I'm a novice with this, but I have web filters enabled and I'm still having trouble reaching a few government sites, for example www.pittsburghca.gov. Others, like [link]https://www.dmv.ca.gov[/link], work fine. I've explicitly allowed the blocked sites and still get the same error:
This Connection is Invalid. SSL certificate expired.
A secure connection to www.pittsburgca.gov cannot be established.
When you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
Site: www.pittsburgca.gov
Certificate CN: san-g2.granicusgovaccess.net
Certificate Authority: R3
Certificate Validity:
Not Before: Sep 20 16:46:45 2021 GMT
Not After: Dec 19 16:46:44 2021 GMT
What am I missing? And remember, I'm a real novice with the Fortinet equipment (new job, this is what they had in place), so explain it to me like I'm a 5-year-old. It's a FortiGate 100E with firmware v7.0.1 build0157 (GA). Thanks!
Use a Let's Encrypt issued certificate. There is a problem since yesterday with Let's Encrypt issued certificates. Using flow-based mode could help... We are using an explicit proxy, so I think we have to use proxy-based mode.
Here is what happens:
They use Let's Encrypt Certs for their server as well.
They send the complete chain with an "ISRG Root X1"
Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
which is signed by the DST Root CA X3, which expired yesterday.
The factory default trusted store on FortiOS contains the old, expired one:

fortigw (ca) # get DST_Root_CA_X3
name : DST_Root_CA_X3
ca :
    Subject: O = Digital Signature Trust Co., CN = DST Root CA X3
    Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
    Valid from: 2000-09-30 21:12:19 GMT
    Valid to: 2021-09-30 14:01:15 GMT
    Fingerprint: 41:03:52:DC:0F:F7:50:1B:16:F0:02:8E:BA:6F:45:C5
    Root CA: Yes
    Version: 3
    Serial Num: 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
    Extensions:
        Name: X509v3 Basic Constraints
        Critical: yes
        Content: CA:TRUE
So the FortiGate simply follows the path suggested by the web server's chain and fails verification.
I would not say this is a bug, but would consider it a misconfiguration of the web server's cert chain.
If the server admin would simply remove the X1 cert from the chain, the FG would use the built-in, new X1 CA and could verify successfully.
The only way FN could resolve the issue is by not only following the path suggested by the server's chain, but checking any cert against the factory and user trusted certs as well.
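To make the two verification behaviours described in this post concrete, here is an added example (not code from the thread, and not FortiOS code). It models the certificates by name and validity window only, using the names from the post: the leaf, the R3 intermediate, ISRG Root X1 cross-signed by DST Root CA X3 (what the server sends), the self-signed ISRG Root X1 (what a current trust store holds), and the expired DST Root CA X3. The leaf and DST Root CA X3 validity dates are the ones quoted in the thread; every other date, and the evaluation time, is an assumption. Strategy A follows the server's chain and only looks the last issuer up in the trust store, which is the failure the post describes; strategy B checks the trust store at every step, which is the fix it proposes; a third call shows that trimming the cross-signed cert from the chain also lets strategy A succeed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    """Just the X.509 fields a path builder needs (names, validity, identity)."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    fingerprint: str  # distinguishes two certificates that share a subject name

    def valid_at(self, when):
        return self.not_before <= when <= self.not_after


def ts(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


# Constructed certificate objects modeled on the thread. The leaf and DST Root CA X3
# validity windows are the ones quoted in the thread; all other dates are assumptions.
LEAF = Cert("san-g2.granicusgovaccess.net", "R3",
            ts("2021-09-20 16:46:45"), ts("2021-12-19 16:46:44"), "leaf")
R3 = Cert("R3", "ISRG Root X1",
          ts("2020-09-04 00:00:00"), ts("2025-09-15 16:00:00"), "r3")
# ISRG Root X1 cross-signed by DST Root CA X3 (the extra cert the server sends)
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3",
                     ts("2021-01-20 19:14:03"), ts("2024-09-30 18:14:03"), "x1-cross")
# ISRG Root X1 self-signed (the copy a current trust store contains)
ISRG_X1_SELF = Cert("ISRG Root X1", "ISRG Root X1",
                    ts("2015-06-04 11:04:38"), ts("2035-06-04 11:04:38"), "x1-self")
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3",
              ts("2000-09-30 21:12:19"), ts("2021-09-30 14:01:15"), "dst-x3")

SERVER_CHAIN = [LEAF, R3, ISRG_X1_CROSS]   # what the web server presents
TRUST_STORE = [DST_X3, ISRG_X1_SELF]      # factory store: old root still present
NOW = ts("2021-10-01 12:00:00")           # assumed: the day after DST Root CA X3 expired


def verify_following_chain(chain, trust_store, when):
    """Strategy A: take the server's chain as the path and consult the trust
    store only for the issuer of the last certificate the server sent."""
    path = []
    for cert in chain:
        if not cert.valid_at(when):
            return False, path, f"{cert.subject} is outside its validity period"
        path.append(cert)
    last = chain[-1]
    anchors = [c for c in trust_store if c.subject == last.issuer]
    if not anchors:
        return False, path, f"no trust anchor named {last.issuer!r}"
    anchor = anchors[0]
    if not anchor.valid_at(when):
        return False, path + [anchor], f"trust anchor {anchor.subject} has expired"
    return True, path + [anchor], "ok"


def verify_trust_store_first(chain, trust_store, when):
    """Strategy B: at every step look for a currently valid trust anchor whose
    subject matches the issuer before falling back to server-supplied certs."""
    supplied = {}
    for c in chain[1:]:
        supplied.setdefault(c.subject, []).append(c)
    path = [chain[0]]
    seen = set()
    while True:
        cur = path[-1]
        if not cur.valid_at(when):
            return False, path, f"{cur.subject} is outside its validity period"
        if cur.fingerprint in seen:
            return False, path, "issuer loop in supplied chain"
        seen.add(cur.fingerprint)
        anchors = [c for c in trust_store
                   if c.subject == cur.issuer and c.valid_at(when)]
        if anchors:
            return True, path + [anchors[0]], "ok"
        candidates = supplied.get(cur.issuer, [])
        if not candidates:
            return False, path, f"no valid issuer found for {cur.subject}"
        path.append(candidates[0])


if __name__ == "__main__":
    for name, fn in [("follow chain", verify_following_chain),
                     ("trust store first", verify_trust_store_first)]:
        ok, path, reason = fn(SERVER_CHAIN, TRUST_STORE, NOW)
        print(f"{name:18} -> {'OK  ' if ok else 'FAIL'} {reason}; "
              f"path: {' -> '.join(c.subject for c in path)}")
    ok, path, reason = verify_following_chain(SERVER_CHAIN[:2], TRUST_STORE, NOW)
    print(f"{'trimmed chain':18} -> {'OK  ' if ok else 'FAIL'} {reason}")
```

Running it shows strategy A ending at the expired DST Root CA X3 anchor while strategy B ends at the self-signed ISRG Root X1 over the same server chain; with a trust store that lacks the self-signed ISRG Root X1 (an old, never-updated store), strategy B fails as well, since no valid anchor exists for either path.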
Well.. this explains the errors, but it does not help to get the websites unblocked until the server admins correct their configs.
As a bad workaround I have set "allow" expired certificate in the SSL inspection for the moment :(