Debbie_FTNT
Staff & Editor
October 6, 2021

Troubleshooting Tip: FortiGate transparent web-proxy and certificate errors


Description
This article expands upon the transparent web-proxy configuration guide:
https://docs.fortinet.com/document/fortigate/6.4.7/administration-guide/15908/transparent-proxy


Solution
When serving as a transparent web proxy, a FortiGate might still present its own certificate to the user during authentication if authentication happens over HTTPS. This can lead to certificate errors if the FortiGate certificate is not trusted.

This usually shows up in browsers as warnings or errors about untrusted certificates or certificate issuers.

Certificates for proxy connections/captive portal are set in the CLI here:
# config user setting
    set auth-cert <server certificate>
    set auth-ca-cert <CA certificate of server certificate>
end
Certificates for transparent (web) proxy in particular, however, are specified here:
# config web-proxy global
    set ssl-cert <server certificate>
    set ssl-ca-cert <CA certificate>
    set proxy-fqdn <FQDN of FortiGate>
end
If a proxy-fqdn is defined here, the server certificate must contain the FQDN as subject and/or Subject Alternative Name.

Note:
There can be issues with Chrome or Chrome-based browsers not accepting the server certificate if it lacks a Subject Alternative Name (SAN).
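
The proxy-fqdn requirement and the SAN note above can be checked before a certificate is imported. The following is an added example, not part of the original article or any Fortinet tooling: it uses the openssl command line (1.1.1 or later, for -ext and -addext), and fgt.example.com and the generated throwaway certificates are constructed test input.

```shell
#!/usr/bin/env bash
# Added example (not from the article): pre-check a certificate before using it
# as ssl-cert. fgt.example.com and the generated certificates are constructed.

# dNSName entries of the SAN extension, one per line (empty if there is no SAN).
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Common Name of the certificate subject.
subject_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^[[:space:]]*commonName[[:space:]]*= //p'
}

# Prints "san" if the FQDN is a SAN dNSName, "cn-only" if it appears only as
# the subject CN (the case the article's note warns about for Chrome-based
# browsers), "mismatch" otherwise. Exact match only; wildcards are not expanded.
check_proxy_cert() {
    cert=$1; fqdn=$2
    if san_dns_names "$cert" | grep -qixF -- "$fqdn"; then
        echo san
    elif subject_cn "$cert" | grep -qixF -- "$fqdn"; then
        echo cn-only
    else
        echo mismatch
    fi
}

# Constructed test input: throwaway self-signed certificates.
# $1 = output file, $2 = subject CN, $3 = optional subjectAltName value.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        ${3:+-addext "subjectAltName=$3"} -keyout "$1.key" -out "$1" 2>/dev/null
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
make_test_cert "$tmp/with_san.pem" fgt.example.com "DNS:fgt.example.com,DNS:proxy.example.com"
make_test_cert "$tmp/cn_only.pem"  fgt.example.com

for c in with_san cn_only; do
    printf '%-10s %s\n' "$c:" "$(check_proxy_cert "$tmp/$c.pem" fgt.example.com)"
done
```

A cn-only result means the certificate should be reissued with the FQDN in the SAN before it is set as ssl-cert.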