GFI Software

Welcome to the GFI Software community forum! For support please open a ticket from https://support.gfi.com.

Home » GFI User Forums » Kerio Control » Root CA let's encrypt and SSL inspection
Root CA let's encrypt and SSL inspection [message #150362] Tue, 12 October 2021 08:07 Go to next message
kimiko1086 is currently offline  kimiko1086
Messages: 9
Registered: March 2018
Good morning,
For about 2 weeks, many Kerio Control customers with ssl inspection have complained that many websites they use are detected as unsafe, I'll give you an example

https://www.mio-ip.it/

the problem seems to be created by the expired let's encrypt root certificate present in Kerio Control, I tried to upload the new certificate but the problem persists, do you have any ideas?

Thank you
dialog-warning.png  Re: Root CA let's encrypt and SSL inspection [message #150389 is a reply to message #150362] Tue, 19 October 2021 18:13 Go to previous messageGo to next message
Pavel Sevcik is currently offline  Pavel Sevcik
Messages: 3
Registered: September 2015
Hello,
having exactly the same problem. I suceed via SSH to upload Root CAs (By renaming the PEM to CRT, because the folder /opt/kerio/winroute/sslcert/builtin/ does accept only CET files in PEM format) = suceed to add certificates (both R3 and ISRG Root X1) ... but still there is some problem which seems to be blocking it working ... see DEBUG log below ... please let me know if you have any ideas ... when I manually checked the certificate from root.cz it match the SHA-1 8e0e08eb703dd7e05772a3decb671adacb5d48d6, but which the debug log below is saying it is not valid. For me this is not about mising CA certificate (as I do have them), but about a way how Kerio Control is verifing the SHA-1 in the certficiate chain? ... may be LetsEncrypt changed something? For other comercial SSL certificates this works fine (DigiCert and all others) ... having problem just with recently introduced new certificates from LetsEncrypt ...

[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Going to verify identity of peer's server root.cz.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Checking certificate chain root.cz | R3 | ISRG Root X1
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Building own X509 store context ...
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Failed to verify SSL certificate: (19) self signed certificate in certificate chain
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Searching for alternative issuer
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Let's Encrypt/CN=R3' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] No new issuer found, skipping...
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: 2 certificates on disk.
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: serialized. Cache size: 2
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL certificate with 8e0e08eb703dd7e05772a3decb671adacb5d48d6 SHA-1 fingerprint from server is not valid.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Created certificate with CN and SubjAltNames, but without other requisites.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL handshake state changed from ServerHandshakeStarted to ServerError
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Error in SSL communication (5).
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL handshake with server root.cz failed.
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL handshake state changed from ServerError to ClientHandshakeContinueError
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] SSL context swapped successfully
[18/Oct/2021 20:35:23] {http_handler} [ 77 ] Cipher selected by server: ECDHE-RSA-AES128-GCM-SHA256.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Going to verify identity of peer's server root.cz.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Checking certificate chain root.cz | R3 | ISRG Root X1
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Building own X509 store context ...
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Failed to verify SSL certificate: (19) self signed certificate in certificate chain
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Searching for alternative issuer
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Issuer '/C=US/O=Let's Encrypt/CN=R3' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Issuer '/C=US/O=Internet Security Research Group/CN=ISRG Root X1' found in between user/builtin certificates.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Peer's certificate chain is complete.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] No new issuer found, skipping...
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: 2 certificates on disk.
[18/Oct/2021 20:35:23] {http_handler} DownloadCertCache: serialized. Cache size: 2
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL certificate with 8e0e08eb703dd7e05772a3decb671adacb5d48d6 SHA-1 fingerprint from server is not valid.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Created certificate with CN and SubjAltNames, but without other requisites.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL handshake state changed from ServerHandshakeStarted to ServerError
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Error in SSL communication (5).
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL handshake with server root.cz failed.
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL handshake state changed from ServerError to ClientHandshakeContinueError
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] SSL context swapped successfully
[18/Oct/2021 20:35:23] {http_handler} [ 76 ] Cipher selected by server: ECDHE-RSA-AES128-GCM-SHA256.
Re: Root CA let's encrypt and SSL inspection [message #150828 is a reply to message #150389] Thu, 13 January 2022 12:51 Go to previous messageGo to next message
VERRIER is currently offline  VERRIER
Messages: 1
Registered: January 2022
Hi,

I have exactly the same problem.

Do you find a solution?

Best regards
Re: Root CA let's encrypt and SSL inspection [message #150833 is a reply to message #150828] Thu, 13 January 2022 13:39 Go to previous messageGo to next message
kimiko1086 is currently offline  kimiko1086
Messages: 9
Registered: March 2018
To resolve the issue, kindly update the CA certificates on the Kerio Control side by following the below steps:

Download the attached ca_bundle.tgz file (or from this link). You can extract the content and verify that's just PEM .crt files in the Mozilla folder and symbolic links in the hashed folder.
Access Kerio Control's Shell Using SSH and execute ​mount -o rw,remount / via SSH.
Then upload the ca_bundle.tgz file via SFTP (FTP over SSH) to the /tmp folder.
Execute the following lines by copy-pasting the following to an SSH terminal:

cd /tmp
rm /var/winroute/sslcert/hashed/*
rm /usr/share/ca-certificates/mozilla/*.crt
mount -o rw,remount /
tar -xvf ca_bundle.tgz
mv mozilla/*.crt /usr/share/ca-certificates/mozilla/
mv hashed/*.0 /var/winroute/sslcert/hashed/
rm -rf mozilla hashed
rm ca_bundle.tgz
/etc/boxinit.d/60winroute restart
Re: Root CA let's encrypt and SSL inspection [message #151376 is a reply to message #150833] Fri, 01 April 2022 14:41 Go to previous messageGo to next message
coolnicks is currently offline  coolnicks
Messages: 23
Registered: June 2005
kimiko1086,

Do you have a copy of the ca_bundle.tgz you used please?

Regards
Re: Root CA let's encrypt and SSL inspection [message #152055 is a reply to message #151376] Sat, 25 June 2022 10:32 Go to previous message
brauner is currently offline  brauner
Messages: 111
Registered: February 2010
Hello

Where can I find the ca_bundle.tgz file?

and another question: does Letscrypt certificates renew automaticaly?

-Roei
Previous Topic: Access to VPN client
Next Topic: System erros - automatic restarts
Goto Forum:
  


Current Time: Wed Nov 30 12:27:28 CET 2022

Total time taken to generate the page: 0.03154 seconds