Certificate problem when surfing certain websites.

Francesco Caraco

Jan 13, 2025, 6:00:35 AM
to Diladele Web Safety
The following certificate is used for every website, which causes an error even though I have imported other root CA certificates and also a certificate for other websites. But interestingly, the standard certificate is always used. I have version 9.3 installed from the web proxy.

Output from Certificate.

Allgemeiner Name (CN)
proxy.example.lan
Organisation (O)
Example Ltd.
Organisationseinheit (OU)
IT
Ausgestellt von
Allgemeiner Name (CN)
proxy.example.lan
Organisation (O)
Example Ltd.
Organisationseinheit (OU)
IT
Gültigkeitsdauer
Ausgestellt am
Sonntag, 27. März 2022 um 11:02:07
Gültig bis
Freitag, 26. März 2027 um 10:02:07
SHA-256-Fingerabdrücke
Zertifikat
df57ff1ee80fe9909459347ef47f602d1c78f89ea4baac3935f6370b38c79829
Öffentlicher Schlüssel
f873ec380c6d1983d18f25442e6b2721cbfc648da0338743c5ba3222a896b230


Was this possible to change in earlier versions or is it just a bug?

rafael....@diladele.com

Jan 13, 2025, 6:08:16 AM
to Diladele Web Safety
Hello, fc,

The certificate imported is stored in the /opt/websafety/etc/ folder and upon import *from the Admin UI* Squid's cached storage for the imitated certificates is correctly re-initialized.
What I would recommend is to:

- disable HTTPS decryption in Admin UI
- stop users from accessing the proxy; this can easily be done by just stopping squid by running "systemctl stop squid"; this will ensure that squid is *not* caching any imitated certificates in memory
- re-upload the decryption certificate from Admin UI - this will re-initialize the certificate storage on disk, completely erasing it
- close all browsers on the client - because sometimes an open browser renders the certificate used and caches its visual representation
- enable HTTPS decryption in Admin UI
- click save and restart in Admin UI

From now on your proxy will definitely use the decryption certificate you have uploaded and NOT that default one.
Reproduce the error, and if it still exists, please send me the screenshot of the certificate info to sup...@diladele.com

Best regards,
Rafael

P.S. May I ask if you are using our appliance or have built the machine yourself? Because in the latter case sometimes the squid.conf from the system is used and not the one which the app needs.

Francesco Caraco

Jan 13, 2025, 6:48:23 AM
to Diladele Web Safety
Hello Rafael,

I think we misunderstood each other. I don't mean the certificate for the Admin UI. I'm talking about when you open websites like Google via the browser.

I have the VMWARE appliance running.

Best regards

Francesco

rafael....@diladele.com

Jan 13, 2025, 6:52:18 AM
to Diladele Web Safety
Hello Francesco,

No, I specifically mentioned the steps required for the HTTPS decryption certificate, not the Admin UI certificate.
Let me rephrase.

If you are using HTTPS decryption then upon generation of your own decryption certificate the squid proxy will use it for all connections (unless excluded) and for the error connections too.
If you are NOT using HTTPS decryption then the uploaded decryption certificate will also be used for errors - this is explained in https://www.diladele.com/websafety/docs/faq/squid/https_decryption/still_decrypting_when_disabled/ (in short, if an HTTPS connection is made, squid still decrypts all error connections - to show the error, sort of recursion).

Hope I understood you correctly.

Best regards,
Rafael