SSL Certification Errors

SSL Certification Errors

Issues with their Root Cause

  1. When the SSL certificate is imported into the Chrome browser and still shows Your connection is not secured for HTTPS sites.
->Policies in the HTTPS Inspection subsection may not be configured correctly.
  1. While the successful configuration of HTTPS Inspection, accessing youtube.com shows an error but all other HTTPS sites work fine.
 ->In the HTTPS inspection section, if the Global subsection is not set to Enabled as TRUE then this problem may arise.
  1. While the SafeSquid certificate is installed inside the browser however HTTPS sites show the error Secured connection fail.
->Either passphrases were not matched or Password encryption failed due to inappropriate input being given.
  1. SSL certificate downloaded with size 0 bytes.
->When the certificate is downloaded without encryption of the password then the certificate will be downloaded with 0 bytes.
  1. Displaying ERROR "SSL Connection to webmail.safesquid.net:2096 denied S_X509_DNS_MISMATCH: SSL Certificate has DNS errors."
->Remove HTTPS websites from SSL Certs/Cache if you get an error Secured connection fail when you access HTTPS websites or some of the HTTPS websites are working without error but some of the HTTPS websites are not working.

Troubleshooting

Case 1

Check whether the SSL certificate was properly imported inside the browser or not.

Case 2

Check SSL Certs/Cache if you face the issue mentioned below:
SafeSquid certificate imported inside the browser but still showing error Secured connection fails when you try to access HTTPS websites
Some HTTPS websites are working without error, but others are not working.
When you remove the old activation key and install a new activation key and then configure a new SSL certificate.
Native Logs
  1. 2018 03 17 10:15:38.084 [119] network: IP:192.168.0.10 fd:20 normal client disconnected after making 1 requests
  2. 2018 03 17 10:15:38.084 [119] warn: advice: [IP:192.168.0.10] process: transfer failed
  3. 2018 03 17 10:15:38.084 [119] error: ssl: ClientEncrypt: failed encryption :anonymous@192.168.0.10 for www.irctc.co.in:443
  4. 2018 03 17 10:15:38.083 [119] error: ssl: EncryptC:987 ssl_ctx:NULL
  5. 2018 03 17 10:15:38.083 [119] error: ssl: failed : reading key from /var/db/safesquid/ssl/certs/irctc.co.in/www.irctc.co.in
If you face the above issues you have to remove all the HTTPS websites that you access from path /var/db/safesquid/ssl
Run the below command and check for the file:
  1. root@sabproxy:/var/db/safesquid/ssl#
  2. root@sabproxy:/var/db/safesquid/ssl# ll
  3. total 24
  4. drwxrwxr--  6 ssquid root 4096 Jul 28 17:06 ./
  5. drwxrwxr--  7 ssquid root 4096 Jul 28 17:06 ../
  6. drwxrwxr--  2 ssquid root 4096 Aug 10 13:34 badcerts/
  7. drwxrwxr-- 29 ssquid root 4096 Sep  2 16:27 certs/
  8. drwxrwxr--  2 ssquid root 4096 Jul 28 17:06 goodcerts/
  9. drwxrwxr--  2 ssquid root 4096 Jul 28 17:06 serials/
  10. root@sabproxy:/var/db/safesquid/ssl# cd certs/
  11. root@sabproxy:/var/db/safesquid/ssl/certs#rm -rf *
Repeat the above step for good certs/  and badcerts/  and access those websites from the browser. 

Case 3

Displaying ERROR "SSL Connection to webmail.safesquid.net:2096 denied S_X509_DNS_MISMATCH: SSL Certificate has DNS errors."
When you access any website and face the error "S_X509_DNS_MISMATCH: SSL Certificate has DNS errors" via proxy even if you properly configured the SSL certificate inside the browser,
that means the certificate of that website is broken.
SafeSquid stores all those websites whose certificates are broken under this path /var/db/safesquid/ssl/badcerts/
You should find the domain of the website at the given path: /var/db/safesquid/ssl/badcerts/
Go to that domain name folder by command: cd domain-name 
You should find the FQDN of that website. (e.g. webmail.safesquid.net)
Go to that FQDN by command: vi FQDN (e.g. vi webmail.safesquid.net
Here you should find a mismatched domain name:
  1. root@dev:~# cd /var/db/safesquid/ssl/
  2. root@dev:/var/db/safesquid/ssl# ll
  3. total 52
  4. drwxrwxr--     2 ssquid  root  4096 Jul  4  2017    serials
  5. drwxrwxr--     2 ssquid  root  4096 Mar  9 16:30  goodcerts
  6. drwxrwxr-- 71 ssquid root  4096 Mar  9 16:45 badcerts
  7. drwxrwxr-- 1022 ssquid root 36864 Mar 12 12:16 certs
  8. root@dev:/var/db/safesquid/ssl# cd badcerts/
  9. root@dev:/var/db/safesquid/ssl/badcerts# ll
  10. total 276
  11. drwxrwxr--    2 ssquid root 4096     Mar  8 12:07 1rx.io
  12. drwxrwxr--    2 ssquid root 4096     Mar  8 12:32 ravenad.com
  13. drwxrwxr--    2 ssquid root 4096     Mar  8 15:36 microsoft.com
  14. drwxrwxr--    2 ssquid root 4096     Mar  8 16:04 indiatimes.com
  15. drwxrwxr--    2 ssquid root 4096     Mar  8 19:08 quoracdn.net
  16. drwxrwxr--    2 ssquid root 4096     Mar  9 15:25 iis.net
  17. drwxrwxr-- 2 ssquid root 4096     Mar  9 16:27 safesquid.net
  18. root@dev:/var/db/safesquid/ssl/badcerts# cd safesquid.net/
  19. root@dev:/var/db/safesquid/ssl/badcerts/safesquid.net# ll
  20. total 8
  21. -rw-rw-r-- 1 ssquid root 5904  Mar  9 15:43 webmail.safesquid.net
  22. root@dev:/var/db/safesquid/ssl/badcerts/safesquid.net# vi webmail.safesquid.net

  1. ---
  2. S_X509_DNS_MISMATCH: SSL Certificate has DNS errors.
  3. ---
  4. Certificate:
  5.    Data:
  6.        Version: 3 (0x2)
  7.        Serial Number:
  8.            f8:bd:5e:60:3d:26:db:5d:1a:c0:6a:05:92:ee:c7:81
  9.    Signature Algorithm: sha256WithRSAEncryption
  10.        Issuer: C=US, ST=TX, L=Houston, O=cPanel, Inc., CN=cPanel, Inc. Certification Authority
  11.        Validity
  12.            Not Before: Jul 23 00:00:00 2017 GMT
  13.            Not After: Jul 23 23:59:59 2018 GMT
  14.        Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=alpha.surebrowse.net
  15.        Subject Public Key Info:
  16.            Public Key Algorithm: rsaEncryption
  17.                Public-Key: (2048 bit)
To ALLOW Block domain mismatch errors of HTTPS websites you have to create a policy.
Creating a new policy in request types under custom settings section
Creating a policy by adding all the required values
Creating a new policy in Access profiles section
adding the required values
Clicking on Inspection policies in HTTPS inspection under Real time content security section
Creating a new policy
moving up the created policy just above the last policy
saving configuration globally



    • Related Articles

    • SSL certificate downloaded with zero size OR unable to download SSL certificate

      Issues SSL certificate downloaded with zero size Unable to download SSL certificate Note: If you generate new activation key from Self-Service Portal and activate SafeSquid using same activation key. And directly download SSL certificate from ...

    • Unblock the blocked website

      Overview Some of the websites are blocked due to the entries created in the SafeSquid configuration. We don't know which security filter is the reason for blocking. We need to identify the filter and based on that create the new entry to allow the ...

    • Certificate manageability

      Overview The SafeSquid Self-Service Portal enables you to manage Trusted Root CA across all your SafeSquid Installations. You can Generate Self Signed Certificate, or upload your existing Enterprise CA. Read More about SSL certificates from the ...

    • Standard Operating Procedure (SOP) for Troubleshooting Issues in your SafeSquid proxy server

      Purpose To provide a consistent and effective approach to troubleshooting network connectivity and web server issues using key commands. Scope This SOP applies to troubleshooting sessions involving DNS resolution, port connectivity, web server ...

    • Troubleshooting issues during installation of SafeSquid

      A comprehensive guide for troubleshooting common issues encountered during the installation of SafeSquid. It is designed to help users navigate through potential problems and find effective solutions. Before Installation Common issues in this stage ...