HTTPS management Certificate error: HTTPS handshake SSLv3 alert: certificate unknown

Description

GEN7 firewalls are experiencing a certificate error (HTTPS handshake SSLv3 alert: certificate unknown) on the HTTPS management page. The issue occurs even after importing a locally signed certificate, following the firmware upgrade to version 7.1.3-7015.


The steps listed immediately below are a temporary workaround; the permanent fix is explained in the Resolution section below. The workaround can be used until the Hotfix firmware upgrade window is scheduled.


Workaround:

  • Verify that a proper reboot has been performed (on both devices, if operating in an HA setup) with the correct local (imported) certificate selected.
  • Navigate to the diag page and verify the following:
     a)  TLS 1.0 is disabled
     b)  TLS 1.1 is disabled
     c)  TLS 1.2 and 1.3 are enabled
     d)  Cipher Methods = Secure ciphers
  • Check whether the local certificate and its Intermediate/Root certificates are present. If they are not:
    • Save the Root and Intermediate certificates from the local certificate by double-clicking on the certificate.
    • Follow the Certificate Export wizard with the default options (the wizard screens are listed below) and save:
      • Running the wizard
      • Selecting the format for the certificate
      • Naming the certificate
      • Selecting the path to save the certificate
      • Exporting the certificate
      • Successfully exported to the selected path
    • Import the Intermediate and Root certificates on the firewall and reboot the unit. A reboot of the unit is mandatory for the changes to take effect.

Resolution

The issue is permanently addressed by applying the Hotfix firmware (HF) for Issue ID GEN7-51903. Please note that the HF is only applicable if the issue was observed ONLY after upgrading to SonicOS 7.1.3-7015.

Please follow the steps given below:

  1. Steps to collect the required files and request the HF from the SonicWall Technical Support team.
  2. Reporting the issue to SonicWall Support.
  3. Steps to download and apply the HF firmware.
  4. Steps to follow if the HF firmware has not taken effect or has not resolved the issue.


  1. Steps to collect the required files and request the HF firmware from the SonicWall Technical Support team
     Collect the following logs and attach them to the Technical Support case:
       1. Tech Support Report
       2. Screenshot of the UI page showing the certificate error.
  2. Reporting the issue to SonicWall Support
     To report the issue to SonicWall Support, follow this article: [[How to submit a support case online at MySonicWall.com|170814110235888]]. While submitting the case, state the Issue ID GEN7-51903 in the case subject.
  3. Steps to download and apply the HF firmware
     Steps to download the HF firmware:
       1. Log in to your MySonicWall account.
       2. Navigate to Support & Resources | Manage Cases.
       3. Select the case.
       4. The Attachments section displays the current attachments for your case. Click the attachment to download the file.
     Steps to apply the HF firmware:
       1. Navigate to Device at the top of the navigation menu. Click Settings | Firmware and Settings.
       2. Click Upload Firmware and navigate to where the firmware file is stored on your local device. Click Upload.
       3. A warning message will appear reminding you to back up your current settings; click OK if you have already taken the backup.
       4. It takes a few minutes to upload the firmware to the firewall; do not navigate away from the screen during this time.
          CAUTION: It is recommended to always plan a maintenance window for firmware upgrades and take all necessary backups before starting this process.
     Booting to the new firmware (HF firmware):
       5. After uploading the firmware you will see two boot options for the uploaded firmware: Uploaded Firmware with Current Configuration and Uploaded Firmware with Factory Default Configuration.
          NOTE: Choose the option to boot with current configuration, as that only upgrades the firmware and keeps the configuration as it is. If you choose to boot with factory default configuration, you will lose your configuration and will need to access the device on the default IP 192.168.168.168 on X0, or 192.168.1.254 on MGMT for devices with an MGMT port.
       6. For whichever option you choose, select the Boot (power) icon on the far right. Once you click the boot icon, the image is first saved to flash memory and then the firewall reboots automatically.
       7. A warning message will appear asking if you want to boot. Click OK.
       8. The restart procedure takes place and the restart screen appears.
          NOTE: The firmware upgrade procedure takes between 5-8 minutes; NSa units can take approximately 12-15 minutes. While the firmware image is being saved to flash memory, internet access is still provided to the devices behind the firewall. Once the firewall restarts, the internet connection to the devices behind the firewall will be lost.
       9. Refer to the KB: https://www.sonicwall.com/support/knowledge-base/how-can-i-upgrade-sonicos-firmware/170504337655458
  4. Steps to follow if the Hotfix firmware has not resolved the issue
       1. Confirm that the firewall has indeed booted to the Hotfix firmware.
       2. Make sure the certificate is listed as "Verified".
       3. Then reset this certificate as the HTTPS management certificate (switch to "Use Self-signed Certificate" and then back to the imported certificate). No reboot or re-importing of certificate chains is needed.
       4. Contact SonicWall Support if the issue is still unresolved.
