After firmware upgrade: NET::ERR_CERT_COMMON_NAME_INVALID

Hello,

After the firmware upgrade, when we try to go to https://www.youtube.com/ ONLY, we get the error NET::ERR_CERT_COMMON_NAME_INVALID.

Could you help me?


All Replies

  • Zyxel_Stanley  Posts: 1,379  Zyxel Employee
    Hi @abonadonna
    Did you enable the SSL Inspection function? You can try updating the certificate package in the SSL Inspection function first (SSL Inspection > Certificate Update).

  • Riccardo_Baima  Posts: 4  Freshman Member
    I have the same problem. I've updated the certificate package in SSL Inspection, but it doesn't work.

  • Zyxel_Stanley  Posts: 1,379  Zyxel Employee
    Hi @Riccardo_Baima
    What's the web URL that displays the error to you?
    Some web pages, for higher security reasons, don't allow their certificate to be replaced with the configured certificate.
    Then the browser will display an error message and the content is unable to load (HSTS error).

    You can add the URL into the exclude list. Then the web content can be displayed successfully, but the firewall is unable to inspect the content of the webpage.

  • Riccardo_Baima  Posts: 4  Freshman Member
    Thanks for the reply. The website in question is https://youtube.com/. The following image is what I see. I tried your solution but it doesn't work. It is strange behavior of the firewall, but I can find solutions.

  • abonadonna  Posts: 7
    I don't use SSL Inspection. Finally I solved the problem by disabling IP Reputation... I tried to use the white list but nothing... please give us a solution!
  • Zyxel_Stanley  Posts: 1,379  Zyxel Employee
    edited May 2022
    Hi @abonadonna @Riccardo_Baima
    When the issue is happening, you can use nslookup to resolve the URL from cmd:
    C:\>nslookup youtube.com
    After getting the IP address from the DNS server, you can enter the IP address into the field to check if the IP address exists in the cyber threats IP list.

    If the URL is trusted, you can add the IP address into the "Allow List" first.
    Then flush the DNS cache on the PC and the firewall, and try to reconnect again.
    PC:
    C:\>ipconfig /flushdns
    Firewall:
    Router(config)# ip dns server cache-flush

    Almost all cloud (web) servers are using dynamic IP addresses. The IP address may have been used by an unsafe website, so it is listed in the cyber threats IP list. You may wait for the next signature update; the IP address may be removed from the IP list in the new version.
    Also, you can check the IP's safety with a 3rd-party resource to see if it has been reported as an unsafe IP (e.g. VirusTotal).
  • Riccardo_Baima  Posts: 4  Freshman Member
    Thanks for the reply, but it still doesn't work. In my USG FLEX 100 the indicated page does not have "IP to test" but only "URL to test". I tried with https://youtube.com and it gives no errors.

    However, I have noticed a warning: "At the moment you cannot visit the website www.youtube.com because it uses HSTS. Network failures and attacks are typically temporary, so this page may work later."

    As a last test I restarted the firewall.
  • Zyxel_Stanley  Posts: 1,379  Zyxel Employee
    Hi @Riccardo_Baima
    When the web page is redirecting to the error page, you can go to Monitor > Log page to check if there are any related log entries. If you still can't find the reason, you may download startup-config.conf and send it to me by private message for further checking.
  • Riccardo_Baima  Posts: 4  Freshman Member
    Updating what was written before, I noticed that the YouTube web page refers to an invalid certificate. I attach the image.

  • Zyxel_Stanley  Posts: 1,379  Zyxel Employee
    Hi @Riccardo_Baima
    In the default Web Content Filter and DNS Content Filter, the "Media Sharing" category is enabled in the default profiles.
    Once the HTTPS or DNS connection matches the category, the CF service will redirect you to the specific block web page. Of course the certificate will be replaced too.
    Because the certificate doesn't match the original URL, the browser will disconnect the session and display the error message (HSTS) to you.

    You can go to Monitor > Log page to check the event log. Once the website has been blocked, the system will have a block log. You can add the URL into Trusted Web Sites (or allow list) to fulfill your network requirement.
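The mechanism described in this last reply, as an added example that is not part of the thread and not Zyxel's code: a block-page redirect serves the firewall's own certificate, whose SAN names do not cover the host the browser asked for, and that name mismatch is what NET::ERR_CERT_COMMON_NAME_INVALID reports (the HSTS policy only removes the click-through). The script reproduces the browser's SAN check with the Python standard library to show which names and issuer a served certificate actually carries; both sample certificates and every name in them are constructed, and probe() is only for running against a live host.

```python
import socket
import ssl

# Constructed sample certificates in the shape ssl.SSLSocket.getpeercert() returns.
GENUINE_CERT = {
    "subjectAltName": (("DNS", "*.youtube.com"), ("DNS", "youtube.com")),
    "issuer": ((("commonName", "Example Public CA"),),),          # constructed
}
BLOCK_PAGE_CERT = {
    "subjectAltName": (("DNS", "block-page.firewall.example"),),  # constructed
    "issuer": ((("commonName", "Example Firewall CA"),),),        # constructed
}


def san_matches(hostname: str, pattern: str) -> bool:
    """Browser-style dNSName match: exact, or a single '*' covering exactly the
    leftmost label (so *.youtube.com covers www.youtube.com but not youtube.com)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]   # refuse *.com-style wildcards
    return host == pat


def diagnose(hostname: str, cert: dict) -> dict:
    """Explain a name mismatch: which names the served certificate carries and
    who issued it. Browsers ignore the CN, so only dNSName SANs are checked."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    ok = any(san_matches(hostname, n) for n in names)
    return {"verdict": "ok" if ok else "name_mismatch",
            "requested": hostname, "cert_names": names,
            "issuer": issuer.get("commonName", "?")}


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to the host and diagnose the certificate actually served. Chain
    validation stays on; only the hostname check is done by diagnose() instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return diagnose(hostname, tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:   # e.g. firewall CA not trusted by this PC
        return {"verdict": "untrusted_issuer", "requested": hostname,
                "detail": exc.verify_message}
```

A result of name_mismatch with an issuer that is not a public CA is the fingerprint of a block page or inspection proxy answering in place of the real site; untrusted_issuer is the other error class (NET::ERR_CERT_AUTHORITY_INVALID) and points at a missing CA on the PC rather than at the filter policy.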
