Keep getting Peer certificate preverify failed (err 20 : unable to get local issuer certificate)

I know there was just a discussion on this but maybe someone can verify that it's an issue. It happens with
https://www.firstservice.com/
https://www.viningsparks.com/

FWStatus, Peer certificate preverify failed (err 21 : unable to verify the first certificate) for [/C:US/ST:Tennessee/L:Memphis/O:Vining Sparks IBG LP/OU:IT/CN:*.viningsparks.com] (cert 0x141f9b0, store 0x1d6ed20), pri=3, proc_id=pxy, msg_id=

Comments

  • I see the same.

    For the 1st site, I see these in my logs:
    err 20 : unable to get local issuer certificate for [/C=CA/postalCode=M5S 2B4/ST=ON/L=Toronto/street=Suite 4000/street=1140 Bay St/O=FirstService Corporation/OU=IT/OU=Provided by Register.com/OU=Register.com PremiumSSL Wildcard/CN=*.firstservice.com]
    err 21 : unable to verify the first certificate

  • RalphRalph WatchGuard Representative

    Hello JellyKid,

    Same issue as in this thread.
    https://community.watchguard.com/watchguard-community/discussion/comment/1481#Comment_1481

    The issue is server side. You can fix it Firebox side by importing missing intermediate certificates:
    -For https://www.firstservice.com, import this cert
    -For https://www.viningsparks.com, import this cert

  • I guess I don't understand why Chrome/Firefox and Windows all have the certs in their store but Watchguard doesn't. Why doesn't WG match what's in Windows certificate store? You can say it's server side but we are getting this issue more frequently. Am I going to have to start importing intermediate certs regularly?

  • "I guess I don't understand why Chrome/Firefox and Windows all have the certs in their store but Watchguard doesn't."

    The problem is in part that the sites don't have the certs they need, according to SSL Labs' tests. Combine that with not having them in the computer store, and you get the problem. Neither cert needed is in my computer cert store, nor Chrome or IE that pull from the store.

    https://www.ssllabs.com/ssltest/analyze.html?d=www.firstservice.com
    This site is missing the COMODO RSA Organization Validation Secure Server CA cert, and it's not in my Windows 10 Pro computer store either.

    https://www.ssllabs.com/ssltest/analyze.html?d=www.viningsparks.com
    This site is missing the Thawte RSA CA 2018 cert, and it's not in my Windows 10 Pro computer store either.

    Gregg Hill

  • RalphRalph WatchGuard Representative

    Hello JellyKid,

    "... Why doesn't WG match what's in Windows certificate store?...." Just like other vendors, WatchGuard utilizes a custom CA bundle. We try to keep the bundle as close as possible to bundles provided by mainstream browsers but there will be discrepancies from time to time.

    Intermediate certificates are the responsibility of the responding server and not the client.

    Browsers may cache previously seen intermediate certificates to fill in the chain. Firebox does not cache certificates.

    If you have users that access misconfigured web servers, then there's a higher chance of certificate validation failures occurring when Content Inspection is enabled.
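The missing-intermediate failure described above, reproduced offline with a constructed three-certificate chain (root, intermediate, leaf). This is an added example, not the thread's or WatchGuard's code; it assumes the `openssl` command-line tool is installed, and the CA names, the `www.example.test` host and the `chain_status` helper are all made up for the demo.

```shell
#!/bin/sh
# Added example, not from this thread: a throwaway PKI built with openssl to
# reproduce "err 20 : unable to get local issuer certificate". The client
# trusts only the root, like a Firebox CA bundle; the leaf verifies only when
# the intermediate is supplied too, which is what a correctly configured TLS
# server does by sending its full chain.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the constructed CA certs and for the constructed leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Root CA, self-signed. Only this cert goes into the client's trust store.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1

# Intermediate CA, issued by the root. The server is expected to send this.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.pem >/dev/null 2>&1

# Leaf (server) cert, issued by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# chain_status LEAF [UNTRUSTED_BUNDLE]: prints OK when LEAF chains to the
# trusted root, otherwise the OpenSSL verify error number. The bundle plays
# the role of the intermediates a TLS server sends alongside its leaf.
chain_status() {
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile root.pem -untrusted "$2" "$1" 2>&1 || true)
  else
    out=$(openssl verify -CAfile root.pem "$1" 2>&1 || true)
  fi
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

echo "leaf only:           $(chain_status leaf.pem)"          # 20, as in the thread's log
echo "leaf + intermediate: $(chain_status leaf.pem int.pem)"  # OK
```

Importing `int.pem` into the client's trusted bundle, as Ralph suggests for the Firebox, makes the "leaf only" case pass as well, at the cost of having to track every such intermediate yourself.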

  • edited November 2019

    It's been happening almost every day. I just added another site to the exceptions list https://www.basiconline.com/ as that's the fastest way to fix the issue, rather than track down a whole bunch of intermediate certs.

    When I see the SSL Server test for all of the sites listed, they all say Mozilla, Apple, Android, Java, and Windows trusted the sites.

    So you can point fingers at misconfigured web servers all day but if your box can't complete the chain and I have to import my own certificates or add HTTPS DPI exceptions constantly, then the issue is with Watchguard. There are a lot of misconfigured things on the internet but if we just took a dump every time we ran by one nothing would work. I mean look at how many email servers have misconfigured SPF/DKIM/DMARC, it's like half the internet.

  • Inspect expects things to be correct.
    With Inspect, the HTTPS proxy expects to see real HTTP protocol being used, and the correct cert chain.

  • JellyKid,

    We still have the fact that the certs you mention are not on my computer, but the sites work in Chrome for me.

    A piece of the pie is missing here.

    Gregg

    Gregg Hill

  • edited November 2019

    Sorry Gregg, I ate that piece of pie :wink:

    Does your Chrome session really use HTTPS and thus your HTTPS proxy, or perhaps it is using QUIC?
    I block QUIC on my firewall, and I can't get to that site using Chrome.

  • edited June 2020

    I had this issue too and have a support case with Watchguard. The offered advice didn't fix things, i.e. (just) manually importing CA and intermediate certificates.

    Reading through postings from my SSL certificate supplier I found that CA and intermediate certificates can cause conflicts when both the new and old CA are present in your CA store. It is written in Dutch, so use Google Translate when needed:
    https://www.sslcertificaten.nl/support/IIS_FAQ/IIS_-_Uitschakelen_conflicterend_Comodo_root_certificaat

    So BEFORE an old CA has expired, don't add the new CA. AFTER an old CA has expired, remove the old one from your CA store and add the new CA. Intermediates also, when needed.

    I now removed the expired CAs from my Firebox, which led to the aforementioned sites firstservice and viningsparks working fine, which immediately before removing the old expired CAs from the Firebox wasn't the case.

    That said, we also use competing firewalls, which manage to update the CA certificates automatically, as the checkbox "Enable automatic updates of trusted CA certificates" on Fireboxes also seems to be capable of, but in fact they don't. Even after hitting the button "UPDATE NOW".

    Happy to find a better solution for disabling inspection for websites with CA certificate issues :-)
