Hi all,
This has been an issue for quite sometime and I've put it on the back burner. From time-to-time and only on a very few machines (dell optiplex 790's etc...) I will encounter security issues when trying to see our library website, facebook, and other common legit sites. For example, I have several spare machines that I can deploy into the building when necessary. Recently, I decided to get one of them and install Windows 10 with the media installation download from Microsoft. The computer had Windows 8.1 at the time. I noticed certificate errors almost everywhere I went. I decided to go ahead and bring it up to Windows 10, which is now complete. It's bare bones with 10 and Edge installed and that's about it. I hopped onto the network and noticed the same thing right away....certificate errors. The clock and global settings are correct, etc...
This isn't an issue with any of the other 18 computers on the same network. I noticed the error message reporting..."Fortinet" wasn't installed properly on your computer or the network: NET::ERR_CERT_AUTHORITY_INVALID". That gave me an idea. I have a linksys router configured to pass the traffic in and out of the network in case the Fortigate fails, etc... So, fired up the router and put the outside on the WAN and the inside on the LAN1 port - gave it a minute and then went to the computer that had the difficulty and there were no longer any certificate errors at all. I reversed the above and put the cables back into the Fortigate and again had the certificate problems reappear. Where could I look in the settings on the Fortigate to investigate where the cert errors are originating? Thanks!!
Atomic
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Bryan,
Have you tried accepting the certificate errors to navigate to the page? Usually these errors come up when the FortiGate is blocking content for one reason or another, and that reason is usually explained on the page it is trying to present.
In these situations the FortiGate is essentially acting as a MiTM attack, presenting a different certificate (its own) than the browser is expecting (i.e. Facebook, your library, etc). So it's not so much a matter of fixing the certificate error as fixing whatever is causing the block to happen.
Hope this helps! Thanks - Daniel
P.S. what code version are you running? There is a "bug" of sorts I encountered recently that might be part of why things are being blocked...
Thanks all... here's what I did.
Under Policy & Objects --> IPv4 Policy ---> There were several of my machines listed here from the network. One of them was the one in question mentioned in my original post. I deleted those entries and then tested the machine. The certificate errors no longer occur.
Thanks again for the help!
Atomic
For anyone else who has this issue, same thing happened to me just yesterday. Only affected some sites, not all and happened out of the blue - absolutely NO changes (by us) were made to firewall, routing, DNS, etc...literally happened overnight.
The problem was, as lobstercreed suggested, the Fortigate was acting as a MiTM attack, intercepting the certificates of *some* sites for whatever reason (see attached image for what it would display).
The problem was the SSL inspection assigned to the firewall policy. It was set to "Certificate Inspection", which seems to be a default on our FG101F's, and that was causing the problem.
What is strange is we have two of the identical firewalls in two different states and we had NO problem with this on the other firewall despite having the exact same certificate inspection SSL setting. Anyway, I was able to get around it by creating a NEW SSL inspection configuration under "Security Configuration>SSL/SSH Inspection" and setting all settings to Allow. We do not have a CA and rely on FGT's built-in one but for some reason this really caused websites to freak-out. I don't completely understand why this happened out of nowhere, but that was the workaround and it fixed it immediately. It's easy enough to test now at least knowing I have a failsafe if if happens again, I will simply assign the "NoSSLInspection" security profile should it resurface. Hope that helps someone else.
It wont let me attach my SSL config/bypass pic. If someone wants it let me know maybe a bump will allow it.
[link]https://i.imgur.com/J3SLGmh.png[/link]
Let's encrypt has a problem. Call support.
Paddy wrote:Thanks, saw that. It applies to other CAs as well - there are workarounds here also:Let's encrypt has a problem. Call support.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.