FortiGate
Ylli_Seitaj
Staff
Article Id 423346
Description This article describes how to fix the certificate error received for traffic processed by a VIP when no inspection is configured in the firewall policy.
Scope FortiOS
Solution

There are cases where the certificate error 'NET::ERR_CERT_AUTHORITY_INVALID' is returned to the client for traffic processed by a VIP, even though the traffic matches a firewall policy with no inspection configured.

The configuration of the firewall policy and of the VIP on the FortiGate is as follows:

config firewall policy
    edit <ID_of_the_firewall_policy>
        set srcintf <interface_name>
        set dstintf <interface_name>
        set action accept
        set srcaddr <source_address>
        set dstaddr <VIP_1>
        set schedule "always"
        set service "tcp-8080"
        set inspection-mode proxy
        set ssl-ssh-profile "no-inspection"
        set logtraffic all
    next
end

config firewall vip
    edit "VIP_1"
        set type server-load-balance
        set server-type http
        set extip <external_ip>
        set extintf "any"
        set extport 8080
        config realservers
            edit 1
                set ip <IP_address>
                set port 8080
                set healthcheck enable
                set monitor <health_check_name>
            next
        end
    next
end


This issue occurs when the processed traffic does not match the server-type configured in the VIP. For example, if plain TCP traffic is processed by a VIP whose server-type is 'http', the session is handled by the FortiGate proxy at the HTTP layer instead of being forwarded as an unchanged TCP stream, and the client receives the certificate error 'NET::ERR_CERT_AUTHORITY_INVALID'.

This can happen when the configuration file was not converted correctly during a firmware upgrade, or because of a misconfiguration.


To fix this issue, change the server-type from 'http' to 'tcp' with the following commands:

config firewall vip
    edit "VIP_1"
        set server-type tcp
    next
end
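To find every VIP affected by this mismatch at once, for example after a firmware upgrade, the following Python script (an added example, not part of this article or of FortiOS) parses a FortiOS configuration backup and reports server-load-balance VIPs with server-type http that are reached through a policy with no SSL inspection. The configuration excerpt, VIP names and policy IDs are constructed; the parser only reads top-level 'config / edit / set' entries and skips nested sub-tables such as 'config realservers'.

```python
import re

# Constructed FortiOS excerpt (hypothetical names): VIP_1 has the article's mismatch.
SAMPLE_CONFIG = """config firewall vip
    edit "VIP_1"
        set server-type http
    next
    edit "VIP_2"
        set server-type tcp
    next
end
config firewall policy
    edit 10
        set dstaddr "VIP_1"
        set service "tcp-8080"
        set ssl-ssh-profile "no-inspection"
    next
    edit 11
        set dstaddr "VIP_2"
        set service "tcp-9090"
    next
end"""

def parse_sections(text):
    """Map 'config X' -> 'edit Y' -> {key: [values]}; nested sub-tables are skipped."""
    sections, section, entry, depth = {}, {}, None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            depth += 1
            if depth == 1:  # top-level table, e.g. 'firewall vip'
                section, entry = sections.setdefault(line[7:], {}), None
        elif line == "end":
            depth -= 1
        elif depth == 1 and line.startswith("edit "):
            entry = section.setdefault(line[5:].strip('"'), {})
        elif depth == 1 and entry is not None and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            entry[key] = re.findall(r'"([^"]*)"', value) or value.split()
    return sections

def find_mismatched_vips(text):
    """Return (policy_id, vip_name, services) for http VIPs on a no-inspection policy."""
    cfg, findings = parse_sections(text), []
    for pol_id, pol in cfg.get("firewall policy", {}).items():
        for name in pol.get("dstaddr", []):
            vip = cfg.get("firewall vip", {}).get(name, {})
            if (vip.get("server-type") == ["http"]  # unset profile counts as no inspection
                    and pol.get("ssl-ssh-profile", ["no-inspection"]) == ["no-inspection"]):
                findings.append((pol_id, name, pol.get("service", [])))
    return findings
```

Run it against the output of 'show full-configuration' saved to a file; each finding names the policy, the VIP and the service so the server-type can be corrected as shown above.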

As a workaround, create an 'ssl-ssh-profile' as shown below and apply it to the firewall policy that processes the traffic. This changes the policy from no inspection to certificate inspection, so correcting the server-type is the preferred fix.

config firewall ssl-ssh-profile
    edit "SSL_SSH_profile_name"
        config https
            set port 443
            set status certificate-inspection
            set quic inspect
            set cert-probe-failure allow
        end
    next
end