FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
vschmitt_FTNT
Article Id 306395
Description

This article describes how to let curl accept self-signed certificates.

 

FortiSIEM supervisor/collector can use the FORTIOS_REST_API protocol to interact with FortiGate.
This protocol needs a server IP/port and an access token to establish a connection.

 

The phDiscover service then uses the curl library to connect over HTTPS. The TLS handshake exchanges certificates, and if the FortiGate certificate is self-signed, or any certificate in its chain is self-signed and not trusted by the collector, curl refuses to establish the connection.

 

On FortiSIEM, the connectivity test will fail with:

'-902':'Restore failed, please try again'.

 

In phoenix.log, it will show the following error:

 

[PH_HTTP_CLIENT_CURL_ERROR]:[eventSeverity]=PHL_ERROR,[procName]=phDiscover,[fileName]=phHttpClient.cpp,[lineNumber]=938,[infoURL]=https://[ip]:443/api/v2/monitor/system/status/?access_token=[token],[phLogDetail]=curl error (60) Peer certificate cannot be authenticated with given CA certificates for method: GET
2024-03-07T09:40:26.509011+00:00 collector001 phDiscover[3065]: [PH_LIB_TOPO_REST_API_FAILED]:[eventSeverity]=PHL_ERROR,[procName]=phDiscover,[fileName]=deviceFortinet.cpp,[lineNumber]=2104,[infoURL]=api/v2/monitor/system/status/?access_token=******,[errReason]=Failed with http code 902,[phLogDetail]=Failed to call a REST API

Scope

FortiSIEM, Collector, FORTIOS_REST_API.
Solution

The solution is to import the CA certificates of the FortiGate certificate chain into the CA certificate bundle used by curl on the collector.

 

Step 1: Enable the CA cert bundle in /etc/httpd/conf.d/ssl.conf.

On the collector, edit the file /etc/httpd/conf.d/ssl.conf.

Uncomment the following line:

 

SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

 

Save the file and restart the httpd service:

 

service httpd restart

 

Step 2: Reproduce the error message using the curl tool:

 

curl https://hostname

 

It shows the self-signed certificate error because the certificate chain contains a self-signed certificate that is not in the CA bundle:

curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

 

Step 3: Import the FortiGate certificate chain into the ca-bundle.

Back up the bundle.

 

cp /etc/pki/tls/certs/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt.ori

 

Now import the CA certificate for the FortiGate (FGT) FQDN.

 

Note: Use the certificate CN as the FQDN, and create a host record if DNS does not resolve it.

 

Download the certificate chain using the following command (the -showcerts option makes s_client print every certificate the FortiGate sends, not only the server certificate, so the CA certificate of the chain is captured as well):

 

openssl s_client -showcerts -connect FQDN:port -servername FQDN < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > FGT_CA.crt

 

Import FGT_CA.crt into the CA bundle:

 

cat FGT_CA.crt >> /etc/pki/tls/certs/ca-bundle.crt

 

Step 4: Test again using curl.

Run curl again; it should no longer show the self-signed certificate error.

 

curl https://FQDN

 

Step 5: Restart all collector services to apply the changes:

phtools --stop all
phtools --start all

 

Note: Ensure the restart has been approved and is performed in a maintenance window to avoid impacting the service.
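The following Python script is an added example, not part of this article or of FortiSIEM: it performs the Step 3 import in a way that can be rerun safely. It parses the subject/issuer lines of `openssl s_client -showcerts` output, keeps only the issuer (CA) certificates or a self-signed leaf, and appends to the bundle only certificates whose SHA-256 fingerprint is not already present, so ca-bundle.crt does not grow with duplicates. The embedded s_client output and the certificate bodies are constructed placeholders; the bundle path, FQDN and CA name are assumptions.

```python
import hashlib
import re
import ssl

# Constructed `openssl s_client -showcerts` output; the base64 bodies are placeholders.
SAMPLE_S_CLIENT_OUTPUT = """ 0 s:CN = fgt.example.com
   i:CN = Example Fortinet CA
-----BEGIN CERTIFICATE-----
QUFBQUFBQUE=
-----END CERTIFICATE-----
 1 s:CN = Example Fortinet CA
   i:CN = Example Fortinet CA
-----BEGIN CERTIFICATE-----
QkJCQkJCQkI=
-----END CERTIFICATE-----
"""

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----")
CHAIN_RE = re.compile(
    r"^ *\d+ s:(?P<subject>[^\n]*)\n *i:(?P<issuer>[^\n]*)\n"
    r"(?:[^\n]*\n)*?"  # OpenSSL 3 prints extra a:/v: lines before the PEM block
    r"(?P<pem>" + PEM_RE.pattern + r")",
    re.MULTILINE,
)

def parse_chain(s_client_output):
    """Return [(subject, issuer, pem)] in the order the server presented the chain."""
    return [(m["subject"].strip(), m["issuer"].strip(), m["pem"] + "\n")
            for m in CHAIN_RE.finditer(s_client_output)]

def trust_anchors(chain):
    """Issuer certs the server sent, plus the leaf only when it is self-signed."""
    return [c for i, c in enumerate(chain) if i > 0 or c[0] == c[1]]

def fingerprint(pem):
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()  # ValueError on bad PEM framing

def merge_into_bundle(bundle_text, certs):
    """Append certs whose fingerprint is not already in the bundle; return (text, added)."""
    present = {fingerprint(p) for p in PEM_RE.findall(bundle_text)}
    added = []
    for subject, _issuer, pem in certs:
        fp = fingerprint(pem)
        if fp in present:
            continue  # rerunning the procedure must not grow ca-bundle.crt
        present.add(fp)
        added.append((subject, fp))
        bundle_text = bundle_text.rstrip("\n") + "\n" + pem
    return bundle_text.lstrip("\n"), added
```

To apply it to a real collector, feed it the output of the openssl command from Step 3 and write the returned text back to /etc/pki/tls/certs/ca-bundle.crt after taking the backup.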