Pxy Peer certificate preverify failed (err 20 and err 21) - How do I fix this?

Someone on the network is trying to connect to www.matrixgames.com. We are okay with this one, but we are getting these log messages on the Firebox.

2019-09-13 12:45:29 pxy Peer certificate preverify failed (err 20 : unable to get local issuer certificate) for [/jurisdictionC=GB/businessCategory=Private Organization/serialNumber=07254380/C=GB/ST=Surrey/L=Epsom/O=Matrix Games Limited/CN=www.matrixgames.com] (cert 0x10228218, store 0x101dce00)

2019-09-13 12:45:29 pxy Peer certificate preverify failed (err 21 : unable to verify the first certificate) for [/jurisdictionC=GB/businessCategory=Private Organization/serialNumber=07254380/C=GB/ST=Surrey/L=Epsom/O=Matrix Games Limited/CN=www.matrixgames.com] (cert 0x10228218, store 0x101dce00)

Any thoughts on how to fix this?

Adrian from Australia

Best Answers

  • Accepted Answer

    @Ralph said:
    Hello all,

    These errors always indicate the proxy was unable to pre-validate the chain using certificates presented by the server and its own root CA bundle. Kind of like a browser would.
    The server is misconfigured. It is not sending the intermediate certificate in its response.

    1 Sent by server www.matrixgames.com
    2 Extra download Go Daddy Secure Certificate Authority - G2
    3 In trust store Go Daddy Root Certificate Authority - G2 Self-signed

    2 is the responsibility of the server. Both Firefox and Chrome have cert 2 in their bundles.

    To mitigate, you can append the intermediate certificate to Firebox's CA bundle. Import it as a General Use certificate via FSM / View / Certificates / Import Certificate. Link to the certificate from GoDaddy's certificate repository: https://ssl-ccp.godaddy.com/repository/gdig2.crt.pem

    I'll recommend that we add it to the next CA bundle update.

    Thank you Ralph. That worked perfectly..

    Adrian from Australia
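The chain problem Ralph describes, reproduced as an added example (this is not code from the thread, WatchGuard, or GoDaddy): a throwaway root, intermediate and leaf are generated with the openssl CLI, and the leaf is verified three ways: leaf alone against a root-only bundle (the Firebox's situation, which yields OpenSSL's err 20), leaf plus intermediate supplied by the server (the proper server-side fix), and leaf alone against a bundle with the intermediate appended (the client-side mitigation from the accepted answer). All names, paths and the www.example.test hostname are constructed for the demo; it assumes openssl 1.1.1 or 3.x is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the Firebox's err 20 with a
# throwaway PKI and show the two ways the chain can be completed.
# Requires the openssl CLI (1.1.1 or 3.x). All names are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/chain-demo.$$"
mkdir -p "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:www.example.test\n' > "$WORK/leaf.ext"

# Generate an RSA key and a CSR for the given subject.
make_csr() {   # make_csr <name> <subject>
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/req.cnf" \
        -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Build: self-signed root -> intermediate -> leaf, the same three-tier shape
# as GoDaddy G2 root -> GoDaddy Secure CA G2 -> www.matrixgames.com.
build_demo_pki() {
    make_csr root "/CN=Demo Root CA"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
    make_csr intermediate "/CN=Demo Intermediate CA"
    openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null
    make_csr leaf "/CN=www.example.test"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf against a trust bundle. Extra arguments are passed to
# openssl verify (e.g. -untrusted <file> stands in for certs the server sends).
# Prints "OK" or the X509 verify error number; always exits 0.
verify_leaf() {   # verify_leaf <bundle> [openssl verify options...]
    bundle="$1"; shift
    if out=$(openssl verify -CAfile "$bundle" "$@" "$WORK/leaf.pem" 2>&1); then
        echo OK
    else
        echo "$out" | sed -n 's/^error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1
    fi
}

# Scenario 1: trust store holds only the root, server sent only the leaf.
# This is the Firebox's situation: err 20, unable to get local issuer certificate.
broken_server() { verify_leaf "$WORK/root.pem"; }

# Scenario 2: the server-side fix. The server also sends the intermediate; the
# verifier treats it as untrusted input and uses it to bridge up to the root.
fixed_server() { verify_leaf "$WORK/root.pem" -untrusted "$WORK/intermediate.pem"; }

# Scenario 3: the client-side mitigation from the thread. Append the
# intermediate to the CA bundle so the verifier finds the issuer locally.
patched_bundle() {
    cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/bundle.pem"
    verify_leaf "$WORK/bundle.pem"
}

build_demo_pki
echo "leaf only, root-only bundle      : $(broken_server)"
echo "leaf + intermediate from server  : $(fixed_server)"
echo "leaf only, intermediate in bundle: $(patched_bundle)"
```

Scenario 3 is why importing the GoDaddy G2 intermediate into the Firebox's bundle makes the log messages stop: the proxy no longer depends on the server to supply the issuer. The server-side fix (scenario 2) is still the correct one, because every other client that lacks the intermediate in its own store hits the same failure.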

Answers

  • Thanks Bruce..

    Adrian from Australia

  • Hmmm.. Did not work for me.. I need to go out on a job now, but I will have another look when I return...

    Adrian from Australia

  • Using Chrome, I can get to that site after bypassing the cert warnings. I am running 12.5.1 as well with HTTPS/DPI. The address bar shows Not Secure.

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2

  • I get that too, but it's not what you normally have to do when you exempt a site from inspection.. I will do some more poking around tomorrow.. Off to lunch soon..

    Adrian from Australia

  • Yum, lunch

  • Breakfast Creek Hotel too.. :)

    Adrian from Australia

  • Missed it when I was in Brisbane - but I was in a camper van at that time - roughing it. No fancy places for the wife and me!
    Cooking on the barbeeeee at the caravan sites.

  • They have a coffee shop there for Gregg too.. No Starbucks - not big down here.. Their bears were, but not the coffee.. :D

    Adrian from Australia

  • Unfortunately, I'll never make it down there to have a cup with you, Adrian. Well, at least not by air. If I win the lottery, maybe we'll take a cruise there. That probably won't be any time soon...because I don't play the lottery. I'll always be with you in spirit, though!

    Gregg Hill

    Firebox T15/T35-W
    Fireware 12.5.1 build 601804
    WSM 12.5.1 build 601717
    ISP = Spectrum Cable 100 x 10 service
    Management computers: Win 8.1 Pro 64-bit, Win 10 Pro 64-bit, Server 2012 R2
