gianlucats
New Contributor III

Certificate error in internal lan

Hi everybody.

I have the problem of receiving a privacy error when trying to access the 60F (firmware 7.6.0) from the LAN.

The real problem is that blocked pages don't display the correct FortiGate blocking page.

I have set up the Let's Encrypt ACME certificate and it works for connections from outside the LAN. The privacy error is given because I use https://192.168.1.1 and the expected certificate is for xxxx.fortiddns.com (used for Let's Encrypt).

I have, clearly, imported Fortinet_CA_SSL certificate in user's endpoint.

I also tried to regenerate certificate and re-import it, without any change.

I have an identical device working on another site, with exactly the same configuration, that doesn't have this issue. I really can't understand the reason and how to solve it.

Thanks for helping.

[screenshot: Cattura.PNG]

pminarik
Staff

Let's Encrypt will not give you a certificate that is valid for an IP address, so accessing the FortiGate GUI over an IP (e.g. "https://1.2.3.4") is currently impossible with a LetsEncrypt-issued certificate.

For the certificate to be considered valid, you need to use an address that is included in the certificate's SAN field (Subject Alternative Name), which in your case will probably be the xxx.fortiddns.com.

ref: https://community.letsencrypt.org/t/why-are-ip-certificate-not-available/196022

[ corrections always welcome ]
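As an added example (not part of this thread or of Fortinet's code), a stdlib-only Python check of whether the address a user types into the browser is actually named in a certificate's SAN entries, using the dict layout Python's `ssl.getpeercert()` returns; the sample certificate and the `xxxx.fortiddns.com` name are constructed placeholders.

```python
"""Check whether a requested address is covered by a certificate's
Subject Alternative Name (SAN) entries, in ssl.getpeercert() dict layout.
The subject CN is deliberately ignored: modern browsers only consult SAN."""
import ipaddress

# Constructed sample: a Let's Encrypt style certificate that names only the
# DDNS hostname (placeholder name, not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "xxxx.fortiddns.com"),),),
    "subjectAltName": (("DNS", "xxxx.fortiddns.com"),),
}

def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: exact, or a wildcard only in the left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    return p_labels[1:] == h_labels[1:]

def san_covers(cert: dict, requested: str) -> bool:
    """True if `requested` (hostname or IP literal) is named in the SAN.

    An IP literal only matches an 'IP Address' SAN entry, never a DNS entry,
    which is why https://192.168.1.1 warns when the cert only lists a DNS name.
    """
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, requested):
            return True
    return False

def explain(cert: dict, requested: str) -> str:
    """One-line verdict that shows the user which names the cert is valid for."""
    names = ", ".join(f"{k}:{v}" for k, v in cert.get("subjectAltName", ()))
    verdict = "covered" if san_covers(cert, requested) else "NOT covered"
    return f"{requested} is {verdict} by SAN [{names}]"

if __name__ == "__main__":
    for target in ("192.168.1.1", "xxxx.fortiddns.com", "fw.example.com"):
        print(explain(SAMPLE_CERT, target))
```

To run it against a live device, dump the peer certificate with a verifying `ssl` context that trusts the issuing CA and pass the `getpeercert()` result in place of `SAMPLE_CERT`.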
gianlucats
New Contributor III

Thank you for answering.

I ask, then:

1) if you use Let's Encrypt then you can't use Fortigate's blocking pages?

2) Why is another identical device working?

I'm confused :(

pminarik

What you see in the screenshot is not a block page by FortiGate.

That's just a general certificate warning page by the browser.

But if you're trying to use a LetsEncrypt certificate for UTM blocking (e.g. webfilter), don't bother trying. You need a CA certificate for inspection, and LE will not give you that either. (nobody will, you need to make your own, either brand new, or as a part of an existing PKI/CA structure that may already be in place)

Re 2): it's simply not possible. So it cannot actually be an identical setup. Review the details again, thoroughly.

[ corrections always welcome ]
gianlucats
New Contributor III

What's the Let's Encrypt certificate's utility, then?
