Hello,
i have issue when open some website like yahoo.com For example but not limited to ,from Chrome i found error below:
"The certificate for this site expires in 2017 or later, and the certificate chain contains a certificate signed using SHA-1".
what should to do to solve this issue ?
thanks
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
My guess is your unit is doing ssl offload to do one or more security features (IPS or Application control or HTTPS inspection or Antivirus or web filter or explicit proxy) , using an men in the middle approach. That’s fine, it is the common solution.
Some type of ssl old versions have been depreciated and chrome is giving warnings about that. With time, it will start to block it, forcing a manual override.
The problem is the certificate that forti unit is giving to the browser is using that old ssl version.
To resolve it, you need to put a new one with a newer ssl version in forti unit and in the pc’s.
The easier path is to upgrade the forti unit, since the newer versions have latest ssl version, and then reuse the GPO to put the newer certificate in all pc’s (no problem leaving the old one).
One last thing, both things have to be done at the same time, since you only have the certificate after the upgrade, and you will only have the clean https after the computers have the gpo with the certificate (before, you will have a nasty certificate not trustiest)
Search here for what others have done, but like I said it depends on OSes and enterprise.
Some opions you can do or search ;
1>Use a internal CAauth like microsoft
2> Deploy via a GPO push
3> provide a manual insert ( yes a lot of work if you have hundred of machines )
4> buy a trusted wildcard or single cert for your domain device(s) and install it
5> use a desktop support function MS/SCCM , LandDesk, to install the certificate for browsers as a trusted publisher
or have the end-user ignore the warning ( this bad practice btw )
Your options really depends on time, $$$, number of hosts, type-of-hosts ( unix/linux/windoze/mac/Mobile/ others ) and the work effort,
The bottom line is; " the internal Fortigate crt is not signed from a recognized CAauth"
So any modern browser is going to kick up that warning. Chrome is probably the most secure browser and warn just about on everything or anything.
What I've seen in the pass is most org buying a internal trusted * wildcard and trust it, or using a self-sign cert and trusting it from the MS CAauth-domain.
You have numerous avenues aand directions but only you can determine what you do and it depends on the above bold options.
Ken
PCNSE
NSE
StrongSwan
Thanks for this information,
as i remember when fortinet partner did setup to our device he import certificate via GPO that why when we are using internet explore the warning does not appear.
thanks again for your help
If you are configured in explcit proxy, update your fortigate to 5.2.6
Hi,
I do not use explicit proxy option.
Really i need your assistance.
thanks
Hello,
My guess is your unit is doing ssl offload to do one or more security features (IPS or Application control or HTTPS inspection or Antivirus or web filter or explicit proxy) , using an men in the middle approach. That’s fine, it is the common solution.
Some type of ssl old versions have been depreciated and chrome is giving warnings about that. With time, it will start to block it, forcing a manual override.
The problem is the certificate that forti unit is giving to the browser is using that old ssl version.
To resolve it, you need to put a new one with a newer ssl version in forti unit and in the pc’s.
The easier path is to upgrade the forti unit, since the newer versions have latest ssl version, and then reuse the GPO to put the newer certificate in all pc’s (no problem leaving the old one).
One last thing, both things have to be done at the same time, since you only have the certificate after the upgrade, and you will only have the clean https after the computers have the gpo with the certificate (before, you will have a nasty certificate not trustiest)
SHA-1 is rapidly being depreciated. Chrome, soon IE and Firefox, warn when depreciated certs are detected. You need to update your CA and sign a new cert for your Fortigate using at least SHA2 (SHA-256) and a 2048bit key to avoid messages such as this. Yahoo may be using a new cert, but your FG is still using a less secure one and that is what Chrome is detecting.
To verify, take a laptop and create a new unfiltered rule on your Fortigate. Browse to Yahoo through that, now disable that rule and try again ensuring traffic is filtered by the current rule you use. You should NOT get an error for the unfiltered connection. You should circle back with your integrator and figure out what he did. He may have used OpenSSL to self-sign your FG and then push out the CA he generated to all of your desktops via a GPO. This article shows how to do the Fortigate portion:
http://cookbook.fortinet.com/fortigate-cookbook-self-signed-certificates-5-2/
http://cookbook.fortinet.com/preventing-certificate-warnings/
Until you fix this you can disable SSL Deep inspection on the rule that is causing the problem. That will allow folks to browse normally until you fix the problem, but you won't be able to scan SSL traffic which is NOT a good idea these days. Making people happy while you resolve the issue is part of the risk analysis of working on things like this.
Hi all
Just hoping to find some answers.
This thread seems a bit all over the place.
I came here looking for a solution to SHA1 certificates being generated by our Fortigate for deep inspection of HTTPS sites.
Our Fortigate runs 5.2.3.
We have the same issue with deep inspection, it works but we are starting to get these errors too understandably as SHA-1 is being phased out.
I have replaced the default Fortigate CA cert (which was SHA-1) for deep inspection with a certificate that is SHA-2 (SHA-256) and with a 2048bit key.
However after the unencryption process when it generates the certificate for any SSL websites it generates them with SHA-1?
So therefore we get the https with a red cross through it in the address bar.
So currently it doesn't stop us using deep inspection but I know we are not far from the time when it will fail to load the sites because of this?
Does anybody currently use deep inspection and have it generate SH-2 certificates?
Are you on a newer firmware? Have you made another setting change in the fortigates config?
Have you put something specific in your CA to ensure it generates SHA-2 certificates during deep inspection process?
After upgrading to 5.2.8 and the red cross on the title bar did not appear again
Thanks
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1647 | |
1071 | |
751 | |
443 | |
214 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.