FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article provides some basic troubleshooting steps when an administrator detects a failure on contacting Fortiguard Servers, where local FotiGate does not have direct access to the internet.
While the connection is troubleshot:
# diag debug application update -1
# diag debug enable
# exec update-now
Notice the following output:
[357] __ssl_crl_verify_cb: Cert error 20, unable to get local issuer certificate. Depth 0
__upd_peer_vfy[331]-Server certificate failed verification. Error: 20 (unable to get local issuer certificate), depth: 0, subject: .
[967] ssl_connect: SSL_connect failes: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)
In the packet capture:

That is because another upstream unit (FortGate or 3rd party firewall) is replacing the certificate of the connection which is unknown to the local FortiGate resulting in SSL Handshake failure.

In that case, the upstream unit should not perform 'deep inspection' in that traffic (in case of using FortiGate) or a similar process if using a 3rd party unit.