12.6.2 certificate is revoked

Hi,

Okay, after upgrading a M370 cluster from 12.5.3U1 to 12.6.1 the webserver certificate i have installed suddenly got marked as revoked.

certd Certificate (subject=ou=Domain Control Validated,cn=*.kaufmann.dk) is revoked. msg_id="4001-0005"

Just to clarity - this certificate is NOT revoked and works fine. Works on all other fireboxes (not running 12.6.2) and IIS servers hosting kaufmann.dk. Ssllabs also test the certificate as valid.

So after messing around in policy manager in the certificate part, saving to firebox 3-4-5 times then suddenly the certificate starts to work.

There seems to be a issue with existing 3. party certificates when upgrading to 12.6.2. Don´t know how fireware suddenly as a 4. or 5. configuration save changes it´s mind and says the certificate is not revoked anymore.

/Robert

Comments

  • Yep, I see the same problem...
  • Michael_DittmannMichael_Dittmann WatchGuard Representative

    Hi Robert, Hi Kimmo,

    at first I couldn't reproduce this with a test certificate but then I was successful. It seems when the CRL distribution point URI and/or the Authority Access URI is not reachable the certificate is marked as revoked. So in your case Robert I believe it wasn't saving the configuration multiple times which fixed it just the time it took you during that time.
    I have opened a software defect to check on this.

    Best Regards,
    Michael Dittmann | WatchGuard Support

    Michael Dittmann
    WatchGuard Customer Support

  • Hi Michael,

    Then again i have a hard time believing Glabal Sign crl and/or Authority Access services not be reachable. I do no know what provider Kimmo is using, but 2 CA´s at the same time.

    Robert

  • @RVilhelmsen
    I had some DNS issues with my Azure lab….

  • Ich hatte das gleiche Problem mit dem Zertifikat mit Godaddy. Nach erneutem speichern hat er die Zertifikate akzeptiert.

  • edited August 2020

    Same issue on another cluster upgraded to 12.6.2 - still after 10 minuttes and my dns is working fine.
    This time i had to delete the certificate and CA certificate and reimport them for it to work again.

  • We also have the same problem after the upgrade via a m4600. Have tried deleting it and re-importing. no dice.

  • We have the same issue, please fix asap!

  • Hello
    same issue here
    but curiously, only one member from an active passive cluster had the issue

    reinstall the cert solved the problem

  • Just noticed this as well on 12.6.2 - we use Let's Encrypt certs on our WG which need to be updated on a regular basis. Turns out that the appliance didn't like the old cert being present in the inventory when importing the new one. Removing the old cert allowed the updated cert to be imported without issue.

  • Having the same Issue on A FireBoxV Version: 12.9.4 (Build 682007) After Ionos had some Database Maintanence

  • james.carsonjames.carson Moderator, WatchGuard Representative

    Hi @Jan
    I would suggest creating a support case for this issue, so that we can look into it. The specific issue this thread is about was corrected back in 2020.

    -James Carson
    WatchGuard Customer Support

Sign In to comment.