Solution
For a block page showing 'err_ssl_server_cert_bad_format', check the HTTPS server page on the FortiGate.
It is also possible to download the certificate and inspect it with third-party tools.
Here are a few examples:
- With the FortiGate Self-signed certificate without issue:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: xxxxxxxxxxxxxxxxxxxxxxxx (0x18021b6b2b087d41)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=FGxxxxxxxxxxxxxxxxxxx/emailAddress=support@fortinet.com
            Validity
                Not Before: Jul 9 07:24:49 2024 GMT
                Not After : Jul 8 02:01:24 2034 GMT
            Subject: C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=xxxx.com/emailAddress=support@fortinet.com
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Key Usage:
                    Digital Signature, Key Encipherment
                X509v3 Subject Alternative Name:
                    DNS:xxxx.com
- Using the CA certificate without issue:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: xxxxxxxxxxxxxxxxxxxxxxxx
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=HK, ST=Hong Kong, L=Hong Kong, O=LCSD, OU=ITO, CN=xxxxxxxxxxxxxxxxxxxxxxxx/emailAddress=networkadmin@xxxxxx
            Validity
                Not Before: Dec 18 02:56:08 2019 GMT
                Not After : Dec 15 02:56:08 2029 GMT
            Subject: C=HK, ST=Hong Kong, L=Hong Kong, O=LCSD, OU=ITO, CN=xxxxxxxxxxxxxxxxxxxxxxxx/emailAddress=networkadmin@xxxxxx
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:.....
- Using a customized certificate having an issue:
    Certificate:
        Data:
            Version: 1 (0x0)
            Serial Number: xxxxxxxxxxxxxxxxxxxxxx
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=HK, ST=HK, L=HK, O=xxxx, OU=xxx, CN=xxxx.com/emailAddress=xxxx@xxxx.com
            Validity
                Not Before: Mar 13 03:33:23 2017 GMT
                Not After : Mar 11 03:33:23 2027 GMT
            Subject: C=xx, ST=xx, L=xx, O=xxxx, OU=xxx, CN=xxxx.com/emailAddress=xxxx@xxxx.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus: .......
The difference between the working certificates and the failing one is the X.509 version: the first two are version 3, while the customized certificate is version 1. Because Chrome does not allow version 1 certificates, the block page fails with 'err_ssl_server_cert_bad_format'.
The issue is not with the FortiGate, since the certificate error is raised by Chrome.
To resolve this, either use the default self-signed certificate or generate a new version 3 HTTPS server certificate for the FortiGate.
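The version check described above can also be scripted against a downloaded certificate. The following is an added example, not Fortinet code: it reads the version field directly from the certificate's DER encoding using only the Python standard library, and the function names and sample byte strings are assumptions constructed for illustration.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def x509_version(data):
    """Return the X.509 version (1, 2 or 3) of a PEM or DER certificate."""
    m = PEM_RE.search(data)
    der = base64.b64decode(m.group(1)) if m else data
    tag, pos, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    tag, pos, _ = read_tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, pos, end = read_tlv(der, pos)      # first field of tbsCertificate
    if tag != 0xA0:                         # no [0] version tag: DEFAULT v1
        return 1
    tag, pos, end = read_tlv(der, pos)      # INTEGER inside the [0] wrapper
    if tag != 0x02:
        raise ValueError("malformed version field")
    return int.from_bytes(der[pos:end], "big") + 1   # 0 -> v1, 2 -> v3

def tlv(tag, value):
    """Encode a short DER element (used for the constructed samples only)."""
    return bytes([tag, len(value)]) + value

# Constructed skeletons, not real certificates: only the fields the parser reads.
SERIAL = tlv(0x02, b"\x01")
SAMPLE_V3 = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + SERIAL))
SAMPLE_V1 = tlv(0x30, tlv(0x30, SERIAL))
SAMPLE_V1_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_V1)
                 + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, cert in [("v3", SAMPLE_V3), ("v1", SAMPLE_V1), ("v1 pem", SAMPLE_V1_PEM)]:
        print(name, "-> version", x509_version(cert))
```

To check a real certificate, pass the bytes of the downloaded file to `x509_version()`; any result other than 3 corresponds to the failing case shown above.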