Error "Network Error (ssl_server_cert_untrusted_issuer)" when trying to access some HTTPS websites

Article ID: 167695

Products

Advanced Secure Gateway Software - ASG ProxySG Software - SGOS

Issue/Introduction

Users cannot access certain HTTPS websites when SSL interception is enabled. They receive the error "Network Error (ssl_server_cert_untrusted_issuer)".

Resolution

The ProxySG appliance has an internal trusted CA certificate list. If a web server has a certificate issued by a CA (Certificate Authority) that is unknown to the appliance, the appliance denies access by default.

To bypass this error, do one of the following:


Solution 1: Have the ProxySG appliance trust the CA

Use this solution only if you trust the CA. This solution also applies when an organization runs an internal PKI server that issues certificates to internal websites. To add the CA to a trusted list, see Why is the browser showing error "Network Error (ssl_server_cert_untrusted_issuer)"?.

Solution 2: Disable SSL server certificate validation

Perform this solution using an SSL Access Layer in the Visual Policy Manager (VPM). In the SSL Access Layer, disable only the "Untrusted Issuer" check while keeping the other certificate validations intact.

  1. In the Management Console, launch the VPM.
  2. Create a new SSL Access Layer.
  3. Add a new Rule.
  4. Edit the Source to match your requirement (alternatively, select Any).
  5. Edit the Destination and add the server address, such as www.google.com.
  6. Right click the Action column and select Set > New > Set Server Certificate Validation.
  7. Select Ignore untrusted issuer.
  8. Select OK > OK to return to the VPM.
  9. Click Install Policy.

The equivalent policy in CPL is as follows:

<SSL>
url.domain=www.google.com server.certificate.validate(yes) server.certificate.validate.ignore(untrusted_issuer)

Solution 3: Tunnel the traffic

By forcing the traffic into a tunnel, the proxy does not perform server certificate verification. The procedure differs depending on whether the deployment is explicit or transparent.

Explicit:

  1. In the Management Console, launch the VPM.
  2. Create a new Web Access Layer.
  3. Add a new Rule.
  4. Edit the Source to match your requirement (alternatively, select Any).
  5. Edit the Destination and add the server address, such as www.google.com.
  6. Right click the Action column and select Set > Disable Protocol Detection.
  7. Select OK > OK to return to the VPM.
  8. Click Install Policy.
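The following CPL is an added example, not from the original article, mirroring the explicit-deployment steps above with the source scoped to a client subnet instead of Any. The subnet 10.0.0.0/8 is an assumed placeholder; narrow it to the clients that actually need the exception so that the rest of the traffic stays intercepted and inspected.

```cpl
; Added example (not from the article): explicit-proxy equivalent of
; "Disable Protocol Detection" for one destination, limited to one source.
; 10.0.0.0/8 is a placeholder for the client range that needs the exception.
<Proxy>
  client.address=10.0.0.0/8 url.domain=www.google.com detect_protocol(no)
```

With protocol detection off, the matching connection is tunneled as plain TCP, so no SSL interception or certificate validation is applied to it; every other request still goes through the normal policy.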

Transparent:

  1. Go to Configuration > Services > Proxy Services.
  2. Create a new service.
  3. Set Source to the required source IP network.
  4. Set Destination to the required destination network.
  5. Set the Proxy type to TCP Tunnel.