Auth portal cert error
My users receive certificate errors when they try to log in to the Firebox. I don't want them to ignore certificate errors. What can I do?
- Greg Gilbraith
Best Answer
Eugene_ WatchGuard Representative
Hello Greg,
If you are trying to log into the Firebox with the WebUI and getting a certificate error, this is expected. The Firebox comes with self-signed certificates that are used to load web pages that are hosted on the Firebox (i.e. WebUI, Authentication Portal, SSL VPN download page, etc).
To avoid getting the certificate error message when loading one of the web pages hosted by the Firebox you can do a few things.
1. Import the Self-signed Root CA certificate onto your computer (and/or use GPO to distribute the certificate to all computers on the domain)
2. Replace the Web Server certificate on the firebox with a 3rd party one that is signed by a Certificate Authority (CA).
For more information on certificates, how they work and how they relate to the firebox please see the following video tutorial.
http://www.watchguard.com/help/video-tutorials/Certs-Intro/index.html
If you have a Web Server certificate signed by a CA, you can import it using the steps in the following documentation:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/thirdparty_webserver_certificate_c.html
Remember when importing a Web Server certificate to import the Root CA and Intermediate certificates first!
Cheers,
Eugene Torre | Support Engineer
5
Answers
Hello,
Even installing the certificate for each user I am getting the following error in the certificate "the security certificate presented by this website was issued for a different website's address", does anyone know the reason?
Regards.
Yes. I tried to install the certificate in "Trusted Root Certificates Authorities", but even after that import, the issue continues. The browser now shows the certificate as valid, but the message of "NET::ERR_CERT_COMMON_NAME_INVALID" continues.
Exactly the same here. I finally got round to doing as instructed to fix it, only for it to continue saying NET::ERR_CERT_COMMON_NAME_INVALID
Showing more information I get:
"This server could not prove that it is x.x.x.x; its security certificate does not specify Subject Alternative Names. "
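An added example, not part of any post in this thread: the Chrome message quoted above is about the certificate's subjectAltName (SAN) extension, which is separate from whether the issuing CA is trusted. The script below checks a certificate file for a SAN entry matching the address users type; the function names, file names and sample addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: diagnose NET::ERR_CERT_COMMON_NAME_INVALID on a certificate
# whose CA is already trusted. Chrome matches the address in the URL against
# subjectAltName (SAN) and ignores the subject CN.

# Print the certificate's SAN entries one per line, e.g. "DNS:fw.example.test"
# or "IP Address:10.0.1.1". Prints nothing when the extension is absent.
san_entries() {
    openssl x509 -noout -text -in "$1" 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        tail -n +2 | tr ',' '\n' | sed -e 's/^ *//' -e 's/ *$//'
}

# $1 = PEM file, $2 = hostname or IPv4 address exactly as typed in the URL.
# Returns 0 = listed, 1 = SAN present but address missing, 2 = no SAN at all.
# Exact match only: wildcard entries and IPv6 are not handled.
san_covers() {
    entries=$(san_entries "$1")
    if [ -z "$entries" ]; then
        echo "$1: no subjectAltName (the error Chrome reports)" >&2
        return 2
    fi
    case "$2" in
        *[!0-9.]*) want="DNS:$2" ;;         # anything but digits and dots
        *)         want="IP Address:$2" ;;
    esac
    printf '%s\n' "$entries" | grep -qixF "$want" && return 0
    echo "$1: SAN does not list $2" >&2
    return 1
}

# Constructed sample input: a throwaway self-signed certificate.
# $1 = output PEM, $2 = subject CN, $3 = optional subjectAltName value.
make_sample_cert() {
    key=$(mktemp) || return 1
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -addext "subjectAltName=$3" -keyout "$key" -out "$1" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$key" -out "$1" 2>/dev/null
    fi
    rc=$?; rm -f "$key"; return "$rc"
}

# Command-line use (file name is an assumption): sh check_san.sh portal.pem 10.0.1.1
if [ "$#" -eq 2 ]; then san_covers "$1" "$2"; fi
```

To test the certificate the portal actually serves, save it first with `openssl s_client -connect <firebox>:4100 </dev/null | openssl x509 -out portal.pem` and pass that file as the first argument.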
What do you see if you use a web browser other than Chrome?
How did you resolve this issue? I am having the same issue right now.
Have you imported the firewall Fireware web CA cert into your PC?
Yes, I did. Still not redirecting to the authentication page.
Here are some details; maybe it is a different issue.
These are the policies that were set by the supplier..
I have these users in firebox-db just for testing..
I have 2 aliases also, server farm and office vlan, so that they will be exempted for the testing.. I made the IP of my test device separate from the office vlan and the server farm.
The test PC shows that it is not able to connect to the internet. That's good already, but what I wanted is that I will automatically redirect the user to the authentication portal... at 4100.. but it's not redirecting automatically.
I checked the traffic management logs and this is the result.
It seems that it is being denied at port 4102.. Based on some forums, 4102 is the HTTPS redirect.. It seems not to work.. What could be wrong?
Thank you by the way for the reply
To address the "NET::ERR_CERT_COMMON_NAME_INVALID" shown in a web browser - see this video:
Resolve Firebox Certificate Warnings
https://www.watchguard.com/help/video-tutorials/Certs-Resolve_Errors/index.html
I just tried creating my own self-signed CA cert as per the video, and that does work for most web browsers, such as Chrome, Edge, Opera & Brave, but not for Firefox, as it has its own cert store.
Even having the Firefox config option of security.enterprise_roots.enabled set to True, it didn't work as desired. I had to import the cert into the Firefox Authorities cert store or "Accept the risk and continue" which adds the cert to "Servers" store.
Hi, good day. Thank you for your help.
I created the CA based on the video.. added it also as root cert.. still I am facing the HSTS page..