Staff

Technical Tip: How to verify and resolve issues when FortiGate does not send the full certificate chain for web GUI or SSL VPN

Forum|Forum|1 year ago
October 1, 2024
0 replies
1936 views

Description

This article provides guidance on verifying and resolving issues where the FortiGate fails to present the full certificate chain for firewall-hosted services (like SSL VPN or the GUI) by using OpenSSL or online SSL checking tools.

Scope

FortiGate

Solution

For compliance or security policy requirements, it may be necessary for the FortiGate to present the full certificate chain when accessing a service hosted on the firewall (such as the Web GUI or SSL VPN).

It is possible to use the OpenSSL utility tools for this.
Compiled binaries for openssl on Windows are available on the Open SSL binary distribution page.

Use the following command to check the certificate chain:

openssl s_client -showcerts -connect <IP_Address>:<Port>

If the FortiGate is only presenting a single certificate instead of the full chain, the output will show only the server certificate with depth=0.

Non-working Log:

openssl s_client -connect vpn.******.com:55555 -showcerts
Connecting to 209.96.X.X
CONNECTED(000001F0)
depth=0 CN=vpn.******.com
verify error:num=20:unable to get local issuer certificate >> depth 0 indicates that the server is not providing the intermediate/Root certificate.
verify return:1
depth=0 CN=vpn.******.com
verify error:num=21:unable to verify the first certificate >> depth 0 indicates that the server is not providing the intermediate/Root certificate.
verify return:1
depth=0 CN=vpn.******.com
verify return:1

For the FortiGate to send the complete certificate chain, the intermediate certificate must be uploaded to the appliance as a CA Certificate. If the root CA certificate is not already present in the certificate store, it should also be uploaded.
Because the SSL VPN daemon does not automatically reload CA certificates after they are added, it is necessary to restart the sslvpnd process using the following command:

fnsysctl killall sslvpnd

Working Log:

openssl s_client -connect vpn.******.com:55555 -showcerts
Connecting to 209.96.X.X
CONNECTED(000001F0)
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C=CA, ST=BC, L=YVR, O=FTNT, CN=vpn.******.com
verify return:1

After restarting the daemon, the certificate chain is presented correctly and the certificate error is no longer observed.

Note: Restart the daemon during non-business hours or when no users are connected to VPN.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded