Created on 03-25-2024 03:52 AM Edited on 03-25-2024 03:55 AM By Jean-Philippe_P
Description |
This article describes how to let curl accept a self-signed FortiGate certificate on a FortiSIEM collector by adding the issuing CA to the collector's trust bundle.
FortiSIEM supervisor/collector can use the FORTIOS_REST_API protocol to interact with FortiGate.
The phDiscover service then uses the curl library to connect over HTTPS. During the TLS handshake the FortiGate presents its certificate chain; if the FortiGate certificate itself is self-signed, or one of the certificates in its chain is self-signed and not present in the collector's CA bundle, curl cannot build a path to a trusted root and refuses the connection.
On FortiSIEM, the connectivity test will fail with: '-902':'Restore failed, please try again'.
In phoenix.log, it will show the following error:
[PH_HTTP_CLIENT_CURL_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phDiscover,[fileName]=phHttpClient.cpp,[lineNumber]=938,[infoURL]=https://[ip]:443/api/v2/monitor/system/status/?access_token=[token],[phLogDetail]=curl error (60) Peer certificate cannot be authenticated with given CA certificates for method: GET |
Scope | FortiSIEM, Collector, FORTIOS_REST_API. |
Solution |
The solution is to import the CA certificate(s) of the FortiGate certificate chain into the collector's CA cert bundle, so that curl can build a path from the FortiGate certificate to a root it trusts.
Step 1: Enable the CA cert bundle in /etc/httpd/conf.d/ssl.conf. On the collector, edit the file /etc/httpd/conf.d/ssl.conf and uncomment the following line:
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
Save the file and restart the httpd service:
service httpd restart
Step 2: Reproduce the error with the curl tool:
curl https://hostname
It fails because the chain ends in a self-signed certificate that is not in the bundle:
curl: (60) SSL certificate problem: self signed certificate in certificate chain
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it.
Step 3: Import the FortiGate certificate chain into the CA bundle. Back up the bundle first:
cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.ori
Now retrieve the CA certificate for the FortiGate FQDN.
Note: Use the certificate's CN as the FQDN, and create a host record (for example in /etc/hosts) if DNS does not resolve it. The -servername option sends that name as SNI, so the FortiGate presents the certificate bound to it.
Download the chain using the following command. The -showcerts option makes s_client print every certificate the FortiGate sends, not only its own; without it, a separate self-signed CA in the chain is never captured, and it is that CA which curl needs in the bundle:
openssl s_client -showcerts -connect FQDN:port -servername FQDN < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > FGT_CA.crt
If the FortiGate certificate is self-signed, FGT_CA.crt contains only that certificate; otherwise it contains the FortiGate certificate followed by its issuers, and only the self-signed CA certificate is required in the bundle. Before importing, confirm that the fingerprint of the captured certificate matches the one the FortiGate GUI shows for it, because anything imported in this step becomes trusted by every TLS client on the collector that uses the bundle.
Import FGT_CA.crt into the CA bundle (note the full .crt extension; appending to a misspelled path creates an unused file and changes nothing):
cat FGT_CA.crt >> /etc/pki/tls/certs/ca-bundle.crt
Step 4: Test again with curl. The self-signed error should no longer appear:
curl https://FQDN
Step 5: Restart all collector services to apply the change:
phtools --stop all
phtools --start all
Note: Ensure the restart has been approved and is performed in a maintenance window to avoid impacting the service. |
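The following shell script is an added example, not code from the article or from Fortinet. It automates Step 3 with the checks a practitioner wants before trusting a certificate pulled off the network: it fetches the chain a FortiGate presents, splits it into one file per certificate, identifies the self-signed root, verifies the FortiGate certificate against that root, prints the fingerprint for an out-of-band comparison, and appends only a self-signed CA to the bundle. It assumes openssl is on the collector's PATH (it is, since the article uses s_client) and that the bundle is the one the article names unless another path is given; the hostname fgt.example.test and the "demo" root CA and leaf are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Fortinet article. Automates the article's
# Step 3 with checks: fetch the chain the FortiGate presents, split it, pick out
# the self-signed root, verify the leaf against it, and only then append the root
# to a CA bundle. Assumes openssl is on the PATH; the bundle path defaults to the
# one the article uses. Hostnames and the "demo" PKI below are constructed.
set -eu

# Read "openssl s_client -showcerts" output on stdin and write each certificate to
# $1/chain-N.pem (chain-0 is the leaf, higher N are its issuers in the order the
# server sent them). Prints the number of certificates written.
split_chain() {
    mkdir -p "$1"
    awk -v dir="$1" '
        BEGIN { n = 0 }
        /-----BEGIN CERTIFICATE-----/ { f = dir "/chain-" n ".pem"; inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f); n++ }
        END { print n }'
}

# fetch_chain FQDN PORT: retrieve the full chain. -showcerts is essential; without
# it s_client prints only the leaf, which does not let curl reach a trusted root
# when the FortiGate certificate is signed by a separate self-signed CA.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null
}

# True when subject and issuer names hash to the same value, i.e. the certificate
# is self-signed and can serve as a trust anchor.
is_self_signed() {
    set -- $(openssl x509 -in "$1" -noout -subject_hash -issuer_hash)
    [ "$1" = "$2" ]
}

# Print the path of the self-signed certificate among the split files in $1.
find_root() {
    for f in "$1"/chain-*.pem; do
        if is_self_signed "$f"; then echo "$f"; return 0; fi
    done
    echo "no self-signed root in $1: export it from the FortiGate's CA instead" >&2
    return 1
}

# Out-of-band check before trusting anything pulled off the network: compare this
# SHA-256 fingerprint with the one the FortiGate GUI shows for its certificate.
show_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate -fingerprint -sha256
}

# Verify the leaf (chain-0) against the root, passing any intermediates as
# untrusted. Success here means curl will succeed once the root is in the bundle.
verify_chain() {
    dir=$1
    root=$(find_root "$dir") || return 1
    set --
    for f in "$dir"/chain-*.pem; do
        [ "$f" = "$dir/chain-0.pem" ] || [ "$f" = "$root" ] || set -- ${1+"$@"} -untrusted "$f"
    done
    openssl verify -CAfile "$root" ${1+"$@"} "$dir/chain-0.pem" >/dev/null
}

# add_to_bundle CERT [BUNDLE]: back the bundle up (as the article does) and append
# CERT, refusing anything that is not self-signed: a leaf in the bundle does not
# complete a chain and stops working when the device certificate is renewed.
# Prints the number of certificates now in the bundle.
add_to_bundle() {
    cert=$1; bundle=${2:-/etc/pki/tls/certs/ca-bundle.crt}
    is_self_signed "$cert" || { echo "$cert is not a self-signed CA, refusing" >&2; return 1; }
    cp "$bundle" "$bundle.ori"
    { printf '\n'; cat "$cert"; } >> "$bundle"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle"
}

# Offline run-through with a throwaway root CA and a leaf it signs (constructed
# stand-ins for a FortiGate's certificates). Returns 0 when the leaf verifies and
# the root, not the leaf, lands in a scratch bundle.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo FortiGate CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fgt.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    # s_client prints the leaf first, then the issuers, amid handshake chatter.
    { echo "depth=1 CN = Demo FortiGate CA"; cat "$d/leaf.pem" "$d/root.pem"; } \
        | split_chain "$d/chain" >/dev/null
    verify_chain "$d/chain"
    : > "$d/bundle.crt"
    [ "$(add_to_bundle "$(find_root "$d/chain")" "$d/bundle.crt")" = 1 ]
}

if [ "${1-}" = demo ]; then demo; fi
```

Against a real FortiGate the flow is: source the script, run fetch_chain FQDN 443 | split_chain /tmp/fgt, then show_cert "$(find_root /tmp/fgt)" and compare the fingerprint with the FortiGate GUI, and only after verify_chain /tmp/fgt succeeds call add_to_bundle "$(find_root /tmp/fgt)". Running the script with the argument demo exercises the whole path offline. One caveat on the bundle itself: on RHEL-family systems, which the collector is based on, /etc/pki/tls/certs/ca-bundle.crt is generated by update-ca-trust, so a certificate appended directly to it, as the article does, disappears the next time the trust store is regenerated; placing the root in /etc/pki/ca-trust/source/anchors/ and running update-ca-trust is the durable equivalent.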
Copyright 2024 Fortinet, Inc. All Rights Reserved.