Blocked HTTPs error page

NethServer Version: 7
Module: webproxy web fillter

for blocked HTTPs the error page is Cert invalid error is this any way to change it blocked message as the blocked HTTP traffic

The certificate is valid but the browser can display it as invalid because it is redirected from another site.


There is no solution for it.

1 Like

What is about creating a dynamic (fake) certificate of the site which should be redirected? This method is done at the “old” transparent squid with ssl bump.

You will still have the same issue if the client doesn’t have the fake CA certificate installed.

Thus, the actual implementation has this issue only for certain sites (IIRC is something related with HSTS).


Hi Giacomo,
thanks for your answer

I think the client expects a certificate from the side you want to open, for example GMX. GMX certificate is at an online certificate server, so your browser knows this certificate. Does the browser get the difference between the fake and the original?

Why does it work with full decryption with ssl-bump?

i’m planning to make some tesst withtransparent proxy and https (and wccp2)… is this problem still present, right?
what if i use as redirect page an internal server with a valid cert (i need it to customize the error page)? if i understand correctly i wil always have the cert error right?


I can answer yes to both question, but I never encountered such problem after months of transparent ssl proxy with blocking filter :wink:

an enigmatic answer :thinking: :relaxed:
i have tried to setup the proxy and yes i’ve the cert error on HSTS sites (like facebook) but also on other https like (i must accept the cert and continue to see the block page) or others sites inserted in blacklist.
all is working as expected with http, so i don’t think it’s a problem with wccp2 which seems to work (at least at l2 then i will test with gre config)
from what I understand this problem should always be present,so the question is: why you don’t have such problem? :grin:

Probably because we have very little blocked sites, like advertising and maybe p2p.

Sometime I see the red page inside some sites where advertising banner are blocked.

Does NethServer use “Dynamic SSL Certificate Generation”?
In other distributions (using a squid), I saw that there are no certificate errors on the blocked pages.
For example, Sofos UTM Home.
Also another user of squid got the same error on block page.
Squid version 3.5.27 update helped.

continue post…
This error is reported here, resolved in squid versions 4.0.20, 3.5.26.
The NethServer uses an older version - 3.5.10.

No, current configuration doesn’t use it.

Yes, we stick with upstream releases.

I tried updating:

[root@proxy ~]# yum --enablerepo=nethserver-testing update squidLoaded plugins: changelog, fastestmirror, nethserver_events
Loading mirror speeds from cached hostfile

  • ce-base:
  • nethforge:
  • nethserver-base:
  • nethserver-updates:
    nethserver-testing/7/x86_64/signature | 836 B 00:00:00
    nethserver-testing/7/x86_64/signature | 2.9 kB 00:00:00 !!!
    No packages marked for update

But there are no other versions of squid in the test repository.
You write:

Does this mean that I can’t solve the problem (with certificate errors on the lock page), even if I update squid from other repositories?

You probably need to rebuild a newer version of squid or apply the patch to Red Hat package.
Maybe Red Hat will fix the squid packes, try to notify them opening a bug (

Ask me if you need help (I could be slow to answer during the holidays).

1 Like