Overview

While having HTTPS filtering decryption enabled, some website resources are being unreachable. The warning logs show the following errors:

  HTTPS: Certificate's CA has been rejected by client 192.168.x.x, server: domain.com

The local Kerio Control certificate was successfully imported to clients' workstations. This usually affects update servers for Windows, Linux Ubuntu, Bitdefender, Kaspersky Antivirus, etc.

Solution

Client and server are communicating with each other through an encrypted SSL connection. If the communication handshake request is returned with any SSL certificate error, the Kerio Control throws "HTTPS: Certificate's CA has been rejected by client <IP>, server: <URL>" error. Debug logs with HTTP/HTTPS option enabled will report the following:

  {http_handler} [ 1363 ] HTTPS INFO: Server's certificate has been rejected by HTTPS inspector. Client 192.168.x.x, <username>, server: domain.com

It is causing web servers failure to deliver updates or other necessary data (new plugins, database signatures, etc). In order to resolve such issues, you can whitelist the servers mentioned in warning logs.

1. In Kerio Control administration navigate to IP address groups -> select preconfigured HTTPS exclusions group.
2. Click Add and paste the server URL from the Warning log, e.g. plugins.nessus.org
   
   The common update URLs are:
   
   1. nimbus.bitdefender.net
   2. changelogs.ubuntu.com
   3. ds.kaspersky.com
   4. v10.events.data.microsoft.com
   5. settings-win.data.microsoft.com
3. Save the changes.
4. Verify HTTPS filtering settings: Exclude specified traffic from decryption set equal to HTTPS exclusions.
   
   
   

Testing

Reboot the client PC and verify the connection for updates is established successfully and no longer dropping.