Hi everybody.
I have the problem of receiving a privacy error when trying to access the 60F (firmware 7.6.0) from lan.
The real problem is that blocked pages don't display the Fortigate correct blocking page.
I have done the Let's Encrypt ACME certificate and it works for connections out the lan. The privacy error is given because I use https://192.168.1.1 and the expected certificate is for xxxx.fortiddns.com (used for let's encrypt).
I have, clearly, imported Fortinet_CA_SSL certificate in user's endpoint.
I also tried to regenerate certificate and re-import it, without any change.
I have an identical device working on another site, with exactly same configuration that doesn't have this issue, I really can't undersand the reason and how solve it.
Thanks for helping.
Solved! Go to Solution.
The webfilter block page will be using some CA certificate, which cannot be a LE-issued certificate. The default is Fortinet_CA_SSL. Importing this CA as a trusted root into your client PCs will make the block-page work without warnings. So this part is working as expected.
However, for the admin GUI, if you're using a LE-issued certificate, trusting the Fortinet_CA_SSL is not relevant, as the GUI certificate is now issued by LE, not by Fortinet_CA_SSL.
Let's Encrypt will not give you a certificate that is valid for an IP address, so accessing the FortiGate GUI over an IP (e.g. "https://1.2.3.4") is currently impossible with a LetsEncrypt-issued certificate.
For the certificate to be considered valid, you need to use an address that is included in the Certificate's SAN field (Subject Alternative Name), which in your case will probably be the xxx.fortiddns.com.
ref: https://community.letsencrypt.org/t/why-are-ip-certificate-not-available/196022
thank you for answering.
I ask, then:
1) if you use Let's Encrypt then you can't use Fortigate's blocking pages?
2) Why another identical devices is working?
I'm confused :(
What you see in the screenshot is not a block page by FortiGate.
That's just a general certificate warning page by the browser.
But if you're trying to use a LetsEncrypt certificate for UTM blocking (e.g. webfilter), don't bother trying. You need a CA certificate for inspection, and LE will not give you that either. (nobody will, you need to make your own, either brand new, or as a part of an existing PKI/CA structure that may already be in place)
Re 2): it's simply not possible. So it cannot actually be an identical setup. Review the details again, thoroughly.
What's the let's encrypt certificate utility then?
Created on 10-10-2024 06:27 AM Edited on 10-10-2024 06:29 AM
LE will happily issue a certificate for a specific domain, e.g. myfgt.mydomain.com.
You can use that certificate for the FortiGate GUI, but for your browser to trust it, you must type in the address as https://myfgt.mydomain.com when accessing the FGT, using the bare IP will not match the certificate and trigger a certificate warning.
This is a general fact of life about certificate trust and browsers. Nothing about this information is Fortinet-specific, FYI.
Thank you for the patience.
But as you see in the other enviroment there is not the same problem. LE certificate in Settings, Fortinet CA ssl certificate in user pc.
That's what I don't understand.
Well the question then is: what have I to do to make working the blocking pages?
Thank you so much.
HI !
Thank you once again for your explainations.
I found the problem...
I was testing web filtering using two spare computers. The problem is given only on them (not on others... not tried everyone but ten on less or more uone hundred)
Cant't believe. Will try to understand why (one w10 other w11..)
Thank you again.
At least once installed fortinet_cs_ssl certificate it work well.
The webfilter block page will be using some CA certificate, which cannot be a LE-issued certificate. The default is Fortinet_CA_SSL. Importing this CA as a trusted root into your client PCs will make the block-page work without warnings. So this part is working as expected.
However, for the admin GUI, if you're using a LE-issued certificate, trusting the Fortinet_CA_SSL is not relevant, as the GUI certificate is now issued by LE, not by Fortinet_CA_SSL.
Exactly, now I understand (better late than never we say in Italy).
Thank you!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.