Skip to main content

"515 Upstream Certificate Untrusted" error

tomalle
  • Updated
  • min read

Overview

 

The following error may be presented when visiting a HTTPS website via the Umbrella Secure Web Gateway.  This indicates that it is not possible to validate the websites' certificate.

515 Upstream Certificate Untrusted

515kba.png

 

 

 

More Information

 

Umbrella validates the digital certificate presented by websites to ensure the authenticity of the server, and to make sure the certificate is issued by a trusted source.

Certificate problems can occur for a number of reasons.  Usually when this error is shown the same website would be inaccessible (or present a warning/error page) when visited in a normal web browser without using the Umbrella SWG.  For security reasons the Umbrella Secure Web Gateway does not allow an end user to bypass a certificate error.

 

Possible Causes

 
  • Certificate not issued by a trusted root authority
    Umbrella maintain a list of root certification authorities (CAs) that are allowed to identify websites.  The certificate must be signed by one of these authorities.  Umbrella obtain the list of trusted authorities from a common source used in popular web browsers.  If you believe SWG does not yet trust a legitimate CA then please contact umbrella support.
  • Certificate hostname does not match target URL
    Certificate validation requires that the hostname(s) defined in the certificate match the intended URL that the user attempted to access (for example, the URL typed in the address bar).  Otherwise, the certificate is invalid.
  • Certificate Expired 
    The website certificate may be expired
  • Certificate Revoked
    The website certificate may have been revoked by the Root CA which could indicate it is being used fraudulently.  
  • Intermediate CA chain not presented by website
    Websites should provide a chain of certificates (including any intermediate CA) to clients so we can verify the complete chain of trust - up to a Root CA.  If this chain is not present then Umbrella may not be able to validate the certificate properly.  Some certificates use an extension called "Authority Access Information (RFC4325)" to allow the client to automatically find the Intermediate certificates.  Umbrella supports this feature, but not in all configurations .  You must ensure Umbrella File Inspection is enabled for this functionality to be possible.  Note that allowing a domain via a destination list will disable file inspection.
  • Invalid characters in hostname
    SWG is unable to perform certificate validation when the hostname contains invalid characters.  Valid characters in an internet hostname include alphabet (A-Z), digits (0-9), minus sign (-), and period (.) as defined in RFC952 / RFC 1123.  Some web browsers may allow these characters, but SWG does not support them.

 

Exceptions

 

It is possible to bypass certificate errors on an individual basis using the 'Selective Decryption' feature in Umbrella web policies.  This is only recommended when the administrator trusts the authenticity of the website.  For more information please contact Umbrella technical support.

Was this article helpful?

3 out of 3 found this helpful
Have more questions? Submit a request

Related articles