Fortinet Forum
François
New Contributor III

Fortiauthenticator 6.01

Dear all,

For 18 months I have used FortiAuthenticator 6.01 without trouble, but for a few days FortiAuthenticator can't send email with Office365.

I opened a ticket, but at this time there is no solution to fix it.

The error message is:

"smtp starttls: verify peer certificate: unable to get local issuer certificate"

and the second:

"smtp mail: failed send to aaaaaa.bbbbbb@soxxxxx.com via smtp.office365.com:587"

I deleted the Office365 certificate and I created a new one, but with no good result.

To create the certificate I exported the root certificate as X.509 Base 64.cer and I exported the intermediate certificate in the same format. I created a new text file and I put the root certificate and the intermediate certificate inside the text file.

I imported it into FortiAuthenticator.

I tried another method for the certificate: importing the root certificate directly and, as a second step, importing the intermediate certificate directly. Same trouble.

I don't understand where the problem is, and I don't understand why the error message speaks about "unable to get local issuer certificate". Why local? In my mind I think it's a remote certificate.

Thank you for your help and sorry for my English :)

 

Best regards,

François

xsilver_FTNT
Staff

Hi,

It might have happened that Office365 changed their certs and/or even the root CA. I'm not sure at the moment. But it then has nothing to do with FAC (FortiAuthenticator), as that could not be foreseen on the FAC side.

I would suggest following these steps to check the situation:

1. Check the certs of Office365 via an attempt to open a STARTTLS connection:

run: openssl s_client -starttls smtp -connect smtp.office365.com:587 -crlf

 

example output I got right now (2020-09-10@11:10 GMT+0200):

---

    $ openssl s_client -starttls smtp -connect smtp.office365.com:587 -crlf
    CONNECTED(00000003)
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
     0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
     1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
       i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    ---
    Server certificate
    [server certificate PEM omitted]
    subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com

    issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3

    ---
    No client certificate CA names sent
    Client Certificate Types: RSA sign, DSA sign, ECDSA sign
    Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
    Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
    Peer signing digest: SHA256
    Peer signature type: RSA
    Server Temp Key: ECDH, P-384, 384 bits
    ---
    SSL handshake has read 4289 bytes and written 523 bytes
    Verification error: unable to get local issuer certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: 752700007D7CD576813827FEEFAE411C690BA3FB38E19E7BE9A3CDCF03694139
        Session-ID-ctx:
        Master-Key: 092660AE886FEC3E6AFCA59BF01A33317FACED7BA9C71A01F5DBB611009898F8ED37C143FB51ECCCBEB914A8226B5057
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1599728137
        Timeout   : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
        Extended master secret: yes
    ---
    250 SMTPUTF8
    DONE

 

 

2. Add GlobalSign Root CA - R1 as trusted outer root CA cert into FAC.

3. Test emails (I guess you kept mail service settings intact, so we just added the right cert from the top of the chain as trusted).

4. If it is still not working, then visit support.fortinet.com and open a technical trouble ticket with TAC and one of the engineers will assist you.

 

Tom xSilver, planet Earth, over and out!
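
The check in steps 1 and 2 of the reply above, as an added example that is not part of the original thread: it reads `openssl s_client` output and names the issuer that the client must hold in its own (local) trust store, which is what "local issuer" in the error refers to. The function names are hypothetical and the sample output is constructed from the chain lines quoted above.

```shell
#!/bin/sh
# Added example: find the CA a client must trust locally, from s_client output.

# Constructed sample: the relevant parts of the s_client output quoted above.
sample_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

# Issuer DN of the last certificate the server sent. The server stops there,
# so this is the certificate the client has to find in its local store.
top_issuer() {
    awk '
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *i:/  { sub(/^ *i:/, ""); issuer = $0 }
        END { if (issuer != "") print issuer }
    '
}

# Numeric verify return code reported by s_client (0 means the chain verified).
verify_code() {
    awk '/Verify return code:/ { print $4; exit }'
}

# Combine both: on code 20, report which CA is missing from the local store.
diagnose() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$code" = "20" ]; then
        echo "missing locally: $(printf '%s\n' "$out" | top_issuer)"
    else
        echo "verify return code: ${code:-unknown}"
    fi
}

# Live use (needs network): pipe the openssl command from step 1 into diagnose.
sample_output | diagnose
```
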

François

Dear Tomas,

 

Thank you for all the information you gave me.

With this information I found the trouble and fixed it.

When I set up the FortiAuthenticator in June 2019 I imported the certificate.

At the beginning of the certificate I added the root certificate and just after it I added the intermediate certificate.

Today I did it with another process.

I searched with Google for: GlobalSign Root CA - R1 and I found

GlobalSign Root CA - R1

Expected page status: Valid

    CN=GlobalSign Root CA
    OU=Root CA
    O=GlobalSign nv-sa
    C=BE
    Serial number=04 00 00 00 00 01 15 4b 5a c3 94
    Valid from=01 September 1998
    Valid to=28 January 2028
    Download url=http://secure.globalsign.com/cacert/root-r1.crt

I imported this certificate and now all is working fine.

Thank you a lot for the time you took to help me.

Best regards,
François
xsilver_FTNT

Hi François,

 

Good to hear you fixed it.

If my answer helped you, give it a star.

 

Tom xSilver, planet Earth, over and out!

badger
New Contributor

Thanks for this, helped me resolve secure email with gmail. This really should be in the manual.