FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mriswan
Staff
Article Id 393925
Description This article explains how to fix the 'ERR_CERT_DATE_INVALID' certificate warnings seen after upgrading to FortiOS v7.6.3 in web-browsing sessions with deep inspection enabled.
Scope FortiGate v7.6.3.
Solution

Users may notice certificate warnings for deep-inspected sessions after upgrading the FortiOS firmware to v7.6.3. This happens because the re-signed server certificate provided by the FortiGate has expired and was not renewed automatically.

This issue relates to the certificate manager feature change introduced in v7.6.3: the new 'resigned-short-lived-certificate' option does not work properly with the certificate cache timeout.

From v7.6.3, the re-signed server certificate is valid for 3 days after the date on which it is re-signed. The validity period is deliberately shortened to 3 days (4 days if the re-signing day is included) for security reasons.

This issue has been addressed in internal ticket 1159963 and fixed in versions v7.6.4 and higher.


To fix the issue without an upgrade, one of the workarounds below can be applied:

Workaround 1:

Step 1:

config firewall ssl setting
    set resigned-short-lived-certificate disable
end


Step 2:

Restart the WAD process using 'diagnose test application wad 99'.

Note:

Restarting the WAD process disrupts proxy-based inspection. Users may notice a few seconds of disruption.
When resigned-short-lived-certificate is set to disable, the re-signed certificate has a validity period of 1 year starting from the 'valid from' date of the original certificate (the same behaviour as in earlier versions).

Verification:

After applying the workaround, connect to a website and review the 'Validity Period' attribute of the server certificate. It should show the updated expiry date of the server certificate issued by the FortiGate.
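A client-side check for the verification step above, added here as an example (it is not from the Fortinet article): it fetches the certificate this client actually receives, classifies its validity window as the 3 to 4 day short-lived form or the 1 year form, and reports a date verification failure instead of raising. It assumes the FortiGate CA is in the client's trust store, as deep inspection requires; the host name is a placeholder.

```python
import socket
import ssl
import time

# From the article: 3 days, or 4 if the re-signing day is counted.
SHORT_LIVED_MAX_DAYS = 4


def classify_validity(not_before, not_after, now=None):
    """Classify a certificate from its OpenSSL-style date strings
    (the format ssl.getpeercert() returns, e.g. 'Jun 01 00:00:00 2025 GMT')."""
    start = ssl.cert_time_to_seconds(not_before)
    end = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    lifetime_days = (end - start) / 86400
    if lifetime_days <= SHORT_LIVED_MAX_DAYS:
        mode = "short-lived (resigned-short-lived-certificate enabled)"
    else:
        mode = "long-lived (resigned-short-lived-certificate disabled, ~1 year)"
    return {
        "lifetime_days": round(lifetime_days, 2),
        "expired": now > end,
        "not_yet_valid": now < start,
        "mode": mode,
    }


def inspect_server_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate as presented to this client and classify it.
    Behind deep inspection this is the FortiGate re-signed certificate, so the
    FortiGate CA must be in the local trust store (assumed). A date failure
    during verification is the ERR_CERT_DATE_INVALID condition, reported
    rather than raised."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return {"host": host, "verify_error": exc.verify_message}
    info = classify_validity(cert["notBefore"], cert["notAfter"])
    info["host"] = host
    # The issuer shows whether the FortiGate CA or the origin CA signed it.
    info["issuer"] = dict(attr for rdn in cert["issuer"] for attr in rdn)
    return info


if __name__ == "__main__":
    print(inspect_server_cert("www.example.com"))  # placeholder host
```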

Note:

After the change, when accessing certain websites, the following error may appear in the client's browser:
'You are attempting to import a cert with the same issuer/serial as an existing cert, but that is not the same cert
Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL'

For this specific issue, a reboot of the client device may be required.

Workaround 2:

Use a firewall policy with flow-based inspection instead of proxy-based inspection.

Related article:
Technical Tip: Changing the inspection mode of the firewall