HTTPS Bypass (with Site Category) not working for Servers with Self-Signed Certificate
Symptoms
  • An internal Web or Application server with a self-signed certificate, accessed via HTTPS, does not work with a specific HTTPS bypass rule on which a Site Category has been defined.
  • Packet captures between the client and the server show an SSL handshake failure.
  • A debug of the WSTLSD daemon (as per sk105559) shows the repeated error "Certificate Chain is not signed by a Trusted CA".
Cause

To match an HTTPS bypass rule against a URL or Site Category, the system must extract the URL from the encrypted traffic. This is why the first connection is Inspected.

If no Site Category is defined on the bypass rule, the traffic can be matched on the SYN packet, or on the connection to the site's destination object, without any Inspection. This is normal behavior.

When a Site Category is defined, the connection is forced to be Decrypted, because the system must see the URL in order to categorize it, or to decide whether it matches a custom application.

You cannot use a Site Category in a bypass rule for an internal website or server that has no valid certificate, or whose certificate is signed by an internal certificate authority.


Solution