
SMA stop working when using specific certificate in portal

When I select a certificate in the virtual host for a portal, the SMA 410 stops working; it just goes into watchdog and reboots indefinitely. The CLI doesn't even work. I have to start from scratch every time.

My certificate doesn't use a CSR generated by my SMA, but it still looks good because I am able to use it in the default setting. I based my configuration on the guide page https://www.sonicwall.com/support/knowledge-base/smb-ssl-vpn-can-i-use-multiple-certificates-for-multiple-portals-on-sra/170502484055060/

Same issue on my 500v.

I'm using a subdomain certificate format: xxxx.domain.com

Category: Secure Mobile Access Appliances

Answers

  • prestonpreston All-Knowing Sage ✭✭✭✭
    edited February 2021

    Hi @jess_gagne, I've had this with my SMA. If you check the CLI it will probably show HTTPD failed to start and then reboot; you can see this on the SMA500v console.

    Eventually I found the reason was that the certificate didn't contain the key, even though the SMA accepted it.

    If you created it via IIS, try exporting via MMC and export with the key and all extended properties.

    Also, if you were using the version previous to 10.2.0.3-24sv, there was a bug to do with the certificates unbinding themselves from the portal after you saved the portal.

  • I tried 2 methods:

    • Upload the certificate from a zip file with server.crt and server.key in it.
    • Upload the certificate from a .pfx file (containing the certificate and private key).

    Both methods give the same issue:

    The certificate works if I enable it in System -> Certificate, and when I check the certificate details in my web browser, it is using the good one.

    If I create a portal with a virtual host configured with interface "any", everything is OK.

    If I create a portal with a virtual host configured with X0 and IP 10.0.0.12/26, the appliance stops working.

    On my VM, I don't see the boot process... but from my past tests on the SMA 410, it shows httpd failed to start.

    The problem appears when I manually define the IP and interface for the portal.

    I am using NAT to redirect internet traffic to my SMA410 and 500v, so my SMA is not directly connected to the WAN.

  • prestonpreston All-Knowing Sage ✭✭✭✭
    Are you trying to use the same cert for multiple portals? This is only an option for wildcard certs. If you set the default virtual office to use the self-signed cert and then use your cert for the custom portal, does it still crash the appliance? I take it if you are using a virtual IP you are port forwarding to that and not the X0 IP. Did you also import the CA's root cert into the appliance before importing your cert?

    When I had the issue, I tested the certificate using the DigiCert tool and it told me it was missing the key for some reason. Mine too worked fine on the virtual office portal, but I had the same issue when applying it to another portal. Eventually I noticed something in the console that mentioned the cert key, hence using the DigiCert tool. I had to renew mine, then once I'd done that and re-imported it, it worked OK. It may be that part of the chain is missing if you haven't imported the CA bundle. The only other thing is my original cert was using elliptical curve encryption, so when I renewed I just chose its default settings.

    Another test you could do is use the built-in Let's Encrypt certificate tool to generate a certificate and see if you have any issues with that. The only downside is you have to allow port 80 through to the appliance for it to work and auto-renew.
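The answers above come down to one check: does the uploaded bundle actually carry the private key that matches the certificate? The following is an added example (not SonicWall's code or a tool from this thread) that runs that check locally with OpenSSL before anything is uploaded; it assumes `openssl` is installed and handles both upload methods the thread mentions, a server.crt/server.key pair and a .pfx.

```shell
#!/bin/sh
# Added example, not part of the original thread: pre-upload checks for an SMA
# portal certificate. Assumes the openssl CLI is available.

# cert_key_match CERT KEY
# Returns 0 only if the private key in KEY belongs to the certificate in CERT.
# Both sides are reduced to their SubjectPublicKeyInfo PEM and compared.
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pfx_has_key PFX [PASSWORD]
# Returns 0 only if the PKCS#12 bundle contains both a certificate and a
# private key (a cert-only export is what made the appliance fail to start).
pfx_has_key() {
  pfx="$1"; pass="${2:-}"
  out=$(openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nodes 2>/dev/null) || return 1
  printf '%s\n' "$out" | grep -q 'BEGIN CERTIFICATE' &&
    printf '%s\n' "$out" | grep -q 'PRIVATE KEY'
}

# chain_verifies CERT CABUNDLE
# Returns 0 if CERT chains to the CA bundle you intend to import alongside it.
chain_verifies() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Usage: ./check_cert.sh server.crt server.key [ca-bundle.pem]
if [ "$#" -ge 2 ]; then
  cert_key_match "$1" "$2" && echo "key matches certificate" || echo "KEY MISMATCH or unreadable input"
  [ "$#" -ge 3 ] && { chain_verifies "$1" "$3" && echo "chain OK" || echo "CHAIN INCOMPLETE"; }
fi
```

A bundle that fails `cert_key_match` or `pfx_has_key` is the same kind of file the first answer describes (accepted by the SMA, but with no usable key), so it should be re-exported with the key before it is bound to a portal.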