When navigating to the FortiGuard page on the FortiGate GUI, the 'fortiguard-anycast' setting is automatically disabled.
However, no event is logged in the System events to indicate this change.
config system fortiguard
    set fortiguard-anycast disable
Errors related to failed certificate verification are then observed in both the 'updated' daemon debugs and the System Events log, as shown below. These errors occur only while 'fortiguard-anycast' is disabled.
The issue can be worked around temporarily by enabling 'fortiguard-anycast' again, but because of this bug it recurs each time the FortiGuard page is opened in the FortiGate GUI.
The failing FortiGuard connection can be verified with the debug command 'diagnose debug rating':

Debugs:
2024-11-06 12:16:38 [362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
2024-11-06 12:16:38 [1421] SSL_dump_handshake_err: Certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
2024-11-06 12:16:38 [1063] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed
2024-11-06 12:16:38 [870] tcps_connect: 173.243.138.76:443 -- ret -1, state 0x7(Failed) -> 0x7(Failed)
2024-11-06 12:16:38 [877] tcps_connect: tcps_connect failed: ssl_connect() failed: 0 (error:00000000:lib(0)::reason(0))
2024-11-06 12:16:38 [501] fds_https_connect: https_connect(173.243.138.76:443) failed: ssl_connect() failed: 0 (error:00000000:lib(0)::reason(0)).
2024-11-06 12:16:38 [667] fds_https_stop_server: 173.243.138.76:443
System Events:
date=2024-11-06 time=12:16:47 eventtime=1730870206122770022 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="self-signed certificate in certificate chain" action="info" status="failure" msg="Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com"
date=2024-11-06 time=12:16:38 eventtime=1730870198817422451 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="self-signed certificate in certificate chain" action="info" status="failure" msg="Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com"
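Because the setting change itself leaves no System event, the only log evidence is the logid 0100038410 failure above. The following added example (not part of this article or of FortiOS) parses FortiGate key=value event records and a configuration backup, and correlates 'fortiguard-anycast disable' with those certificate failures; the sample records and the placeholder logid of the control record are constructed.

```python
import re

# Constructed samples modelled on the page's output: the first record has the real
# "SSL connection failed" shape; the second is a control record with a placeholder logid.
SAMPLE_EVENTS = '''\
date=2024-11-06 time=12:16:38 eventtime=1730870198817422451 tz="+0700" logid="0100038410" type="event" subtype="system" level="information" vd="root" logdesc="SSL connection failed" dstip=N/A dstport=N/A reason="self-signed certificate in certificate chain" action="info" status="failure" msg="Certificate is invalid, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com"
date=2024-11-06 time=12:20:01 eventtime=1730870401000000000 tz="+0700" logid="0000000000" type="event" subtype="system" level="information" vd="root" logdesc="Constructed control event" action="info" status="success" msg="not an SSL failure"
'''
SAMPLE_CONFIG = '''\
config system fortiguard
    set fortiguard-anycast disable
end
'''
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> dict:
    """Split one FortiGate key=value record; quoted values may contain spaces and '='."""
    return {k: q if q else u for k, q, u in KV_RE.findall(line)}

def fortiguard_cert_failures(events_text: str) -> list:
    """Records with logid 0100038410 and the self-signed-chain reason seen on the page."""
    hits = []
    for line in filter(None, events_text.splitlines()):
        ev = parse_event(line)
        if (ev.get("logid") == "0100038410"
                and ev.get("logdesc") == "SSL connection failed"
                and "self-signed certificate in certificate chain" in ev.get("reason", "")):
            hits.append(ev)
    return hits

def anycast_disabled(config_text: str) -> bool:
    """True if the 'config system fortiguard' block sets fortiguard-anycast to disable."""
    in_block = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config system fortiguard":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line == "set fortiguard-anycast disable":
            return True
    return False

def assess(config_text: str, events_text: str) -> dict:
    """Correlate the silently changed setting with the certificate failures it causes."""
    disabled = anycast_disabled(config_text)
    failures = fortiguard_cert_failures(events_text)
    return {"anycast_disabled": disabled,
            "cert_failure_count": len(failures),
            "matches_known_issue": disabled and bool(failures)}
```

Feed it a config backup (or 'show full-configuration' output) and an export of the System Events log; a result with matches_known_issue set is the signature this article describes.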
This issue has been resolved in versions:
- v7.4.6 and above (available on Fortinet Support Portal).
- v7.6.2 and above (available on Fortinet Support Portal).
Logs required by FortiGate TAC for investigation:
- Debugs:
diagnose debug application updated -1
diagnose debug console timestamp enable
diagnose debug enable
<reproduce the issue>
diagnose debug reset
- TAC Report:
execute tac report
- Configuration file of the FortiGate.
- Fortinet Support Tool data (see Troubleshooting Tip: Collect GUI slowness and errors debugs via Fortinet Support Tool).