Introduction
This document describes the causes and resolution for the "515 Upstream Certificate Untrusted" error on Secure Web Gateway (SWG).
Error Description
When accessing an HTTPS website through the Umbrella Secure Web Gateway, this error can appear:
"515 Upstream Certificate Untrusted"
This error indicates that validation of the website certificate is not possible.
Cause
Umbrella validates digital certificates presented by websites to confirm server authenticity and verify that a trusted authority has issued the certificate.
Certificate issues can result from several scenarios. When this error appears, the same website usually becomes inaccessible or displays a warning or error page in a normal web browser without Umbrella SWG. For security, the Secure Web Gateway does not permit end users to bypass certificate errors.
Common Reasons for the Error
- Certificate not issued by a trusted root authority
  Umbrella maintains a list of root certification authorities that can identify websites. The certificate must be signed by one of these authorities. Umbrella obtains this list from a common source used by major web browsers. If you determine that SWG does not trust a legitimate certificate authority, contact Umbrella support.
- Certificate hostname does not match target URL
  The hostname specified in the certificate must match the URL the user is accessing (for example, the URL typed in the address bar). If the hostname does not match, the certificate is invalid.
- Certificate expired
  The website certificate has passed its expiration date.
- Certificate revoked
  The website certificate has been revoked by the root certificate authority, potentially due to fraudulent use.
- Intermediate CA chain not presented by website
  Websites must provide a complete chain of certificates, including any intermediate certificate authorities, to allow verification up to a root certificate authority. If this chain is missing, Umbrella cannot validate the certificate. Some certificates use the Authority Information Access extension (RFC4325) to allow clients to find intermediate certificates automatically. Umbrella supports this feature, but not in all configurations. You must enable Umbrella File Inspection for this functionality.
- Invalid characters in hostname
  SWG cannot validate certificates if the hostname contains invalid characters. Valid characters in an internet hostname include alphabetic characters (A-Z), digits (0-9), minus signs (-), and periods (.) as defined in RFC952 and RFC1123. Some browsers allow other characters, but SWG does not support them.
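To triage a 515 report before opening a support case, the hostname-character, hostname-match and expiry checks above can be reproduced locally. The following script is an added example and not Umbrella or Cisco code; it works on the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns, and the sample certificate data in it is constructed, not taken from any real site.

```python
import re
import ssl

# Label rule from RFC 952 / RFC 1123: letters, digits and minus signs only,
# no leading or trailing minus sign, at most 63 characters per label.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def hostname_is_valid(hostname):
    """True if every label of the hostname uses only RFC 952/1123 characters."""
    labels = hostname.rstrip(".").split(".")
    return all(LABEL_RE.match(label) for label in labels)

def san_matches(pattern, hostname):
    """Match one dNSName SAN entry; a wildcard is honoured only in the left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == hostname

def certificate_problems(cert, hostname, now):
    """Return the reasons (from the list above) why `cert` fails for `hostname` at epoch time `now`."""
    problems = []
    if not hostname_is_valid(hostname):
        problems.append("invalid characters in hostname")
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(name, hostname) for name in names):
        problems.append("certificate hostname does not match target URL")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems

# Constructed sample certificate (hypothetical names, valid for calendar year 2024).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}
MID_2024 = ssl.cert_time_to_seconds("Jul  1 00:00:00 2024 GMT")   # inside validity
EARLY_2025 = ssl.cert_time_to_seconds("Mar  1 00:00:00 2025 GMT") # after notAfter

if __name__ == "__main__":
    for host in ("www.example.test", "v1.api.example.test", "bad_host.example.test"):
        print(host, certificate_problems(SAMPLE_CERT, host, MID_2024))
    print("expired:", certificate_problems(SAMPLE_CERT, "www.example.test", EARLY_2025))
```

Revocation and chain completeness are not covered here because getpeercert() exposes neither the CRL/OCSP status nor the intermediate certificates the server sent.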
Resolution
Umbrella Secure Web Gateway supports certificate error handling configurations. For more information and instructions to implement this feature, refer to the documentation Enable Certificate Error Handling.