A tenant is trying to use a vpn connection to her work using SSTP and certificates while going through the Microitk CCR1072-1G-8S+. We are receiving the message “a certifcates chain processed but terminated in a root certificate which is not trusted by the trusted provider”. This message is received both wireless and ethernet. When the tenant uses her IPhone or is at a coffee shop she has no issue connecting the VPN so this informs me the certificates are fine. We are running on the latest firmware 6.49.17.
Looking for some assistance on getting this resolved. Does anyone have any idea of why it would work going through a hotspot of free internet but be restricted going through the Microtik Firewall. Message attached that she gets connecting to VPN.
One possible cause of this is that some security appliance on the path between the client and the server inspects the payload of the TLS connections using a MITM techniques, i.e. it behaves as a client towards the server and presents an ad-hoc certificate signed by its own root CA to the client.
From the wording of your post it is not 100% clear to me whether the CCR is the SSTP server in the tenant’s company or whether your CCR stands on the path between the tenant’s laptop and the company SSTP server. If the latter, the reason must be something else, as RouterOS does not perform this MITM stuff. Sniffing and using Wireshark to analyse the initial TLS exchange should help find out exactly what actually happens.