Skip to main content
gpap_FTNT
Staff & Editor
gpap_FTNT
Staff & Editor
February 23, 2021

Technical Tip: Unable to Contact FortiGuard Servers Due to an Unknown CA and 'Error: 19 (self-signed certificate in certificate chain)'

  • February 23, 2021
  • 0 replies
  • 20530 views

Description

 

This article describes how to resolve the issue where a FortiGate cannot connect to FortiGuard servers and encounters the error 'Error: 19 (self-signed certificate in certificate chain)' in the updated debug logs.

 

Scope

 

FortiGate.

 

Solution

 

  1. Enable debug commands by running the following:

 

diagnose debug reset

diagnose debug application update -1

diagnose debug console timestamp enable

diagnose debug enable

 

  1. Initiate an update query by running:

 

execute update-now

 

  1. Check the  debug output:


__upd_peer_vfy[331]-Server certificate failed verification. Error: 19 (self signed certificate in certificate chain), depth: 1, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)

upd_comm_connect_fds[476]-Failed SSL connect

upd_act_HA_contract_info[779]-Error updating FSCI -1

 

  1. Find the FortiGuard server IP address and collect the given sniffer command output when initiating an update request by running:

 

execute update-now

 

Example:

 

diagnose sniffer packet any ‘host x.x.x.x’ 6 0 l <----- Replace x.x.x.x with FortiGuard server IP address.

 

If VDOM is enabled, collect sniffer command output from the Management VDOM.

In the packet capture.

 

 
The issue is caused by another upstream unit (such as another FortiGate or 3rd party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL Handshake fails.


If the issue is caused by an upstream FortiGate, configure it to not perform a 'deep inspection' of the traffic going to the local FortiGate. Use a similar process if the problem is caused by a 3rd party unit.

If verifying that there is no upstream unit or any device that is doing the inspection, and still experiencing the issue. This might be happening because the certificate bundle is missing some Public certificates. 

 

2023-08-29 13_15_54-Clipboard.png

 

 

  1. Disable fortiguard-anycast using the below commands. Run the command 'execute update-now' and review the updated debug logs to verify if the issue persists.

config system fortiguard
    set fortiguard-anycast disable
    set port 8888
    set protocol udp
    set sdns-server-ip 208.91.112.220
end

  1. If FortiGuard Anycast is already disabled and an error like the following is seen:

 

[362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
[1063] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed

 

Try enabling fortiguard anycast option under FortiGuard system settings:

 

config system fortiguard
    set fortiguard-anycast enable 

end

 

Anycast is the default access mode for FortiGates when connecting to FortiGuard which by default utilizes HTTPS and port 443.

 

  1. Restart the Update Daemon using the command: 'fnsysctl killall updated'.
  2. Check the version of the certificate bundle using the command:


diagnose autoupdate versions

Certificate Bundle
---------
Version: 1.00051
Contract Expiry Date: n/a
Last Updated using manual update on Tue Jul 2 15:00:00 2024
Last Update Attempt: n/a
Result: Updates Installed

   

If the version is 1.00051, upgrade the certificate bundle to 1.00052 manually during a maintenance window by issuing.

 

Note:

The certificate bundle version can be different depending on the FortiOS version.

 

execute vpn certificate ca import bundle <CA bundle filename> <TFTP server IP>

 

Related article:

Technical Tip: How to import public CA certificate bundle in FortiGate 
   

The latest certificate bundle version can be requested from the Fortinet TAC department.

 

  1. Change the MTU size in the internet-facing interface.

 

config system interface
    edit <interface>
        set mtu-override enable
        set mtu <max bytes>
    next
end

 

  1. Rebooting the FortiGate can help in some cases to resolve this issue.

  2. Shut the secondary VM down. After, the primary VM will validate the license.

  3. On a standalone FortiGate, 'self-signed certificate in certificate chain' message can be observed when 'fortiguard-anycast' is disabled/enabled. In this case, a reload of the FortiOS firmware is needed to solve the problem.

 

Related articles:

Technical Tip: Unable to load FortiGuard DDNS server list

Technical Tip: Unable to connect to FortiGuard servers

Technical Tip: FortiGuard is not reachable via Anycast default method

Troubleshooting Tip: FortiGuard DDNS IP update fails

Technical Tip: How to reload FortiGate Firmware 

    Terms & ConditionsAccessibility statement