Two on-premises Continuity247 (rebadged R1Soft, which is Ubuntu-based) servers were on two different LANs which used a Cyberoam CR50iNG and a Sophos XG 85. Both worked absolutely fine.
The servers' networking was reconfigured and they were moved to the same, new LAN which uses a Sophos XG 210. Ever since, both can access the Internet (ping, telnet, etc.) but both fail to connect to the cloud-hosted Continuity247 system.
I confirmed that the Sophos XG 210 isn't blocking anything relevant in the firewall and isn't performing HTTPS interception.
Sophos' technical support advised contacting Continuity247's technical support.
Continuity247's technical support clarified that the Server Backup Manager does use certificates for authentication but that wouldn't have changed during the migration and advised contacting Sophos' technical support.
Executing command wget https://r1rm_prod.itsupport247.net
reports the following:
--2017-06-22 10:17:11-- https://r1rm_prod.itsupport247.net/
Resolving r1rm_prod.itsupport247.net (r1rm_prod.itsupport247.net)... 173.193.238.197
Connecting to r1rm_prod.itsupport247.net (r1rm_prod.itsupport247.net)|173.193.238.197|:443... connected.
OpenSSL: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate
Unable to establish SSL connection.
Executing command openssl s_client -connect r1rm_prod.itsupport247.net:443
reports the following:
depth=0 C = US, ST = Texas, O = R1Soft, OU = ContinuumLLC, CN = r1rm.r1soft.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, O = R1Soft, OU = ContinuumLLC, CN = r1rm.r1soft.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = US, ST = Texas, O = R1Soft, OU = ContinuumLLC, CN = r1rm.r1soft.com
verify error:num=21:unable to verify the first certificate
verify return:1
139940236781216:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42
139940236781216:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=Texas/O=R1Soft/OU=ContinuumLLC/CN=r1rm.r1soft.com
i:/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
Server certificate
-----BEGIN CERTIFICATE-----
[redacted due to potential sensitivity]
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/O=R1Soft/OU=ContinuumLLC/CN=r1rm.r1soft.com
issuer=/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
Acceptable client certificate CA names
/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
SSL handshake has read 1708 bytes and written 162 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: D4495614F968E3090AAA487E29B8779A155096502CD7158D24D96BEE5951E05C309C6568F6CF1FFC75489BC859BE8CF1
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1498205867
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
Executing another command (I didn't see what it was) reported the following:
Jun 23 09:39:06 localhost /opt/r1soft/r1ctl/bin/r1ctl[20025]: 2017/06/23 09:39:06.475657 vbox.go:143: Failed to get live config, using defaults: Get https://r1rm_prod.itsupport247.net:443/liveConfig/a56cc223-e414-4573-910a-5566a6528656: x509: certificate signed by unknown authority
Can anyone help further?
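
As an added example that is not part of the original post: a small Python helper that pulls the handshake facts out of saved `openssl s_client` output like the one quoted above, so the server-certificate verification errors, the CA named for client certificates and the received TLS alert can be read side by side. The function names and the embedded excerpt (`SAMPLE`) are assumptions made for this illustration.

```python
import re

# Excerpt of the `openssl s_client` output quoted in the post above (embedded so this runs offline).
SAMPLE = """\
depth=0 C = US, ST = Texas, O = R1Soft, OU = ContinuumLLC, CN = r1rm.r1soft.com
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate
139940236781216:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate:s3_pkt.c:1262:SSL alert number 42
Certificate chain
 0 s:/C=US/ST=Texas/O=R1Soft/OU=ContinuumLLC/CN=r1rm.r1soft.com
   i:/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
Acceptable client certificate CA names
/C=US/ST=Texas/L=Houston/O=R1Soft/OU=ContinuumLLC/CN=R1RMRootCA_GA
---
Verify return code: 21 (unable to verify the first certificate)
"""

# TLS alert descriptions from RFC 5246 that relate to certificate problems.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca"}

def cn(dn):
    """Return the CN of a DN written as 'CN = x' or '/CN=x', or None."""
    m = re.search(r"CN\s*=\s*([^/,\n]+)", dn or "")
    return m.group(1).strip() if m else None

def summarize(text, host):
    """Extract handshake facts from s_client output; performs no network access."""
    leaf = re.search(r"^\s*0 s:(.+)$", text, re.M)
    issuer = re.search(r"^\s*i:(.+)$", text, re.M)
    cas = re.search(r"^Acceptable client certificate CA names\n(.*?)^---", text, re.M | re.S)
    leaf_cn = cn(leaf.group(1)) if leaf else None
    return {
        "verify_errors": [int(n) for n in re.findall(r"verify error:num=(\d+):", text)],
        "leaf_cn": leaf_cn,
        "issuer_cn": cn(issuer.group(1)) if issuer else None,
        # CAs the server names when it requests a client certificate (mutual TLS).
        "client_cas": [cn(l) for l in cas.group(1).splitlines() if l.strip()] if cas else [],
        "alerts": [ALERTS.get(int(n), n) for n in re.findall(r"SSL alert number (\d+)", text)],
        # CN comparison only: subjectAltName entries are not printed in this output.
        "cn_matches_host": (leaf_cn or "").lower() == host.lower(),
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE, "r1rm_prod.itsupport247.net").items():
        print(f"{key}: {value}")
```
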