we tried to connect to https://signin.amazonaws.cn/saml
this is blocked due to Unknown CA.
I Tried to figure out which is the CA we don't know. This is the path we got without ssl interception. For me this looks ok.
All certs in this path are wellknown...
I just checked this on a Web Gateway running 7.8.2 with a default config. With HTTPS Scanning enabled the site is working fine.
Maybe you can check which setting is used in the rule to check the certificate and also you can check if there is new content for the Known CAs list.
Tried to reproduce the issue on my side as well, running 22.214.171.124 with default McAfee supplied list of known CAs, but without any success.
Also double-checked the certificate path and for me this looks totally fine just as you mentioned.
Not sure what might go wrong there, looks like a strange behaviour within your policy/environment...
Hope you are doing well.
Below is the certificate being received at my end and website works fine with proxy and SSL enabled:-
Secure Sockets Layer
TLSv1.2 Record Layer: Handshake Protocol: Certificate
Content Type: Handshake (22)
Version: TLS 1.2 (0x0303)
Handshake Protocol: Certificate
Handshake Type: Certificate (11)
Certificates Length: 4854
Certificates (4854 bytes)
Certificate Length: 1422
Certificate: 3082058a30820472a0030201020210097e6b210aaf0fbca1... (id-at-commonName=*.signin.amazonaws.cn)
Certificate Length: 1101
Certificate: 3082044930820331a0030201020213067f94578587e8ac77... (id-at-commonName=Amazon,id-at-organizationalUnitName=Server CA 1B,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1174
Certificate: 308204923082037aa0030201020213067f944a2a27cdf3fa... (id-at-commonName=Amazon Root CA 1,id-at-organizationName=Amazon,id-at-countryName=US)
Certificate Length: 1145
Certificate: 308204753082035da003020102020900a70e4a4c3482b77f... (id-at-commonName=Starfield Services Root Certificate Authority ,id-at-organizationName=Starfield Technologies, Inc.,id-at-localityName=Scottsdale,id-at-stateOrProvinceName=A
I would once suggest to again check the certificate being received to MWG with SSL inspection enabled and check if certificate autheorities is present in the CA list being used in your policy.
If all look fine then you may open a case with support for further investigation.