store either.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • Ralph (WatchGuard Representative)

    Hello JellyKid,

    "... Why doesn't WG match what's in Windows certificate store?...." Just like other vendors, WatchGuard utilizes a custom CA bundle. We try to keep the bundle as close as possible to bundles provided by mainstream browsers but there will be discrepancies from time to time.

    Intermediate certificates are the responsibility of the responding server and not the client.

    Browsers may cache previously seen intermediate certificates to fill in the chain. Firebox does not cache certificates.

    If you have users that access misconfigured web servers, then there's a higher chance of certificate validation failures occurring when Content Inspection is enabled.
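The two points above (the intermediate is the server's job to send, and a device that neither caches nor fetches intermediates can only complete the chain from its own bundle) can be reproduced offline. The script below is an added example, not code from this thread or from WatchGuard: it builds a constructed root -> intermediate -> leaf chain with made-up names (Example Test Root, Example Test Intermediate CA, www.example.test) using the openssl CLI (1.1.1 or later assumed), then verifies the leaf three ways: with only the leaf available (the misconfigured-server case, which fails with err 20), with the intermediate supplied as the peer would send it, and with the intermediate imported into the trust bundle, which is the Firebox-side fix Ralph describes. The last function only looks at a live site and needs network access; it is not run here.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL's "unable to get local issuer certificate"
# (err 20) with a constructed CA hierarchy, then show what makes it pass.
# All names, files and the hostname below are made up for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-contained config so the distribution's openssl.cnf cannot interfere.
cat > chain.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF

# Root CA (self-signed): this is the only thing in the client's trust store.
openssl req -x509 -config chain.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Example Test Root" -days 2

# Intermediate CA, signed by the root.
openssl req -new -config chain.cnf -newkey rsa:2048 -nodes \
    -keyout int.key -out int.csr -subj "/CN=Example Test Intermediate CA"
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 2 -extfile chain.cnf -extensions ca_ext -out int.pem

# Server (leaf) certificate, signed by the intermediate.
openssl req -new -config chain.cnf -newkey rsa:2048 -nodes \
    -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test"
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 2 -extfile chain.cnf -extensions leaf_ext -out leaf.pem

# Case 1: trust store holds the root, the server sent only its leaf.
# Fails: "error 20 at 0 depth lookup: unable to get local issuer certificate".
verify_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem 2>&1
}

# Case 2: correctly configured server, leaf + intermediate in the handshake.
# -untrusted is how openssl verify models "certificates supplied by the peer".
verify_with_served_intermediate() {
    openssl verify -CAfile root.pem -untrusted int.pem leaf.pem 2>&1
}

# Case 3: Firebox-side workaround, the intermediate imported into the
# device's own CA bundle so the proxy can complete the chain by itself.
verify_with_imported_intermediate() {
    cat root.pem int.pem > bundle_with_intermediate.pem
    openssl verify -CAfile bundle_with_intermediate.pem leaf.pem 2>&1
}

# Diagnosis against a real site (needs network, not run here): the
# "Certificate chain" section lists exactly what the server sends.
show_served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null
}

echo "--- leaf only (server-side misconfiguration) ---"
if verify_leaf_only; then echo "unexpected: verified"; else echo "FAILED as expected"; fi
echo "--- intermediate sent by server ---"
verify_with_served_intermediate
echo "--- intermediate imported into trust bundle ---"
verify_with_imported_intermediate
```

Err 20 is raised while OpenSSL builds the chain: it finds no issuer for the leaf either in the trust store or among the certificates the peer supplied. A verifier that keeps going after that, as the Firebox log shows it does, then reaches the signature check with a single non-self-signed certificate and reports err 21, "unable to verify the first certificate"; `openssl s_client` prints the same pair. Browsers avoid this because Chrome fetches the missing intermediate from the leaf's Authority Information Access URL and both Chrome and Firefox reuse intermediates they have already seen, which is the "piece of the pie" missing when the same site works in a browser but not through the proxy.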

  • edited November 8

    It's been happening almost every day. I just added another site to the exceptions list https://www.basiconline.com/ as that's the fastest way to fix the issue, rather than track down a whole bunch of intermediate certs.

    When I see the SSL Server test for all of the sites listed, they all say Mozilla, Apple, Android, Java, and Windows trusted the sites.

    So you can point fingers at misconfigured web servers all day, but if your box can't complete the chain and I have to import my own certificates or add HTTPS DPI exceptions constantly, then the issue is with WatchGuard. There are a lot of misconfigured things on the internet, but if we just took a dump every time we ran by one, nothing would work. I mean, look at how many email servers have misconfigured SPF/DKIM/DMARC; it's like half the internet.

  • Inspect expects things to be correct.
    With Inspect, the HTTPS proxy expects to see real HTTP protocol being used, and the correct cert chain.

  • JellyKid,

    We still have the fact that the certs you mention are not on my computer, but the sites work in Chrome for me.

    A piece of the pie is missing here.

    Gregg


  • edited November 9

    Sorry Gregg, I ate that piece of pie :wink:

    Does your Chrome session really use HTTPS and thus your HTTPS proxy, or perhaps it is using QUIC?
    I block QUIC on my firewall, and I can't get to that site using Chrome.
