CAD
New Member
February 25, 2016
Solved

Certificate issue

  • February 25, 2016
  • 2 replies
  • 33054 views

Hello,

I have an issue when opening some websites, for example yahoo.com (but not limited to it), from Chrome: I get the error below:

"The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1".

What should I do to solve this issue?

Thanks

    Best answer by Ricardo_Tomas

    Hello,

    My guess is your unit is doing SSL offload for one or more security features (IPS, application control, HTTPS inspection, antivirus, web filter or explicit proxy), using a man-in-the-middle approach. That's fine, it is the common solution.

    Some old SSL versions have been deprecated and Chrome is giving warnings about that. With time, it will start to block them, forcing a manual override.

    The problem is that the certificate the Forti unit is giving to the browser is using that old SSL version.

    To resolve it, you need to put a new one with a newer SSL version in the Forti unit and in the PCs.

    The easier path is to upgrade the Forti unit, since the newer versions have the latest SSL version, and then reuse the GPO to put the newer certificate on all PCs (no problem leaving the old one).

    One last thing: both things have to be done at the same time, since you only have the certificate after the upgrade, and you will only have clean HTTPS after the computers have the GPO with the certificate (before that, you will get a nasty "certificate not trusted" warning).

    2 replies

    emnoc
    New Member
    February 25, 2016

    What error are you getting specifically? And yahoo.com does not use a SHA-1 certificate, by the way.

    I bet you have a proxy inserted and you're getting that error/warning due to the proxy certificate.

    CAD
    CADAuthor
    New Member
    February 25, 2016

    Hello, I've mentioned the error above, between quotes. In fact it is not an error as such, only a red cross on the word HTTPS in the address bar. Yes, we have a proxy, but we use it for other purposes.

    Thanks.

    emnoc
    New Member
    February 25, 2016

    Check the website via an external site if you suspect the site is not SHA-1, e.g.:

    https://shaaaaaaaaaaaaa.com/check/

    http://sha1affected.com/

    Then check your browser and/or proxy for a rejection or warning for SHA-1.

    https://www.elie.net/blog/security/19.5-percent-of-https-sites-trigger-browser-warning-as-they-use-sha-1-signed-certificates

    I'm on Chrome 48 and it will warn with a "click" box; Firefox 44.0.2 doesn't care.

     

    Ken
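The check emnoc describes (is the SHA-1 signature on the real chain, or on the one a proxy re-signed?) and the best answer's explanation of the inspecting unit re-signing certificates can be made concrete by looking at exactly what Chrome looked at: the signatureAlgorithm OID of each non-root certificate and the leaf's notAfter year. The script below is an added example, not code from the thread or from Fortinet. It parses DER directly, so it has no dependencies; the two sample chains (a "direct" SHA-256 chain and an "inspected" chain re-signed by a hypothetical "FortiGate CA" with sha1WithRSAEncryption) are constructed in the script with dummy keys and signatures, since only the algorithm identifier and the validity dates matter for this classification. The verdict strings mirror the Chrome 41 to 55 policy from the Chromium "Gradually sunsetting SHA-1" announcement.

```python
"""Classify a certificate chain the way Chrome 41-55 did for SHA-1 signatures.
Added example: minimal DER encoder (for constructed test certs) + DER reader."""
import datetime

OID_SHA1_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption
OID_SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
OID_RSA = "1.2.840.113549.1.1.1"           # rsaEncryption (for the dummy SPKI)
OID_CN = "2.5.4.3"                         # commonName
SHA1_SIG_OIDS = {OID_SHA1_RSA, "1.2.840.10045.4.1"}   # + ecdsa-with-SHA1

# --- minimal DER encoder, only used to build the constructed sample certs ---
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")      # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                    # base-128, high bit set on all but last
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))

def der_alg(oid):      # AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }
    return der(0x30, der_oid(oid) + b"\x05\x00")

def der_name(cn):      # Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }
    return der(0x30, der(0x31, der(0x30, der_oid(OID_CN) + der(0x0C, cn.encode()))))

def der_utctime(dt):   # UTCTime "YYMMDDHHMMSSZ"
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def make_cert(subject, issuer, sig_oid, not_after):
    """Constructed X.509 v3 certificate: key and signature are dummy bytes."""
    dummy_bits = der(0x03, b"\x00" * 9)                     # BIT STRING, 0 unused bits
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))           # [0] version v3
        + der(0x02, b"\x01")                                # serialNumber
        + der_alg(sig_oid)                                  # signature (same as outer)
        + der_name(issuer)
        + der(0x30, der_utctime(datetime.datetime(2015, 1, 1)) + der_utctime(not_after))
        + der_name(subject)
        + der(0x30, der_alg(OID_RSA) + dummy_bits))         # subjectPublicKeyInfo
    return der(0x30, tbs + der_alg(sig_oid) + dummy_bits)

# --- minimal DER reader: enough to pull signatureAlgorithm and notAfter ---
def read_tlv(buf, pos):
    """(tag, content_start, content_end) of the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def children(buf, start, end):
    """Elements of a constructed value, as (tag, content_start, content_end)."""
    out, pos = [], start
    while pos < end:
        out.append(read_tlv(buf, pos))
        pos = out[-1][2]
    return out

def decode_oid(content):
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_cert(cert):
    """Return (signatureAlgorithm OID, notAfter year) from a DER-encoded certificate."""
    _, s, e = read_tlv(cert, 0)                             # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig_value = children(cert, s, e)
    oid = children(cert, sig_alg[1], sig_alg[2])[0]
    fields = children(cert, tbs[1], tbs[2])
    if fields[0][0] == 0xA0:                                # skip optional [0] version
        fields = fields[1:]
    validity = fields[3]                  # serial, signature, issuer, validity, subject, spki
    tag, vs, ve = children(cert, validity[1], validity[2])[1]   # notAfter
    text = cert[vs:ve].decode("ascii")
    if tag == 0x18:                                         # GeneralizedTime YYYY...
        year = int(text[:4])
    else:                                                   # UTCTime YY (RFC 5280 4.1.2.5.1)
        year = int(text[:2]) + (1900 if int(text[:2]) >= 50 else 2000)
    return decode_oid(cert[oid[1]:oid[2]]), year

def chrome_sha1_verdict(chain):
    """Chrome 41-55 SHA-1 policy for a leaf-first chain. The root's own
    signature is ignored (it is never verified), as Chrome did."""
    _, leaf_year = parse_cert(chain[0])
    if not any(parse_cert(c)[0] in SHA1_SIG_OIDS for c in chain[:-1]):
        return "secure"
    if leaf_year >= 2017:
        return "insecure"          # red cross over https: the symptom in the post
    if leaf_year == 2016:
        return "minor errors"      # yellow warning triangle
    return "secure"

def sample_chains():
    """Constructed data: a site's real SHA-256 chain versus the chain an
    inspecting firewall presents after re-signing the leaf with a SHA-1 CA."""
    y = datetime.datetime
    real_root = make_cert("Real Root CA", "Real Root CA", OID_SHA256_RSA, y(2030, 1, 1))
    real_leaf = make_cert("yahoo.com", "Real Root CA", OID_SHA256_RSA, y(2017, 6, 1))
    fw_root = make_cert("FortiGate CA", "FortiGate CA", OID_SHA1_RSA, y(2030, 1, 1))
    fw_leaf = make_cert("yahoo.com", "FortiGate CA", OID_SHA1_RSA, y(2017, 6, 1))
    fw_leaf_2016 = make_cert("yahoo.com", "FortiGate CA", OID_SHA1_RSA, y(2016, 12, 1))
    return {"direct": [real_leaf, real_root],
            "inspected": [fw_leaf, fw_root],
            "inspected_2016": [fw_leaf_2016, fw_root]}
```

Run `chrome_sha1_verdict()` over `sample_chains()` and only the "inspected" chain comes back "insecure": the re-signed leaf is the SHA-1 certificate, the real one never was. To apply it to a live host, export the chain as the browser sees it (for example `openssl s_client -connect host:443 -showcerts`), base64-decode each PEM block and pass the list leaf-first; doing that once from the LAN and once from outside, as emnoc suggests, shows whether the SHA-1 signature belongs to the site or to the inspecting device.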

    sgroulx
    New Member
    March 7, 2016

    If you are configured in explicit proxy, update your FortiGate to 5.2.6.

    CAD
    CADAuthor
    New Member
    March 8, 2016

    Hi,

    I do not use the explicit proxy option.

    I really need your assistance.

    Thanks

    Ricardo_Tomas
    New Member
    March 9, 2016

    (Marked as best answer; quoted in full at the top of the thread.)