To provide more background, the issue started in the early hours of September 30th due to the expiry of the "DST Root CA X3" root CA certificate, after which certificate warnings were observed in end users' browsers. The blog explains the issue in more detail:
https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates
To address this issue, Fortinet prepared a Certificate Bundle update that removes the legacy root CA certificate from the FortiGate system. If your FortiGate has not yet received this update, run the command below.
#execute update-now
Verify that the certificate bundle has been updated by running the following command:
#diagnose autoupdate versions
Certificate Bundle
---------
Version: 1.00028 <<<<<<< 1.00028 is the required Certificate Bundle.
Contract Expiry Date: n/a
Last Updated using manual update on Thu Sep 30 17:00:00 2021
Last Update Attempt: n/a
Result: Updates Installed
You may already have been provided with a few workaround options to avoid certificate warnings:
1. Firewall policies were switched to flow-based inspection.
2. A clone of the certificate inspection profile was created to allow invalid/expired certificates.
You may now want to revert the changes made to those firewall policies and use flow-based deep inspection, proxy-based certificate inspection, or proxy-based deep inspection profiles to secure HTTPS communications.
To do so, follow the instructions below.
1. Ensure the firewall policy configuration is reverted to the previously desired inspection mode and SSL/SSH inspection profile.
2. As part of certificate chain validation, FortiGate contacts the IdenTrust server to download the expired "DST Root CA X3" root CA certificate in the certificate chain.
With the removal of the expired IdenTrust DST Root CA X3 in Certificate Bundle version 1.28, fallback to the expired root CA can be prevented by blocking FortiGate access to apps.identrust.com, so that the correct root CA is used.
This can be achieved either by DNS blackholing or by an FQDN policy that blocks access to apps.identrust.com.
config system dns-database
Note: If apps.identrust.com removes or stops sending this expired certificate, the above dns-database configuration is no longer needed.
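The following FortiOS CLI configuration is an added example of the DNS blackhole approach described above; it is not taken from the original article or from Fortinet's own configuration guidance. The zone name "identrust-blackhole", the entry ID and the loopback address 127.0.0.1 used as the blackhole target are assumptions, and the "shadow" view is assumed here to keep the zone internal to the FortiGate's own resolver rather than publishing it to clients that use the FortiGate as a DNS server; verify both behaviours on your FortiOS version before relying on them.

```fortios
# Added example, not from the original article. A DNS database zone that
# resolves apps.identrust.com to a blackhole address so the FortiGate cannot
# download the expired "DST Root CA X3" certificate while building the chain.
# Assumed values: zone name "identrust-blackhole", entry ID 1, target 127.0.0.1.
config system dns-database
    edit "identrust-blackhole"
        set domain "identrust.com"
        set type master
        # "shadow" (assumed) keeps the zone for the FortiGate's own lookups only;
        # "public" would also hand the blackhole answer to DNS clients behind it.
        set view shadow
        set ttl 86400
        set authoritative enable
        config dns-entry
            edit 1
                set status enable
                set type A
                set ttl 0
                set hostname "apps"
                set ip 127.0.0.1
            next
        end
    next
end

# Check: the FortiGate's own resolver should now report the blackhole address.
execute ping apps.identrust.com
```

After applying the zone, re-test an HTTPS site whose chain still carries the cross-signed certificate through one of the restored inspection profiles; if a warning persists, the cached validation result may be the cause, which the cache-clearing commands later in this article address.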
In a few corner cases, the IPS engine and the WAD daemon may cache the previous certificate validation results and still report certificate warnings to end users when they access websites.
To fix those errors, the cached results must be cleared by running the following commands.
IMPORTANT:
Running the commands below to clear the cached certificate validation results during production hours may cause the sessions handled by WAD to terminate abruptly, and end users will experience timeouts.
We highly recommend running these commands during non-business hours.
#diag ips share clear cert_verify_cache > (when the firewall policy is in flow mode) - Not business impacting
#diagnose test application wad 99 > (when the firewall policy is in proxy mode) - Expect sessions handled by WAD to terminate abruptly.
If you have any questions or concerns, please feel free to contact Fortinet Technical support.
https://www.fortinet.com/support/contact