Description
This article describes how to resolve the issue where a FortiGate cannot connect to FortiGuard servers and encounters the error 'Error: 19 (self-signed certificate in certificate chain)' in the updated debug logs.
Scope
FortiGate.
Solution
- Enable debug commands by running the following:
diagnose debug reset
diagnose debug application update -1
diagnose debug console timestamp enable
diagnose debug enable
- Initiate an update query by running:
execute update-now
- Check the debug output:
__upd_peer_vfy[331]-Server certificate failed verification. Error: 19 (self signed certificate in certificate chain), depth: 1, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.
ssl_connect_fds[389]-Failed SSL connecting (5,0,Success)
upd_comm_connect_fds[476]-Failed SSL connect
upd_act_HA_contract_info[779]-Error updating FSCI -1
- Find the FortiGuard server IP address and collect the given sniffer command output when initiating an update request by running:
execute update-now
Example:
diag sniffer packet any ‘host x.x.x.x’ 6 0 l <----- Replace x.x.x.x with FortiGuard server IP address.
If VDOM is enabled, collect sniffer command output from Management VDOM.
In the packet capture.
The issue is caused by another upstream unit (such as another FortiGate or 3rd party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL Handshake fails.
If the issue is caused by an upstream FortiGate, configure it to not perform a 'deep inspection' of the traffic going to the local FortiGate. Use a similar process if the problem is caused by a 3rd party unit.
If verifying that there is no upstream unit or any device that is doing the inspection and still experiencing the issue. This might be happening because the certificate bundle is missing some Public certificates.
- Disable fortiguard-anycast using the below commands. Run the command 'execute update-now' and review the updated debug logs to verify if the issue persists.
config system fortiguard
set fortiguard-anycast disable
set port 8888
set protocol udp
set sdns-server-ip 208.91.112.220
end
- If FortiGuard Anycast is already disabled, try enabling it with the following command and verify the outcome.
config system fortiguard
set fortiguard-anycast enable
end
- Restart the Update Daemon using the command 'fnsysctl killall updated'.
- Check the version of the certificate bundle:
Certificate Bundle
---------
Version: 1.00051
Contract Expiry Date: n/a
Last Updated using manual update on Tue Jul 2 15:00:00 2024
Last Update Attempt: n/a
Result: Updates Installed
If the version is 1.00051, upgrade the certificate bundle to 1.00052 manually during a maintenance window by issuing:
execute vpn certificate ca import bundle <CA bundle filename> <TFTP server IP>
Related article:
Technical Tip: How to import public CA certificate bundle in FortiGate
The certificate bundle 1.00052 can be requested from the Fortinet TAC department.
- Rebooting the FortiGate helps to resolve this issue.
Related articles:
Technical Tip: Unable to load FortiGuard DDNS server list
Technical Tip: Unable to connect to FortiGuard servers
Technical Tip: FortiGuard is not reachable via Anycast default method
