jerem42
New Member
May 31, 2020
Solved

Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2020

  • May 31, 2020
  • 3 replies
  • 113345 views

Hi, I have a FortiGate 50E running v6.2.4build1112. The following issue occurs with different browsers (FF, Chrome, Safari) and also on different platforms (Win, OSX, iOS, Android).

For the last 24h I have suddenly started receiving certificate errors on various websites which have worked flawlessly before. I get the typical HTTPS warning in my browser (e.g. "Your connection is not private" in Chrome) and the exact error message is "NET::ERR_CERT_AUTHORITY_INVALID". Interestingly, if I look at the certificate details it shows "Fortinet Untrusted CA" as the issuer. If I access these sites via mobile data these pages work fine and also the issuer is shown as a known institution (in all cases noticed so far it's "Sectigo").

In the SSL logs I see "blocked" actions for the respective website:

Message: Server certificate blocked
Reason: block-cert-invalid
Type: utm
Sub Type: ssl
Event Type: ssl-anomalies

These actions are triggered by the standard FortiGate pre-configured SSL/SSH Inspection profile "certificate-inspection" (SSL handshake inspection). Any ideas what could be the reason for this sudden new behavior or how I could troubleshoot? Thanks in advance for any help!

Best answer by emnoc

To repeat what was said earlier:

"The problem is that those websites have an expired certificate in their chain (expired on May 30)."

Use SSL Labs to verify the cert on the web server. If the cert is expired, nothing you can do can get past that issue. It does NOT matter that you have the cert of the CAs or webserver.

https://www.ssllabs.com/ssltest/

If you would like to paste the name of the site we would gladly check for you.

Ken Felix

3 replies

jerem42 (Author)
New Member
May 31, 2020

Seems to me this is related to the "Sectigo AddTrust External CA Root" expiring yesterday May 30, 2020 https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020

 

Will there be an update for this or how could I resolve this? Thanks

aleilmago
New Member
May 31, 2020

Hello.

 

In my opinion, there are two ways:

  • disable SSL Inspection
  • wait until all the websites replace the expired certificate

Read this:

https://sectigo.com/resou...-what-you-need-to-know

It seems that modern web browsers are not affected by this expired certificate, but FortiGate SSL Inspection doesn't like it (and it's probably right, because it's an expired certificate).

Best.

Alessandro

emnoc
New Member
May 31, 2020

Re-issuing the certificates for the website is the fix. The browsers are probably caching the SSL cert chain. If you use incognito, curl, or gnutls, you will probably see the error much more clearly.

Ken Felix

sysinit
New Member
June 2, 2020

Hi!

I am new to Fortinet, but with other vendors you simply delete or at least deactivate the expired root certificate from the firewall, so that another certificate chain path is chosen. But on my FortiGate, I can only see a very short list of locally installed certificates, so I am not sure if there is any possibility at all to influence the used root certificates.

Kind regards,

Daniel

sysinit
New Member
June 5, 2020

Hi!

These certificates are signed by an intermediate CA that is itself signed by multiple root CAs: one really old one ("AddTrust External CA Root", the one that has expired) to be compatible with old devices, and a current one ("USERTrust RSA Certification Authority"), known by up-to-date devices. So the "solution" to this problem is to discard the really old CA and instead use the certification path to the current root CA, which is perfectly fine. This is what browsers do and what is possible with other firewall vendors.

Best regards,

Daniel

lakshman
New Member
June 3, 2020

This issue is happening in 6.2.x versions. Untrusted SSL certs are blocked by default. Try to create a new SSL inspection policy where you can exempt the website temporarily, or allow an untrusted SSL certificate in the GUI.

If I am wrong - correct me

mcdaniels
New Member
June 3, 2020

Hi,

well, I did not get the point. In my opinion this is a problem of an outdated certificate in the cert chain of some websites (using Sectigo's legacy AddTrust External CA Root certificate).

I may be wrong, because I am no expert in this, but the FortiGate reacts correctly to this issue, as far as I understand.

Outdated cert -> security issue -> block

For example, if you test: https://www.ssllabs.com/ssltest/analyze.html?d=www.post.at

you can see the outdated cert.

The only way to resolve this issue at the moment is to switch to flow mode, or allow invalid SSL certificates in the SSL/SSH protection profiles.

aleilmago
New Member
June 4, 2020

Hi.

I agree with mcdaniels.

FortiGate reacts correctly to this issue, because that certificate is expired.

In my opinion it's not useful to check certificates and then also permit the expired ones...

Best.

Alessandro