vpalli
Staff & Editor
Article Id 198419

Description


This article describes the issue relating to an expired root CA certificate provided by the third-party Certificate Authority Let's Encrypt, which Fortinet is aware of and has investigated. Fortinet has provided a temporary workaround and is working on a longer-term solution to address this edge case directly within Fortinet products. For more detail, please visit the latest blog.

To provide more background, the issue started in the early hours of September 30th with the expiry of the "DST Root CA X3" root CA certificate, after which certificate warnings were observed in end users' browsers. The blog explains the issue in more detail: https://www.fortinet.com/blog/psirt-blogs/fortinet-and-expiring-lets-encrypt-certificates

 

Scope

FortiGate.


Solution


To address the issue, Fortinet prepared a Certificate Bundle update that removes the legacy root CA certificate from the FortiGate system. If the firewall has not yet received this update, execute the command below:

execute update-now


Verify that the certificate bundle is updated by executing the command diagnose autoupdate versions. The relevant part of the output looks like this:

diagnose autoupdate versions

Certificate Bundle
---------
Version: 1.00028 <<<<<<< 1.00028 is the required Certificate Bundle.
Contract Expiry Date: n/a
Last Updated using manual update on Thu Sep 30 17:00:00 2021
Last Update Attempt: n/a
Result: Updates Installed


There are a few workaround options to avoid running into certificate warnings.

  • Change the inspection mode of the affected firewall policies to flow-based inspection.
  • Create a clone of the certificate inspection profile that allows invalid/expired certificates.


The user may later want to revert the changes made to those firewall policies and return to flow-based deep inspection, proxy-based certificate inspection, or proxy-based deep inspection profiles to secure HTTPS communications.

To achieve this, follow the instructions below.

  • Ensure the firewall policy configuration is reverted to the previously desired inspection mode and SSL/SSH inspection profile.
  • Be aware that, as part of certificate chain validation, FortiGate contacts the IdenTrust server to download the expired 'DST Root CA X3' root CA certificate in the certificate chain.


With the removal of the expired IdenTrust DST Root CA X3 in Certificate Bundle version 1.28, fallback to the expired root CA can be prevented by blocking FortiGate access to apps.identrust.com, so that the correct root CA is used.

This can be achieved either with DNS blackholing or with an FQDN policy that blocks access to apps.identrust.com. The dns-database entry below implements the DNS blackhole.


config system dns-database
    edit "1"
        set domain "identrust.com"
        config dns-entry
            edit 1
                set hostname "apps"
                set ip 127.0.0.1
            next
        end
    next
end


Note:

If apps.identrust.com removes or stops serving the expired certificate, the above dns-database configuration will no longer be needed.
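To illustrate why removing the expired root from the bundle and blocking the IdenTrust download together restore validation, here is an added example (not Fortinet code, and not how FortiGate implements validation internally): a simplified Python model of certificate path building run against a constructed Let's Encrypt chain. The hostname, the R3 intermediate name and the expiry dates are illustrative stand-ins, and no keys or signatures are checked.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # expiry (UTC)

# Constructed stand-ins for a Let's Encrypt chain as served in October 2021 (no keys/signatures).
DST_EXPIRY = datetime(2021, 9, 30, 14, 1, 15)  # DST Root CA X3 expiry that triggered the warnings
LEAF = Cert("www.example.com", "R3", datetime(2021, 12, 15))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
ISRG_SELF = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))      # self-signed root
ISRG_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30))  # cross-signed by DST
DST = Cert("DST Root CA X3", "DST Root CA X3", DST_EXPIRY)                  # the expired legacy root
SERVER_CHAIN = [LEAF, R3, ISRG_CROSS]

def validate(chain, trust_store, aia_fetch, now):
    """Simplified path builder modelling the behaviour the article describes: follow issuers from
    the supplied chain, then an AIA download, then the trust store, accepting only a path that ends
    at an unexpired trust anchor.  At a dead end, fall back to a trust anchor carrying the current
    certificate's own subject (the self-signed ISRG Root X1 here).  Returns (ok, path_subjects)."""
    anchors = {c.subject: c for c in trust_store}
    supplied = {c.subject: c for c in chain[1:]}
    path = [chain[0]]
    while True:
        cur = path[-1]
        subjects = [c.subject for c in path]
        if now > cur.not_after:                  # an expired certificate anywhere breaks the path
            return False, subjects
        if cur.subject == cur.issuer:            # self-signed: valid only if it is a trust anchor
            return cur.subject in anchors, subjects
        nxt = supplied.get(cur.issuer) or aia_fetch.get(cur.issuer) or anchors.get(cur.issuer)
        if nxt is None:                          # dead end: try the trusted copy of this subject
            alt = anchors.get(cur.subject)
            ok = alt is not None and now <= alt.not_after
            return ok, subjects[:-1] + [alt.subject if ok else cur.subject]
        path.append(nxt)

NOW = datetime(2021, 10, 1)            # after the DST Root CA X3 expiry
BEFORE_EXPIRY = datetime(2021, 9, 29)
LEGACY_BUNDLE = [DST, ISRG_SELF]       # bundle before 1.00028: expired root still present
UPDATED_BUNDLE = [ISRG_SELF]           # bundle 1.00028: DST Root CA X3 removed
IDENTRUST_FETCH = {DST.subject: DST}   # what the apps.identrust.com download supplies when allowed
if __name__ == "__main__":
    print(validate(SERVER_CHAIN, LEGACY_BUNDLE, {}, BEFORE_EXPIRY))       # ok via DST (pre-expiry)
    print(validate(SERVER_CHAIN, LEGACY_BUNDLE, {}, NOW))                 # fails: expired DST root
    print(validate(SERVER_CHAIN, UPDATED_BUNDLE, IDENTRUST_FETCH, NOW))   # fails: DST downloaded
    print(validate(SERVER_CHAIN, UPDATED_BUNDLE, {}, NOW))                # ok: anchors on ISRG Root X1
```

The third call shows why the bundle update alone is not enough while apps.identrust.com is still reachable; the fourth shows the path ending at the self-signed ISRG Root X1 once the download is blocked.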


In a few corner cases, the IPS engine and WAD daemon may cache the previous certificate validation results and still report certificate warnings to end users when they access websites.

To fix those errors, the cached results must be cleared by executing the following commands.

Important:

Executing the commands below to clear the cached certificate validation results during production hours may cause the sessions handled by WAD to terminate abruptly, and end users will experience timeouts. It is highly recommended to execute these commands during non-business hours:

diagnose ips share clear cert_verify_cache    <----- when the firewall policy is in flow mode; not business impacting.

diagnose test application wad 99    <----- when the firewall policy is in proxy mode; expect sessions handled by WAD to terminate abruptly.


Update Regarding Let's Encrypt Expiration Notifications:

Let’s Encrypt has announced that it will no longer send email reminders for expiring certificates. As a result, FortiGate administrators using these notifications will need to manually monitor certificate expirations or use third-party tools for tracking. For more information, refer to Ending Support for Expiration Notification Emails.


For any questions or concerns, please feel free to contact Fortinet Technical support.

https://www.fortinet.com/support/contact