Eprs_Admin
asked on
strange cert errors for some users
Hi Experts,
I have a very strange problem with https sites.
In one department we have 10 persons. They all connect to the internet through the same firewall policy.
But two of them cannot connect to some sites like -> www.orf.at
Other https sites work.
On the policy I have disabled all UTM features, no webfilter is active.
The users get this error in each browser: DLG_FLAGS_INVALID_CA
Please can you help me out?
So far this problem is just on WIN10 machines.
ASKER
we use CHROME , IE and EDGE.
Always the same problem.
ASKER
Yes we have cleared cache, cookies, history and so on.
It looks like the CA used on the remote site is not in the trusted store on the affected PCs.
(INVALID_CA)..
This is the CA from the site (orf.at):
Common Name (CN) Entrust Certification Authority - L1K
Organization (O) Entrust, Inc.
Organizational Unit (OU) See www.entrust.net/legal-terms
Maybe some updates to the CA certificates are needed? You can verify the chain by clicking the padlock and then viewing the certificate details (Chromium/Chrome).
Other reasons for distrusting CAs can be a skewed clock (is the time on this PC synchronised?),
are you actually going to the right site? No malware that reroutes traffic?
Or a hosts file that points to the wrong site? (Verify nslookups on both systems and compare to working systems, and compare to the IP address in a ping.)
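The checks listed above, collected in one script as an added example (not code from the thread or from either poster). It assumes an elevated PowerShell 5.1 prompt on the affected Windows 10 client with network access to the site; www.orf.at is the host from the question, everything else is a placeholder you can change. It prints the clock state, any hosts-file override, the DNS answer, the fields of the certificate the server really presents (subject, issuer, validity, SAN, fingerprint), and then builds the chain against the local stores the same way CryptoAPI does for the browser, so an untrusted or missing root shows up as a chain status rather than a bare DLG_FLAGS_INVALID_CA.

```powershell
# Added example, not from the thread: gather the evidence NOCI asks for on one
# affected Windows 10 client. Assumes an elevated PowerShell 5.1 prompt with
# network access; www.orf.at is the host from the question.
param(
    [string]$TargetHost = 'www.orf.at',
    [int]$Port = 443
)

# 1. Clock skew makes valid certificates look expired or not yet valid.
Write-Host "Local time (UTC): $((Get-Date).ToUniversalTime().ToString('u'))"
Write-Host (w32tm /query /status | Out-String)

# 2. A hosts-file override sends the browser to a different server than DNS says.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -notmatch '^\s*#' -and $_ -match [regex]::Escape($TargetHost) } |
    ForEach-Object { Write-Warning "hosts file override: $_" }

# 3. DNS answer, to compare with a working client (nslookup / ping on that machine).
$ips = [System.Net.Dns]::GetHostAddresses($TargetHost) | ForEach-Object { $_.IPAddressToString }
Write-Host "$TargetHost resolves to: $($ips -join ', ')"

# 4. Fetch the certificate the server actually presents. The callback accepts
#    everything so the handshake completes; trust is evaluated separately below.
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($TargetHost)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# 5. The fields a person would compare between a broken and a working client.
Write-Host "Subject   : $($leaf.Subject)"
Write-Host "Issuer    : $($leaf.Issuer)"
Write-Host "Valid     : $($leaf.NotBefore) until $($leaf.NotAfter)"
Write-Host "SHA1      : $($leaf.Thumbprint)"
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) { Write-Host "SAN       : $($san.Format($false))" }

# 6. Build the chain against this machine's stores. Revocation is skipped on
#    purpose so a CRL/OCSP outage is not mistaken for an untrusted CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($leaf)
Write-Host "Chain trusted: $trusted"
foreach ($el in $chain.ChainElements) {
    Write-Host ("  {0}`n    thumbprint {1}" -f $el.Certificate.Subject, $el.Certificate.Thumbprint)
}
if (-not $trusted) {
    # UntrustedRoot or PartialChain here is what the browser shows as DLG_FLAGS_INVALID_CA.
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
    }
}

# 7. Is the top of the chain a root this machine actually trusts?
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$roots = @(Get-ChildItem Cert:\LocalMachine\Root) + @(Get-ChildItem Cert:\CurrentUser\Root)
if ($roots | Where-Object { $_.Thumbprint -eq $top.Thumbprint }) {
    Write-Host "Top of chain '$($top.Subject)' is in a Trusted Root store."
} elseif ($top.Subject -eq $top.Issuer) {
    Write-Warning "Self-signed root '$($top.Subject)' is NOT in Trusted Root: the root is missing."
} else {
    Write-Warning "Chain stops at '$($top.Subject)': its issuer could not be found in any store."
}
```

Run it once on a failing client and once on a working one and diff the output; if the leaf, SAN and fingerprint match on both but only the chain result differs, the problem is the local trust store, not the network path.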
Does that happen for all users on those PCs? Create a test user and try in his profile.
ASKER
the problem exists with each profile on the same PC.
ASKER
Hey NOCI,
I have found this article about it:
http://woshub.com/updating-trusted-root-certificates-in-windows-10/
Can you confirm this: when Windows updates are disabled, the root certificates are not updated?
ASKER
Is it possible to check somewhere when certificate updates are applied? Maybe the event log?
That could very well be the reason. No Windows updates, no cert updates, if I remember correctly.
You can use certutil.exe to drop the certs to a folder and compare with what your certificate stores hold:
Certutil -syncWithWU c:\certs\
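The comparison McKnife describes, scripted as an added example (not code from the thread). It assumes an elevated PowerShell 5.1 prompt with internet access; `C:\certs`, the `Entrust` subject filter and the `-Import` switch are placeholders of this example. It runs `certutil -syncWithWU`, loads every downloaded `.crt`, reports which of them are absent from the machine's Root and AuthRoot stores, optionally imports the filtered ones, and finally reads the last automatic root-update sync time from the registry (that registry location is quoted from memory and should be treated as an assumption to verify on your build).

```powershell
# Added example, not from the thread: sync the Windows Update root set and diff
# it against the local trust stores. Assumes an elevated PowerShell 5.1 prompt
# with internet access. -Import is off by default.
param(
    [string]$SyncDir = 'C:\certs',          # placeholder path
    [string]$SubjectFilter = 'Entrust',     # narrows the report; '' shows all
    [switch]$Import
)

New-Item -ItemType Directory -Path $SyncDir -Force | Out-Null
# Download the current Windows Update root set (one .crt per root plus the STL cabs).
certutil.exe -syncWithWU $SyncDir | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed (exit code $LASTEXITCODE)" }

# Thumbprints of every root this machine already trusts: the Microsoft-managed
# store (Root) and the third-party store (AuthRoot).
$local = @{}
foreach ($store in 'Root', 'AuthRoot') {
    Get-ChildItem "Cert:\LocalMachine\$store" | ForEach-Object { $local[$_.Thumbprint] = $store }
}

# Load each downloaded root, keyed by thumbprint so the file path is kept for import.
$downloaded = @{}
foreach ($f in Get-ChildItem -Path $SyncDir -Filter *.crt) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f.FullName)
    $downloaded[$c.Thumbprint] = @{ Cert = $c; Path = $f.FullName }
}
$missing = @($downloaded.Values | Where-Object { -not $local.ContainsKey($_.Cert.Thumbprint) })
"{0} roots downloaded, {1} not present in LocalMachine\Root or AuthRoot" -f $downloaded.Count, $missing.Count

# Report the missing roots matching the filter (thumbprint is the fingerprint to compare).
$selected = @($missing | Where-Object { $_.Cert.Subject -like "*$SubjectFilter*" })
$selected | ForEach-Object { $_.Cert } |
    Select-Object Thumbprint, NotAfter, Subject | Format-Table -AutoSize

if ($Import) {
    # Import only the filtered roots; adding every downloaded root blindly widens trust
    # more than the one broken site requires.
    foreach ($m in $selected) {
        Import-Certificate -FilePath $m.Path -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        "Imported: $($m.Cert.Subject)"
    }
}

# When did the automatic root update last succeed? Registry location as I recall it
# for Windows 10 (assumption, verify on your build); the value is a FILETIME.
$key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$raw = (Get-ItemProperty -Path $key -Name LastSyncTime -ErrorAction SilentlyContinue).LastSyncTime
if ($raw) {
    "Last automatic root update sync (UTC): " + [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
} else {
    "No LastSyncTime recorded; automatic root update may never have run here."
}
```

One caveat worth checking before importing anything: `certutil -syncWithWU` downloads from the same ctldl.windowsupdate.com endpoint that Windows uses for its on-demand root update, so if the command itself fails on the two affected PCs, a proxy or firewall rule blocking that host (or the "Turn off Automatic Root Certificates Update" policy) is the more likely cause than missing patches.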
ASKER
Hey MCKNIFE,
thanks for the info.
I already did this certutil command.
And I can see many differences between the affected clients and working clients.
Try to import all these certs and see what happens. Of course you can also try to import only the one that your orf.at site uses, which should be the Entrust one.
No updates is no updates... so that includes certificate updates.
To verify you can always check the so-called fingerprints of certificates,
and view the fields inside like Subject, SAN, issuer, version of the certificate etc. (You may need a tool to present the binary form in a readable format, but the browser will do that for a website, openssl tools will do that on any platform, and Windows should have certutil.)
ASKER
ok,
thanks a lot.
I think we have found the problem.
Now I have just one question, how to check and see if there was a certificate update ?
But I will open a new case for it.
ASKER CERTIFIED SOLUTION
ASKER
thanks a lot.
So it worked?
You identified the certificates you needed or did you copy all, or...?
What browser are you using? Did you try others?