Support Forum
atomicweight
New Contributor

Certificate Errors Fortigate 70D

Hi all,

 

This has been an issue for quite some time and I've put it on the back burner. From time to time, and only on a very few machines (Dell OptiPlex 790s etc.), I will encounter security issues when trying to see our library website, Facebook, and other common legitimate sites. For example, I have several spare machines that I can deploy into the building when necessary. Recently, I decided to get one of them and install Windows 10 with the media installation download from Microsoft. The computer had Windows 8.1 at the time. I noticed certificate errors almost everywhere I went. I decided to go ahead and bring it up to Windows 10, which is now complete. It's bare bones with 10 and Edge installed and that's about it. I hopped onto the network and noticed the same thing right away: certificate errors. The clock and global settings are correct, etc.

 

This isn't an issue with any of the other 18 computers on the same network. I noticed the error message reporting: "Fortinet" wasn't installed properly on your computer or the network: NET::ERR_CERT_AUTHORITY_INVALID. That gave me an idea. I have a Linksys router configured to pass the traffic in and out of the network in case the FortiGate fails, etc. So I fired up the router, put the outside on the WAN port and the inside on the LAN1 port, gave it a minute and then went to the computer that had the difficulty, and there were no longer any certificate errors at all. I reversed the above, put the cables back into the FortiGate, and again had the certificate problems reappear. Where could I look in the settings on the FortiGate to investigate where the cert errors are originating? Thanks!!

 

Atomic

6 replies
lobstercreed
Valued Contributor

Hi Bryan,

 

Have you tried accepting the certificate errors to navigate to the page?  Usually these errors come up when the FortiGate is blocking content for one reason or another, and that reason is usually explained on the page it is trying to present.

 

In these situations the FortiGate is essentially acting as a MiTM attack, presenting a different certificate (its own) rather than the one the browser is expecting (e.g. Facebook's, your library's, etc.). So it's not so much a matter of fixing the certificate error as fixing whatever is causing the block to happen.

 

Hope this helps!  Thanks - Daniel

 

P.S. what code version are you running?  There is a "bug" of sorts I encountered recently that might be part of why things are being blocked...
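
A way to see on the wire what Daniel describes above. This is an added example for this thread, not code from the forum or from Fortinet. It reads the leaf certificate a client is actually handed and checks whether the issuer is one of the FortiOS factory re-signing CAs (Fortinet_CA_SSL, or Fortinet_CA_Untrusted when the FortiGate itself did not trust the upstream chain). The INTERCEPTOR_MARKERS tuple is an assumption you should extend if your unit uses a custom CA, and the two sample DER fragments at the bottom are constructed by hand rather than captured from a real site.

```python
"""Spot TLS interception by an inspecting firewall from the certificate a client
actually receives. Added example; not code from the thread or from Fortinet.

Assumptions (not from the page): the firewall re-signs server certificates with
one of the CA names in INTERCEPTOR_MARKERS; the sample inputs are hand-built."""
import socket
import ssl

# Fortinet_CA_SSL / Fortinet_CA_Untrusted are FortiOS factory CA names; "FortiGate"
# is an extra catch-all assumption for units whose CA was renamed.
INTERCEPTOR_MARKERS = ("Fortinet_CA_SSL", "Fortinet_CA_Untrusted", "FortiGate")

# ASN.1 DER encoding of OBJECT IDENTIFIER 2.5.4.3 (id-at-commonName).
_CN_OID = b"\x06\x03\x55\x04\x03"
# DER string tags that may follow it: UTF8String, PrintableString, IA5String, T61String.
_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x14: "latin-1"}


def _read_length(buf, i):
    """Decode a DER length at buf[i]; return (length, index of first content byte)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def common_names(der):
    """Return every commonName value in a DER certificate, in encoding order.

    TBSCertificate encodes issuer before subject, so when the issuer has a CN,
    index 0 is the issuer CN and index 1 the subject CN. This is a small scan for
    diagnosis, not a full DER parser: it could in theory match the OID bytes inside
    some other field, which is acceptable for a troubleshooting tool."""
    names, i = [], 0
    while True:
        i = der.find(_CN_OID, i)
        if i < 0:
            return names
        j = i + len(_CN_OID)
        if j < len(der) and der[j] in _STRING_TAGS:
            length, start = _read_length(der, j + 1)
            names.append(der[start:start + length].decode(_STRING_TAGS[der[j]]))
        i = j


def classify(issuer_cn, subject_cn):
    """Map an (issuer CN, subject CN) pair to what the browser will experience."""
    if not any(m in issuer_cn for m in INTERCEPTOR_MARKERS):
        return "direct", f"{subject_cn} signed by {issuer_cn}"
    if "Untrusted" in issuer_cn:
        return "intercepted-untrusted", (f"{subject_cn} re-signed by {issuer_cn}: "
                                         "the firewall did not trust the upstream chain")
    return "intercepted", (f"{subject_cn} re-signed by {issuer_cn}: clients without that "
                           "CA in their store get NET::ERR_CERT_AUTHORITY_INVALID")


def probe(host, port=443, timeout=5.0):
    """Live check: fetch the leaf certificate with verification off and classify it.

    Verification is disabled on purpose: with a re-signing firewall in the path a
    verifying handshake fails before the issuer can be read."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    cns = common_names(der)
    return classify(cns[0] if cns else "", cns[1] if len(cns) > 1 else host)


def _der_cn(value):
    """Build one DER commonName AttributeTypeAndValue (PrintableString) for samples."""
    v = value.encode("ascii")
    inner = _CN_OID + bytes([0x13, len(v)]) + v
    return b"\x30" + bytes([len(inner)]) + inner


# Constructed samples: issuer CN first, then subject CN, the order a real
# TBSCertificate uses. These are fragments, not complete certificates.
SAMPLE_RESIGNED = _der_cn("Fortinet_CA_SSL") + _der_cn("www.example.org")
SAMPLE_DIRECT = _der_cn("DigiCert TLS RSA SHA256 2020 CA1") + _der_cn("www.example.org")


if __name__ == "__main__":
    for label, blob in (("re-signed", SAMPLE_RESIGNED), ("direct", SAMPLE_DIRECT)):
        issuer, subject = common_names(blob)
        print(label, classify(issuer, subject))
```

Run `probe("www.facebook.com")` from the affected machine and from one of the 18 working ones: if the affected machine reports "intercepted" and the others report "direct", the difference is which clients the firewall policy with inspection applies to; if all report "intercepted", the difference is which machines have the FortiGate CA in their trust store.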

atomicweight
New Contributor

Thanks all... here's what I did.

 

Under Policy & Objects --> IPv4 Policy, there were several of my machines from the network listed here. One of them was the one in question mentioned in my original post. I deleted those entries and then tested the machine. The certificate errors no longer occur.

 

Thanks again for the help!

Atomic

FirewallNoob

For anyone else who has this issue: the same thing happened to me just yesterday. It only affected some sites, not all, and happened out of the blue. Absolutely NO changes (by us) were made to the firewall, routing, DNS, etc.; it literally happened overnight.

The problem was, as lobstercreed suggested, that the FortiGate was acting as a MiTM attack, intercepting the certificates of *some* sites for whatever reason (see attached image for what it would display).

The problem was the SSL inspection assigned to the firewall policy. It was set to "Certificate Inspection", which seems to be a default on our FG101Fs, and that was causing the problem.

What is strange is that we have two identical firewalls in two different states and we had NO problem with this on the other firewall despite having the exact same certificate inspection SSL setting. Anyway, I was able to get around it by creating a NEW SSL inspection configuration under "Security Configuration > SSL/SSH Inspection" and setting all settings to Allow. We do not have a CA and rely on the FGT's built-in one, but for some reason this really caused websites to freak out. I don't completely understand why this happened out of nowhere, but that was the workaround and it fixed it immediately. It's easy enough to test now; at least, knowing I have a failsafe if it happens again, I will simply assign the "NoSSLInspection" security profile should it resurface. Hope that helps someone else.
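
The workaround FirewallNoob describes, expressed as FortiOS CLI. This is an added illustration, not the poster's configuration and not Fortinet documentation; the profile name "NoSSLInspection" follows the post, and policy ID 1 is a placeholder for whichever policy currently carries "certificate-inspection".

```text
config firewall ssl-ssh-profile
    edit "NoSSLInspection"
        config https
            set ports 443
            set status disable
        end
        config ftps
            set status disable
        end
        config imaps
            set status disable
        end
        config pop3s
            set status disable
        end
        config smtps
            set status disable
        end
        config ssh
            set ports 22
            set status disable
        end
    next
end

config firewall policy
    edit 1
        set ssl-ssh-profile "NoSSLInspection"
    next
end
```

Two caveats before leaving it that way. First, with inspection off the FortiGate can no longer present its block page over HTTPS or apply filtering that depends on seeing the handshake, so the policy loses visibility it had before. Second, if the goal is to keep inspection, the alternative is to push the FortiGate's CA certificate into the clients' trust store (it can be downloaded from the SSL/SSH Inspection page in the GUI) so the re-signed certificate validates; the error in the original post only appears on the machines that lack that CA.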

FirewallNoob

It won't let me attach my SSL config/bypass pic. If someone wants it, let me know; maybe a bump will allow it.

https://i.imgur.com/J3SLGmh.png

Paddy

Let's Encrypt has a problem. Call support.

FirewallNoob
New Contributor III

Paddy wrote:

Let's Encrypt has a problem. Call support.

Thanks, saw that. It applies to other CAs as well; there are workarounds here also:

https://kb.fortinet.com/k....do?externalID=FD49028
