52000cc
New Member
December 30, 2024
Question

License has not been validated by FortiGuard Issue

  • December 30, 2024
  • 10 replies
  • 6129 views

I'm not sure why my license suddenly shows as not being validated, with the error shown below. Could you please let me know what caused this and how to resolve it?


upd_fds_load_default_server6[1046]-Resolve and add fds update.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[457]-Trying FDS 208.184.237.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[835] ssl_ctx_create_new: SSL CTX is created
[862] ssl_new: SSL object is created
[212] ssl_add_ftgd_hostname_check: Add hostname checking 'update.fortiguard.net'...
[929] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS read server hello
[720] __ssl_info_callback: TLSv1.3 read encrypted extensions
[720] __ssl_info_callback: SSLv3/TLS read server certificate request
[362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
[1070] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed
ssl_connect_fds[391]-Failed SSL connecting (5,0,Success)
[207] __ssl_data_ctx_free: Done
[1115] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1125] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect

10 replies

akushwaha
Staff
December 30, 2024

Hi @52000cc 

If anycast is enabled in FortiGuard configuration, please make the below changes and check:

config system fortiguard
    set fortiguard-anycast disable
    set protocol udp
    set port 8888
end

Helpful article:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGuard-Update-Fail-Server-certificate/ta-p/243126
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-connect-to-FortiGuard-servers/ta-p/226149

Best Regards,
Abhimanyu

dingjerry_FTNT
Staff
December 30, 2024

Hi @52000cc ,


[929] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS read server hello
[720] __ssl_info_callback: TLSv1.3 read encrypted extensions
[720] __ssl_info_callback: SSLv3/TLS read server certificate request
[362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
[1070] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed
ssl_connect_fds[391]-Failed SSL connecting (5,0,Success)


Apparently, there is something wrong with your self-signed certificate. Please check whether you have a self-signed certificate called "fortinet-ca2"; if yes, please confirm whether it is still valid or not.

As @akushwaha has suggested, you may switch to the UDP protocol, which will not use the self-signed certificate for SSL negotiation.

52000cc (Author)
New Member
December 30, 2024

I checked; this fortinet-ca2 looks normal.

(attached screenshot: Screenshot 2024-12-30 144657.png)

dingjerry_FTNT
Staff
December 30, 2024

Please switch to UDP protocol port 8888 for a try.

kaman
Staff
December 30, 2024

Hi 52000cc,

In FortiGuard debug logs, we can see the message "Cert error 19, self-signed certificate in certificate chain. Depth 2"

The issue is caused by another upstream unit (such as another FortiGate or 3rd party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL Handshake fails.

If you have verified that there is no upstream unit or other device doing inspection and are still experiencing the issue, this might be happening because the certificate bundle is missing some public certificates.

It is possible to try to change the Fortiguard Port to 8888 and the protocol to UDP.

This can only be done after disabling 'anycast'. Use the following commands:

config system fortiguard
set fortiguard-anycast disable
set port 8888
set protocol udp
end

Note: If the issue still persists with the same error, try to enable fortiguard-anycast under 'config system fortiguard' by unsetting the other changes done such as sdns-server-ip, port, and protocol.

config system fortiguard
set fortiguard-anycast enable
end

Please refer to the below document for more information:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Failed-to-contact-FortiGuard-servers-due-to/ta-p/189678

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Unable-to-Connect-to-FortiGuard-Servers-due-to/ta-p/350611

If you have found a solution, please like and accept it to make it easily accessible to others.

Regards,
Aman

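The two causes kaman names above (an upstream device re-signing the connection, or a public CA missing from the local bundle) both surface as the same "Cert error 19 ... Depth 2" line. The following parser, an added example and not Fortinet code, pulls the FDS endpoint and the verification failure out of the debug output quoted in the question and maps it onto those causes; the log excerpt is constructed from the thread's own lines.

```python
import re

# Constructed sample, modelled on the output of
# "diagnose debug application update -1" quoted in the question. Not a live capture.
SAMPLE_LOG = """\
upd_comm_connect_fds[457]-Trying FDS 208.184.237.66:443
[212] ssl_add_ftgd_hostname_check: Add hostname checking 'update.fortiguard.net'...
[362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
[1070] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed
upd_comm_connect_fds[476]-Failed SSL connect
"""

FDS_RE = re.compile(r"Trying FDS (?P<ip>[\d.]+):(?P<port>\d+)")
VFY_RE = re.compile(
    r"Server certificate failed verification\. Error: (?P<code>\d+) \((?P<reason>[^)]*)\), "
    r"depth: (?P<depth>\d+), subject: (?P<subject>.+?)\.?$"
)

def parse_fds_debug(log: str) -> dict:
    """Extract the FDS endpoint and any certificate verification failure from the debug output."""
    result = {"fds_ip": None, "fds_port": None, "verify_error": None}
    for line in log.splitlines():
        m = FDS_RE.search(line)
        if m:
            result["fds_ip"], result["fds_port"] = m["ip"], int(m["port"])
            continue
        m = VFY_RE.search(line)
        if m:
            cn = re.search(r"/CN=([^/]+)", m["subject"])
            result["verify_error"] = {
                "code": int(m["code"]),
                "reason": m["reason"],
                "depth": int(m["depth"]),
                "subject_cn": cn.group(1) if cn else None,
            }
    return result

def classify(parsed: dict) -> str:
    """Map the failure onto the causes discussed in the thread."""
    err = parsed["verify_error"]
    if err is None:
        return "no verification failure: FortiGuard TLS handshake looks healthy"
    if err["code"] == 19 and err["depth"] > 0:
        # Error 19 above depth 0 means the chain's root is not in the trust store:
        # either an upstream device re-signs the connection, or the local CA bundle is stale.
        return ("untrusted chain root at depth %d (CN=%s): check for upstream TLS inspection "
                "of update.fortiguard.net, then for a missing public CA in the bundle"
                % (err["depth"], err["subject_cn"]))
    return "certificate verify failed with error %d (%s)" % (err["code"], err["reason"])
```

Run it over the full output of the debug commands on the device; a healthy run returns no verification failure.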

52000cc (Author)
New Member
December 30, 2024

I have set it up like this; the license is validated, but the log continuously shows the certificate error.

config system fortiguard
set fortiguard-anycast enable
end

(attached screenshot: Screenshot 2024-12-30 163716.png)

kaman
Staff
December 30, 2024

Hi 52000cc,

In the upstream, there is a third-party firewall enabling SSL deep inspection, which causes the FortiGuard update certificate error. The solution is to add an exemption in the upstream firewall for FortiGuard FQDN.

Please refer to the below document for more information:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGuard-connection-fails-Self-signed/ta-p/335943

If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

52000cc (Author)
New Member
December 30, 2024

The upstream is the ISP, so they shouldn't be blocking client access, right? Could it be that my security configuration with certificates inspection is causing the blockage?

kaman
Staff
December 30, 2024

Hi 52000cc,

As you informed us, after enabling fortiguard-anycast the license is validated.

Please run the FortiGuard debug logs again and attach them here once:

diagnose debug application update -1
diagnose debug enable
execute update-now

Regards,
Aman

52000cc (Author)
New Member
December 31, 2024

The FortiGuard debug shows normal now, and the SSL errors in the log have also been resolved.

Why is it necessary to enable FortiGuard-anycast? I had it disabled before, and everything was working fine. Could there be any other impacts?

kaman
Staff
December 31, 2024

Hi 52000cc,

It’s nice to hear that the issue has been resolved.

Please note that if you have verified that there is no upstream unit or other device doing inspection and are still experiencing the issue, this might be happening because the certificate bundle is missing some public certificates.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Failed-to-contact-FortiGuard-servers-due-to/ta-p/189678

By default, fortiguard-anycast is enabled to optimize the routing performance to FortiGuard servers.
Relying on Fortinet DNS servers, the FortiGate will get a single IP address for the domain name of each FortiGuard service. BGP routing optimization is transparent to the FortiGate.

Note: HTTPS/443 is only supported on anycast servers.

Please refer to the below documents for more information:

https://docs.fortinet.com/document/fortigate/6.2.16/cookbook/734277/fortiguard-third-party-ssl-validation-and-anycast-support#:~:text=You%20can%20enable%20anycast%20to,is%20transparent%20to%20the%20FortiGate.

https://docs.fortinet.com/document/fortigate/6.4.0/new-features/925541/use-anycast-to-communicate-with-fortiguard-servers

If you have found a solution, please like and accept it to make it easily accessible to others.

Regards,
Aman