Description | This article describes how to resolve the 'CERTIFICATE_VERIFY_FAILED' error when connecting to Azure using PowerShell, which occurs when the traffic matches a policy with deep packet inspection enabled. |
Scope | All FortiGate/FortiProxy versions. |
Solution |
The traffic is passing through the following policy, where deep packet inspection is enabled.
set name "Internet_traffic"
When deep packet inspection is enabled, it shows the following error while connecting to Azure using PowerShell. This error does not appear when certificate inspection is enabled in the policy.
PS C:\Users\Fortinet> az login
ERROR: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate in certificate chain (_ssl.c:1000)
The error 'SSL: certificate_verify_failed' occurs because when deep packet inspection is enabled, FortiGate intercepts the SSL handshake and dynamically replaces the server certificate with a self-generated server certificate. This certificate is very similar to the original server certificate but is signed by the Certificate Authority (CA) on FortiGate. By default, FortiGate uses an in-built, unique Fortinet_CA_SSL certificate to sign the replaced server certificate. Because this CA is not in the CA bundle that the Azure CLI uses, the client cannot validate the chain and reports a self-signed certificate in it.
To resolve the issue, the Fortinet_CA_SSL certificate needs to be installed in the client's CA certificate store. In this case, open the Fortinet_CA_SSL certificate file in any text editor, copy its content, and append it to the cacert.pem file at the following location on Windows.
Windows 32-bit: 'C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem'.
Windows 64-bit: 'C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem'.
For more information and details on other operating systems, refer to Troubleshooting Azure CLI.
Once the certificate is added, it will be possible to sign in.
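The append step above can be scripted so that the bundle is only changed after the exported file has been checked. The following is an added example, not Fortinet's or Microsoft's own code: the `-CaFile` default path and the `-ExpectedThumbprint` parameter are assumptions, with the thumbprint taken from the certificate details on the FortiGate, and the session must be elevated to write under Program Files.

```powershell
param(
    # Assumed location of the CA certificate exported from FortiGate (PEM/Base64).
    [string]$CaFile = "$env:USERPROFILE\Downloads\Fortinet_CA_SSL.cer",
    # 64-bit path from the article; pass the 32-bit path on 32-bit installs.
    [string]$Bundle = 'C:\Program Files\Microsoft SDKs\Azure\CLI2\Lib\site-packages\certifi\cacert.pem',
    # SHA-1 thumbprint read from the FortiGate, to confirm the file is the expected CA.
    [Parameter(Mandatory)][string]$ExpectedThumbprint
)
$ErrorActionPreference = 'Stop'
$pemPattern = '-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----'

# 1. The exported file must contain a PEM certificate block.
$m = [regex]::Match((Get-Content -LiteralPath $CaFile -Raw), $pemPattern)
if (-not $m.Success) { throw "$CaFile is not PEM encoded; export it as Base64/PEM first." }
$caB64 = $m.Groups[1].Value -replace '\s', ''
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
    [byte[]][Convert]::FromBase64String($caB64))

# 2. Trusting this CA lets it sign for any site, so confirm it is the intended one.
$want = $ExpectedThumbprint -replace '[^0-9A-Fa-f]', ''
if ($ca.Thumbprint -ne $want) {
    throw "Thumbprint mismatch: file has $($ca.Thumbprint), expected $want."
}
$bc = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) { throw 'Certificate is not a CA certificate.' }

# 3. Skip the append if the same certificate is already in the bundle.
$present = [regex]::Matches((Get-Content -LiteralPath $Bundle -Raw), $pemPattern) |
    Where-Object { ($_.Groups[1].Value -replace '\s', '') -eq $caB64 }
if ($present) { Write-Output 'CA already present in cacert.pem; nothing to do.'; return }

# 4. Keep a timestamped backup, then append the PEM block with a comment line.
Copy-Item -LiteralPath $Bundle -Destination "$Bundle.bak-$(Get-Date -Format yyyyMMddHHmmss)"
$block = "`n# Fortinet_CA_SSL (FortiGate deep inspection CA), SHA-1 $($ca.Thumbprint)`n" +
         $m.Value + "`n"
Add-Content -LiteralPath $Bundle -Value $block -Encoding Ascii -NoNewline
Write-Output "Appended '$($ca.Subject)' to $Bundle"
```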
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.