How to troubleshoot Skyhigh Web Gateway Certificate Revocation List update or load errors
Technical Articles ID:
KB83679
Last Modified: 2023-12-13 12:21:14 Etc/GMT
Environment
Skyhigh Web Gateway (SWG)
Summary
A Certificate Revocation List (CRL) is a signed list, published by a Certification Authority (CA), of certificates that the CA has revoked before their expiry date. A certificate that appears on the CRL must no longer be trusted. Each CA hosts its own CRLs, and we have no control over the availability of the CRL or of the CA.
CRL updates occur as part of the daily update process on SWG. They're the only updates SWG downloads that we don't host.
Because of the many different web servers SWG must contact to obtain the CRL files, one or more of those servers can be down or have issues hosting the CRL file at any given time. When this happens, alert-level warning messages appear on your SWG Dashboard. These alerts rarely require administrative interaction: until the download succeeds, the certificate chain filter keeps checking against the CRL data it already has, so the only effect is that a revocation the CA published after that data was fetched isn't visible yet. If you want to determine why the CRL updates are failing, see the troubleshooting information in this article.
Problem
When a CRL update or load fails, the SWG Dashboard might display any of the following errors:
- An operating system error exception occurred with error message : Connection refused because the centralized updater tried to connect to host www.example-URL.domain (Origin: Updater, ID: 305, X times within the last X 'time')
This error indicates that SWG can't reach the host that the CA defines for the CRL. In the example above, the host is www.example-URL.domain. The usual causes are that the host is down or that a network device, such as a firewall, blocks connectivity to it.
- 1 of the recently updated CRLs for the certificate chain filter cannot be loaded (Origin: Certificate Chain Filter, ID: 1651)
This error indicates that SWG can connect to the server that hosts the CRL, but the server doesn't return a CRL file. For example, the request for the CRL returns an HTML page instead of a .crl file.
- Download of Certificate chain filter failed for node xxxxxxxx-xxxx-xxxx-xxxxxx (HOSTNAME)(Origin: Updater, ID: 1652)
This is a general error. It typically indicates that SWG can connect to the destination but runs into a problem after connecting; for example, the server redirects the CRL request, but the path in the Location header is malformed.
Solution
To troubleshoot CRL update or load failure errors, perform the following steps.
- Troubleshoot the error: "An operating system error exception occurred with error message : Connection refused because the centralized updater tried to connect to host www.example-URL.domain (Origin: Updater, ID: 305, X times within the last X 'time')"
- Troubleshoot the errors: "1 of the recently updated CRLs for the certificate chain filter cannot be loaded" and "Download of Certificate chain filter failed for node xxxxxxxx-xxxx-xxxx-xxxxxx (HOSTNAME)(Origin: Updater, ID: 1652)"
Troubleshoot the error: "An operating system error exception occurred with error message : Connection refused because the centralized updater tried to connect to host www.example-URL.domain (Origin: Updater, ID: 305, X times within the last X 'time')"
1. Identify the CA whose CRL triggers the error.
In the SWG UI, go to Troubleshooting, Log files, mwg-errors, and open the mwg-coordinator.errors.log that covers the time of the warning on your Dashboard. The log entry with the same timestamp as the warning includes the complete CRL URI that SWG tried to connect to. Example:
Failed to connect to host: 'http://crl.aol.com/AOLMSPKI/aolServerCert.crl' caught exception: 'COSErrException' with errorcode: '101', message:'errno: 101 - 'Network is unreachable
2. Test the CRL URI.
Use the CRL URI found in step 1 and try to retrieve the file using these three methods:
a. Request the URL in a web browser that isn't going through SWG.
b. Request the URL in a web browser from outside of your network.
c. Request the file with the wget command from your SWG. Example:
wget http://crl.comodo.net/UTN-USERFIRST.crl
NOTE: Test with both the web browser and SWG to check whether the problem is consistent or occurs only when going through SWG. If SWG reaches the Internet through an upstream proxy, point wget at the same proxy (for example, by setting the http_proxy environment variable); otherwise, the wget test doesn't exercise the path SWG itself uses.
3. Examine the results.
- If all three tests fail, the problem is with the server hosting the CRL; the host is likely down. In such cases, use the following guidance:
  - If you're using a local known CA list, remove the CRL URI from this CA manually. After the URI is removed, SWG no longer fetches it during its scheduled update.
  - If you're using our maintained list, open a case with Technical Support and request that we update or remove the CRL in question. Provide a feedback file (Troubleshooting, Feedback) and the CRL URI. See the "Related Information" section of this article for contact details.
- If steps a and c fail but step b succeeds, the problem likely lies within your network: a network device, such as a firewall, is blocking connectivity to the server hosting the CRL.
- If only step c fails, the problem likely lies in the network path that only SWG uses, for example a route, DNS resolver, or firewall rule that applies to the SWG appliance but not to your workstation.
Troubleshoot the errors: "1 of the recently updated CRLs for the certificate chain filter cannot be loaded" and "Download of Certificate chain filter failed for node xxxxxxxx-xxxx-xxxx-xxxxxx (HOSTNAME)(Origin: Updater, ID: 1652)"
1. Identify the CA whose CRL triggers the error.
In the SWG UI, go to Troubleshooting, Log files, mwg-errors, and open the mwg-coordinator.errors.log that covers the time of the warning on your Dashboard. The log entry with the same timestamp as the warning names the CRL file (not necessarily the full URI). Example:
Failed to download file: 'UTN-USERFirst-NetworkApplications.crl'.
2. Search your known CA list (local or our maintained list) for the CRL file name from step 1 to find the CA and its full CRL URI.
- If you're using our maintained list, search at Policy, Lists, Subscribed Lists, Certificate Authority, Known CAs (McAfee Maintained). Use the filter field to search for the CRL file name found in step 1.
- If you're using a locally maintained list, search at Policy, Lists, Custom Lists, Certificate Authority. Search for the CRL file name found in step 1.
3. Test the CRL URI.
Use the CRL URI from the CA found in step 2 and try to retrieve the file using these two methods:
a. Request the URL in your web browser.
b. Request the file with the wget command from your SWG. This method is preferred because your local browser might see different results than SWG, and SWG is the entity that tries to download the file. Example:
wget http://crl.comodo.net/UTN-USERFIRST.crl
4. Examine the results.
If the CRL is available, the browser downloads a .crl file from the web server.
- A successful download of the .crl file indicates that there isn't a problem with the server hosting it. If you can download the CRL from both your browser and SWG, but still see the error on your Dashboard, perform these steps:
  - Verify that no other CRL is triggering the warning. See step 1.
  - Open a case with Technical Support and provide a feedback file (Troubleshooting, Feedback). See the "Related Information" section of this article for contact details.
- If you don't receive a .crl file, there's a problem with the server hosting the file, or the location of the CRL URI has changed. In such cases, you might be redirected to another webpage or receive an HTML page instead. Because what SWG receives isn't a CRL, it can't load the file and reports the error. If you can't download the CRL from either your browser or SWG, follow these remediation steps:
  - If you're using a local known CA list, remove the CRL URI from this CA manually. After the URI is removed, SWG no longer fetches it during its scheduled update.
  - If you're using our maintained list, open a case with Technical Support and request that we update or remove the CRL in question. Provide a feedback file (Troubleshooting, Feedback) and the CRL URI. See the "Related Information" section of this article for contact details.
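The browser and wget tests in both procedures above tell you whether a download happens, but not which of the three failure classes you're looking at. The following shell script is an added example for this article; it isn't part of the article, of SWG, or of any vendor tool. It fetches one CRL URI the way an updater would (no redirect following), and reports a transport failure (the class behind "Connection refused" / "Network is unreachable", Updater ID 305), an HTTP error or redirect together with its Location header (the class behind ID 1652), or a 200 response whose body isn't a CRL at all (the class behind ID 1651). It assumes curl is installed on the host where you run it (the appliance test in the article uses wget, and curl may not be present there; a workstation or jump host is fine), that openssl is optional, and that, if SWG uses an upstream proxy, you export http_proxy to match before running it. classify_crl_file is a magic-byte heuristic; the real parse, when openssl is available, is the openssl crl call.

```shell
#!/bin/sh
# Added example, not part of the Skyhigh article or product.
# Assumes: curl on this host; openssl optional; http_proxy exported if SWG uses one.
# Usage: ./crlcheck.sh http://crl.comodo.net/UTN-USERFIRST.crl [more URIs...]

# Heuristic check of a downloaded body: is it a CRL at all, or an HTML page?
# Prints one of: pem-crl, der-crl, html, empty, unknown.
classify_crl_file() {
    f=$1
    [ -s "$f" ] || { echo empty; return 0; }
    if head -c 64 "$f" | grep -q -- '-----BEGIN X509 CRL-----'; then
        echo pem-crl; return 0
    fi
    # A DER CRL (like every DER structure) starts with the ASN.1 SEQUENCE tag 0x30.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der-crl; return 0
    fi
    if head -c 512 "$f" | grep -qi -e '<html' -e '<!doctype'; then
        echo html; return 0
    fi
    echo unknown
}

# Fetch one CRL URI without following redirects and report the failure class.
# Returns 0 only for an HTTP 200 whose body looks like a CRL.
check_crl_url() {
    url=$1
    tmp=$(mktemp -d)
    body=$tmp/body
    hdr=$tmp/headers
    rc=0
    # No -L: a 3xx is reported as-is with its Location header, which is where a
    # malformed redirect target shows up. curl honours http_proxy if it is set.
    status=$(curl -sS --connect-timeout 10 -o "$body" -D "$hdr" -w '%{http_code}' "$url") || rc=$?
    if [ "$rc" -ne 0 ]; then
        # curl exit 6 = cannot resolve host, 7 = cannot connect, 28 = timeout:
        # the transport-level failures behind "Connection refused" / "Network is unreachable".
        echo "$url: transport failure (curl exit $rc); host unreachable or blocked"
        rm -rf "$tmp"
        return 1
    fi
    ctype=$(sed -n 's/^[Cc]ontent-[Tt]ype: *//p' "$hdr" | tr -d '\r')
    kind=$(classify_crl_file "$body")
    size=$(wc -c < "$body" | tr -d ' ')
    case $status in
        3*) loc=$(sed -n 's/^[Ll]ocation: *//p' "$hdr" | tr -d '\r')
            echo "$url: HTTP $status redirect to '$loc'; check that this target is well-formed and reachable" ;;
        200) echo "$url: HTTP 200, Content-Type '$ctype', body is $kind ($size bytes)" ;;
        *)  echo "$url: HTTP $status, server reachable but not serving the CRL (body is $kind)" ;;
    esac
    # If openssl is available, parse the file for real and show the validity window.
    case $kind in
        der-crl) command -v openssl >/dev/null 2>&1 && openssl crl -inform DER -in "$body" -noout -issuer -lastupdate -nextupdate || echo "openssl could not parse the body as a DER CRL" ;;
        pem-crl) command -v openssl >/dev/null 2>&1 && openssl crl -inform PEM -in "$body" -noout -issuer -lastupdate -nextupdate || echo "openssl could not parse the body as a PEM CRL" ;;
    esac
    rm -rf "$tmp"
    [ "$status" = 200 ] && { [ "$kind" = der-crl ] || [ "$kind" = pem-crl ]; }
}

for u in "$@"; do check_crl_url "$u"; done
```

Run it once from a workstation inside your network, once from outside, and once from the SWG appliance (if curl is available there) to reproduce the a/b/c comparison in the first procedure. A "transport failure" on the appliance only points at the SWG-specific network path; an HTTP 200 with body "html" reproduces the ID 1651 case; a 3xx with an odd Location value reproduces the ID 1652 case. The nextupdate line from openssl also tells you how stale the CRL SWG is still working from would be if the fetch keeps failing.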