Troubleshooting Tip: How to fix 'ERR_CERT_DATE_INVALID' error for deep-inspected SSL sessions after upgrade to FortiOS v7.6.3
| Description | This article describes how to fix the certificate warnings 'ERR_CERT_DATE_INVALID' noticed after upgrading to FortiOS v7.6.3 for web-browsing sessions with deep inspection enabled. |
| Scope | FortiGate v7.6.3. |
| Solution | Users may notice certificate warnings for deep-inspected sessions after the FortiOS firmware upgrade to v7.6.3. This is due to the re-signed server certificate provided by FortiGate having expired and not been renewed automatically.
From v7.6.3, the re-signed server certificate is valid for 3 days after the date on which it is re-signed. The validity period is intentionally shortened to 3 days (4 days if the re-signing day is included) for security reasons.
Workaround 1:
Step 1:
config firewall ssl setting end
Step 2:
Restart the WAD process using 'diagnose test application wad 99'.
Note: Restarting the WAD process disrupts proxy-based inspection. Users may notice some seconds of disruption.
Verification: Post workaround, once connected to a website, review the Server Certificate 'Validity Period' attribute. It should have the updated, valid Expiry Date of the issued Server Certificate from the FortiGate.
Note: Post changes, when accessing certain websites, the following error may show in the client's browser: 'You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL'.
Workaround 2: Use a Firewall policy with Flow-mode instead of Proxy-mode. |
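The Verification step above can be scripted from a client behind the deep-inspection policy. The following is an added example, not part of the original article and not Fortinet tooling: it parses the text printed by `openssl x509 -noout -issuer -dates` and reports whether the re-signed certificate is inside its validity period. The function names and the sample output are constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample (values made up) of the output of:
#   openssl s_client -connect <site>:443 -servername <site> </dev/null 2>/dev/null \
#     | openssl x509 -noout -issuer -dates
SAMPLE = """\
issuer=CN = Example-Inspection-CA
notBefore=Jun 10 08:15:00 2025 GMT
notAfter=Jun 13 08:15:00 2025 GMT
"""

def _to_utc(cert_time):
    # ssl.cert_time_to_seconds() parses the "Mon DD HH:MM:SS YYYY GMT" form openssl prints.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def check_validity(openssl_text, now):
    """Classify the presented certificate relative to 'now' (timezone-aware UTC)."""
    fields = {}
    for line in openssl_text.splitlines():
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            fields[key.strip()] = value.strip()
    missing = {"notBefore", "notAfter"} - fields.keys()
    if missing:
        raise ValueError("missing field(s): " + ", ".join(sorted(missing)))
    not_before = _to_utc(fields["notBefore"])
    not_after = _to_utc(fields["notAfter"])
    # A browser raises a certificate date error on either side of the window.
    if now < not_before:
        status = "not-yet-valid"
    elif now > not_after:
        status = "expired"
    else:
        status = "valid"
    return {
        "issuer": fields.get("issuer", ""),
        "status": status,
        # Total lifetime of the re-signed certificate, to compare with the 3 days stated above.
        "lifetime_days": (not_after - not_before).total_seconds() / 86400,
        "hours_left": (not_after - now).total_seconds() / 3600,
    }

if __name__ == "__main__":
    print(check_validity(SAMPLE, datetime.now(timezone.utc)))
```

A result of `expired` after the workaround means the client is still being served the old re-signed certificate; the `issuer` field confirms the certificate came from the inspection CA rather than the origin server.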

