Created on 07-13-2023 02:54 AM Edited on 02-26-2024 05:26 AM By Kate_M
Hi,
I have set up virtual server with full ssl offloading. Everything is working fine but when I check our website by ssl checker for example https://www.digicert.com/help/ it says that the server is not sending the required intermediate certificate. Anybody know how to fix it? The problem is that Bluemedia cannot correct ask our webserver because it gets error "Unable to find valid cerification path to requested target".
I have already tried to upload .pfx with certificate, intermediate certificate, private key etc. and it still does not work.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
FYI, I downgraded fortios to 6.4.14 and it works! So it seems like it is bug in FortiOS 7.4.0. I will check if the same problem is also on fortios 7.2.5
Hello,
As far as I understand FortiGate is not sending certificate chain. If I understand correctly I would recommend to check whether all intermediate certificates in the chain are imported to FortiGate (GUI: system - certificates).
Done it as well. Both under Remote CA Certificates and Remote Certificates. Any other ideas?
Hello,
Please make sure that root CA is imported under Remote CA Certificates.
You may also consider to reboot FortiGate, clear the browser cache and try to navigate to the web-site and check in the browser whether full chain is sent.
root CA is imported because when I try to import it I'm getting duplicate error.
It's not browser cache because few websites show the same result.
Box reload may solve issue?
Hello,
You may consider to reboot the unit or restart wad "diagnose test application wad 99".
Still the same issue after performing restart command.
Hello,
You may also consider to check in FortiGate GUI (GUI: system - certificates) whether all certificates are valid (status: Valid).
All are valid.
The error says that the intermediate is missing or is not the right one? There are some cases when you still have a valid Intermediate certificate listed in your trust chain but the intermediate certificate is not the right one (Cross-Signing). Modern browsers tend to auto correct this behavior and you don't get any warnings, some other systems are not that friendly with it.
You can test the same chain of certs you have uploaded in FGT to another web server or check the certificate chain files with openssl tool:
openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1692 | |
1087 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.