Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
serveradmin
New Contributor III

Created on ‎07-13-2023 02:54 AM Edited on ‎02-26-2024 05:26 AM By Community Manager

Intermediate certificate

Hi,

I have set up virtual server with full ssl offloading. Everything is working fine but when I check our website by ssl checker for example https://www.digicert.com/help/ it says that the server is not sending the required intermediate certificate. Anybody know how to fix it? The problem is that Bluemedia cannot correct ask our webserver because it gets error "Unable to find valid cerification path to requested target".

 

I have already tried to upload .pfx with certificate, intermediate certificate, private key etc. and it still does not work.

Labels:
8198
1 Solution
serveradmin
New Contributor III
In response to ebilcari

Created on ‎07-17-2023 04:15 AM

Hi,

 

FYI, I downgraded fortios to 6.4.14 and it works! So it seems like it is bug in FortiOS 7.4.0. I will check if the same problem is also on fortios 7.2.5

View solution in original post

7885
24 REPLIES 24
serveradmin
New Contributor III
In response to ebilcari

Created on ‎07-13-2023 05:27 AM Edited on ‎07-13-2023 05:29 AM

This is how it looks like.

 

1.png

2903
0 Kudos
ebilcari
Staff
Staff
In response to serveradmin

Created on ‎07-14-2023 01:41 AM

From the snapshot it looks like the intermediate certificate is completely missing.

Can you run the ssl tool somewhere and check with this command:

openssl s_client -connect www.test.eu:443    <--replace the domain here

It will give more details for the Certificate chain presented by FGT

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2863
0 Kudos
serveradmin
New Contributor III
In response to ebilcari

Created on ‎07-14-2023 02:22 AM Edited on ‎07-14-2023 03:25 AM

CONNECTED(00000003)
depth=0 CN = *.motoflota.pl
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.motoflota.pl
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=*.motoflota.pl
i:/C=US/O=DigiCert, Inc./CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHlzCCBX+gAwIBAgIQDkQozMAXGBAzjgLmVnjfhzANBgkqhkiG9w0BAQsFADBc
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNDAyBgNVBAMT
K1JhcGlkU1NMIEdsb2JhbCBUTFMgUlNBNDA5NiBTSEEyNTYgMjAyMiBDQTEwHhcN
MjMwMTI2MDAwMDAwWhcNMjQwMjA2MjM1OTU5WjAZMRcwFQYDVQQDDA4qLm1vdG9m
bG90YS5wbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJz1HxzZ8S9h
l5rUpIUfMLTcJFO68bATFhZ557wDGCWEQBsu2kTw5M7pQ3tyw34fVRk3gqkVZqjO
gXV5GS9KwfFGoB6CK++ESSi5MGXTaQlv7Wz0buGGKKn6HA+EqAWItG6ZZ/Fk+Y3n
V1vG7A9zeTXbs6Jgtu+fXSVcUGTOzXnPjiFJHpWGPE2aJ8Z/pdYdO8ssTtG/l2WV
PPr9ldnibO/+yVy07SGA5id+lchC7QoMNfG+WuJaF9baAim8IAsIgph+KF16Vu5G
BKxGCfFgU32BJ4nOYNJZZv1+yHCIBhkvmchDtgFpDjq7J9mhK3IAuy5k4N80H+Iz
aLw7rbZqCpsCAwEAAaOCA5YwggOSMB8GA1UdIwQYMBaAFPCchf2in32PyWi71dSJ
TR2+05D/MB0GA1UdDgQWBBSKOf0rvCud9WniH980xEo9F3PJ8DAnBgNVHREEIDAe
gg4qLm1vdG9mbG90YS5wbIIMbW90b2Zsb3RhLnBsMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgZ8GA1UdHwSBlzCBlDBIoEag
RIZCaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1JhcGlkU1NMR2xvYmFsVExTUlNB
NDA5NlNIQTI1NjIwMjJDQTEuY3JsMEigRqBEhkJodHRwOi8vY3JsNC5kaWdpY2Vy
dC5jb20vUmFwaWRTU0xHbG9iYWxUTFNSU0E0MDk2U0hBMjU2MjAyMkNBMS5jcmww
PgYDVR0gBDcwNTAzBgZngQwBAgEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMIGHBggrBgEFBQcBAQR7MHkwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBRBggrBgEFBQcwAoZFaHR0cDovL2NhY2Vy
dHMuZGlnaWNlcnQuY29tL1JhcGlkU1NMR2xvYmFsVExTUlNBNDA5NlNIQTI1NjIw
MjJDQTEuY3J0MAkGA1UdEwQCMAAwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2
AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABhe2UZFoAAAQDAEcw
RQIgeZvzfL1bL5dd7wHLsp1vhKRI/ALakGpX1YKf6zyEbcoCIQCL2Ac6572PM9mw
J2xoHesGRaThJcoBGVvQG7FX321OxwB2AHPZnokbTJZ4oCB9R53mssYc0FFecRkq
jGuAEHrBd3K1AAABhe2UZJEAAAQDAEcwRQIgSc2MaP/dGuaPGB4wnAd3tlsdkUe2
UvuwR+TRJI8Avm8CIQCMeF+d9nuNsXCELwwpsEMXmp0H8yO76UtQl**bleep**IevwjwB3
AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABhe2UZEoAAAQDAEgw
RgIhAPxfDkr734ub923a51uc464LwpFxi4BTHbwlnGhiQ3JLAiEA5mYmwAve7gCw
EetxDZeiy3n+cFYYW/JVnYHPuOt4VlAwDQYJKoZIhvcNAQELBQADggIBAD1O2/3I
GhvRvoUer4wWXAfqd1qKfB+ukjfh0BlSmbCcazZ7EtVgosapbXZ21ByOD4be3sxf
xSNCx4HacgsLLdMrjKlmIgAGhh2tW0fhId6sbQAommD+bNG6IAmkNv8v8hcS1TMC
lLIKqNkrLqmkvoz8DEYoKKWdyLIR2E1K1YHKSroIqEYh3Cl/Kr+h0nHofScYFLky
lWygZHUjbTzjt/WgFnP5DqYp3uud4tnCMzQPzwvPDeIpOSrz0iGpvhqbFLJr5x+6
SNjCrwnLC1cdN9meqRgJL19p8UNZQwcVg+7DvCm0RCJUi17VfVU5HbiUO6Wfe79F
jN4hWRDL92jzTBIk3eMnobP+WMPsRtTI7oP2gbXiVvcu0wqP1hkQqVPfAA8fIiaZ
LKXei2/BFL9CPtA7/rTy0yHO7X7tugw5DwbKcVUOG0+q8PxnmmNkdh20SW9z2aVO
mX+88x/cRtM7Ac1WfZ+QqX+LbavGx9ah2S9LIFc+VKpOT3J44vYBuslVh7TSUVb/
gPYiC4cwL4eue4IzdPA7YAMRmiBHZuW2LyR9aBj2gfSpUhsE9OOYILecG5FojDSH
VwnImPtLd1NOKinaxSRGmiRVPPcqYnM5NjeTGIrykrEAKmC9TZ01GZZKhzpsOjkL
zzpXhFpb+mMGgRLsMGv2hTRQm/EBfwsftDD+
-----END CERTIFICATE-----
subject=/CN=*.motoflota.pl
issuer=/C=US/O=DigiCert, Inc./CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
---
No client certificate CA names sent
Peer signing digest: SHA384
Server Temp Key: ECDH, P-521, 521 bits
---
SSL handshake has read 2635 bytes and written 487 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 01DCB884A0DD9BF85ED6DFD18F5A0888A66F2F0152B7EFC7ADFF24BB840A920F
Session-ID-ctx:
Master-Key: 57130A239690D3DC2F84363E4E6A441003D49792A74FD0062213AD569B7C676F3B9CF4AE638B9EB459BB750DEFFD6303
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - eb 0c db d5 8f 8e 46 45-ff d0 f6 77 bb 9a 5b c4 ......FE...w..[.
0010 - 16 ab d9 f6 a3 ed 40 c3-d1 2e 26 35 94 79 93 77 ......@...&5.y.w
0020 - 53 26 c9 92 53 c7 1f 2c-5f 55 53 70 44 80 84 a1 S&..S..,_USpD...
0030 - b3 fc fb 65 19 fd 0c a2-93 94 e9 db d6 61 8b dd ...e.........a..
0040 - 40 af b1 e1 dd 03 5e 0d-28 ab c3 e7 e0 fb 13 03 @.....^.(.......
0050 - 4c 4c a9 ef 9f 9f 41 67-56 8b 1e ac 03 bc b1 b5 LL....AgV.......
0060 - 3c b4 0f 4c 86 0e 88 a9-29 db 19 cf 2c 8d 78 a4 <..L....)...,.x.
0070 - 98 e1 5c 2b 54 14 a5 49-e6 02 7a c5 81 29 bf 64 ..\+T..I..z..).d
0080 - 35 ec ec 2e ad 45 48 8c-4b 4b c5 d0 08 dd 7d 10 5....EH.KK....}.

Start Time: 1689330086
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

2854
0 Kudos
serveradmin
New Contributor III
In response to serveradmin

Created on ‎07-14-2023 03:02 AM Edited on ‎07-14-2023 03:24 AM By Moderator

FYI, configured as virtual IP everything is working fine, here is output.

 

CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = "DigiCert, Inc.", CN = RapidSSL Global TLS RSA4096 SHA256 2022 CA1
verify return:1
depth=0 CN = *.motoflota.pl
verify return:1
---
Certificate chain
0 s:/CN=*.motoflota.pl
i:/C=US/O=DigiCert, Inc./CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
1 s:/C=US/O=DigiCert, Inc./CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHlzCCBX+gAwIBAgIQDkQozMAXGBAzjgLmVnjfhzANBgkqhkiG9w0BAQsFADBc
MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNDAyBgNVBAMT
K1JhcGlkU1NMIEdsb2JhbCBUTFMgUlNBNDA5NiBTSEEyNTYgMjAyMiBDQTEwHhcN
MjMwMTI2MDAwMDAwWhcNMjQwMjA2MjM1OTU5WjAZMRcwFQYDVQQDDA4qLm1vdG9m
bG90YS5wbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJz1HxzZ8S9h
l5rUpIUfMLTcJFO68bATFhZ557wDGCWEQBsu2kTw5M7pQ3tyw34fVRk3gqkVZqjO
gXV5GS9KwfFGoB6CK++ESSi5MGXTaQlv7Wz0buGGKKn6HA+EqAWItG6ZZ/Fk+Y3n
V1vG7A9zeTXbs6Jgtu+fXSVcUGTOzXnPjiFJHpWGPE2aJ8Z/pdYdO8ssTtG/l2WV
PPr9ldnibO/+yVy07SGA5id+lchC7QoMNfG+WuJaF9baAim8IAsIgph+KF16Vu5G
BKxGCfFgU32BJ4nOYNJZZv1+yHCIBhkvmchDtgFpDjq7J9mhK3IAuy5k4N80H+Iz
aLw7rbZqCpsCAwEAAaOCA5YwggOSMB8GA1UdIwQYMBaAFPCchf2in32PyWi71dSJ
TR2+05D/MB0GA1UdDgQWBBSKOf0rvCud9WniH980xEo9F3PJ8DAnBgNVHREEIDAe
gg4qLm1vdG9mbG90YS5wbIIMbW90b2Zsb3RhLnBsMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwgZ8GA1UdHwSBlzCBlDBIoEag
RIZCaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL1JhcGlkU1NMR2xvYmFsVExTUlNB
NDA5NlNIQTI1NjIwMjJDQTEuY3JsMEigRqBEhkJodHRwOi8vY3JsNC5kaWdpY2Vy
dC5jb20vUmFwaWRTU0xHbG9iYWxUTFNSU0E0MDk2U0hBMjU2MjAyMkNBMS5jcmww
PgYDVR0gBDcwNTAzBgZngQwBAgEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5k
aWdpY2VydC5jb20vQ1BTMIGHBggrBgEFBQcBAQR7MHkwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmRpZ2ljZXJ0LmNvbTBRBggrBgEFBQcwAoZFaHR0cDovL2NhY2Vy
dHMuZGlnaWNlcnQuY29tL1JhcGlkU1NMR2xvYmFsVExTUlNBNDA5NlNIQTI1NjIw
MjJDQTEuY3J0MAkGA1UdEwQCMAAwggF/BgorBgEEAdZ5AgQCBIIBbwSCAWsBaQB2
AO7N0GTV2xrOxVy3nbTNE6Iyh0Z8vOzew1FIWUZxH7WbAAABhe2UZFoAAAQDAEcw
RQIgeZvzfL1bL5dd7wHLsp1vhKRI/ALakGpX1YKf6zyEbcoCIQCL2Ac6572PM9mw
J2xoHesGRaThJcoBGVvQG7FX321OxwB2AHPZnokbTJZ4oCB9R53mssYc0FFecRkq
jGuAEHrBd3K1AAABhe2UZJEAAAQDAEcwRQIgSc2MaP/dGuaPGB4wnAd3tlsdkUe2
UvuwR+TRJI8Avm8CIQCMeF+d9nuNsXCELwwpsEMXmp0H8yO76UtQlwOgIevwjwB3
AEiw42vapkc0D+VqAvqdMOscUgHLVt0sgdm7v6s52IRzAAABhe2UZEoAAAQDAEgw
RgIhAPxfDkr734ub923a51uc464LwpFxi4BTHbwlnGhiQ3JLAiEA5mYmwAve7gCw
EetxDZeiy3n+cFYYW/JVnYHPuOt4VlAwDQYJKoZIhvcNAQELBQADggIBAD1O2/3I
GhvRvoUer4wWXAfqd1qKfB+ukjfh0BlSmbCcazZ7EtVgosapbXZ21ByOD4be3sxf
xSNCx4HacgsLLdMrjKlmIgAGhh2tW0fhId6sbQAommD+bNG6IAmkNv8v8hcS1TMC
lLIKqNkrLqmkvoz8DEYoKKWdyLIR2E1K1YHKSroIqEYh3Cl/Kr+h0nHofScYFLky
lWygZHUjbTzjt/WgFnP5DqYp3uud4tnCMzQPzwvPDeIpOSrz0iGpvhqbFLJr5x+6
SNjCrwnLC1cdN9meqRgJL19p8UNZQwcVg+7DvCm0RCJUi17VfVU5HbiUO6Wfe79F
jN4hWRDL92jzTBIk3eMnobP+WMPsRtTI7oP2gbXiVvcu0wqP1hkQqVPfAA8fIiaZ
LKXei2/BFL9CPtA7/rTy0yHO7X7tugw5DwbKcVUOG0+q8PxnmmNkdh20SW9z2aVO
mX+88x/cRtM7Ac1WfZ+QqX+LbavGx9ah2S9LIFc+VKpOT3J44vYBuslVh7TSUVb/
gPYiC4cwL4eue4IzdPA7YAMRmiBHZuW2LyR9aBj2gfSpUhsE9OOYILecG5FojDSH
VwnImPtLd1NOKinaxSRGmiRVPPcqYnM5NjeTGIrykrEAKmC9TZ01GZZKhzpsOjkL
zzpXhFpb+mMGgRLsMGv2hTRQm/EBfwsftDD+
-----END CERTIFICATE-----
subject=/CN=*.motoflota.pl
issuer=/C=US/O=DigiCert, Inc./CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4123 bytes and written 419 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 2C40971A7DB2441F09C894956880F78847ECE6F2B706448D6092E142FAAEA3F4
Session-ID-ctx:
Master-Key: 784A2CAF8DB009A93F1D93A285639D7AA349830BB67E437B762E20DF123215A74E81F8CAD2A4EE8E4EE7EFA7C1145AD0
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 8f 02 cc 38 06 a8 1d 14-9c 35 cd 79 8b 86 94 5f ...8.....5.y..._
0010 - 6b 5a 9a 77 c9 d6 00 64-18 4d 45 8b 16 02 ad 9b kZ.w...d.ME.....
0020 - 5c 9f 07 4a 32 49 53 da-1c b0 ed 45 ab 85 01 6b \..J2IS....E...k
0030 - 67 f5 38 fe b3 0e eb 21-20 2e d4 77 47 ea 6a b6 g.8....! ..wG.j.
0040 - 37 e5 87 3b 1d e8 83 f3-95 49 ce 98 5b 59 55 13 7..;.....I..[YU.
0050 - ca 73 8e 31 e7 d6 a4 b8-da a8 ef d8 ac 97 e7 e7 .s.1............
0060 - 1c 9a b1 0a 6a 01 a0 39-e1 75 74 10 f9 4b a9 4e ....j..9.ut..K.N
0070 - 89 81 75 3b 2c 13 be 14-91 7e 91 f9 86 f5 ab f0 ..u;,....~......
0080 - 27 70 f9 da ee 50 15 1c-14 eb e9 27 85 13 5c 52 'p...P.....'..\R
0090 - 80 43 df e2 bc b5 05 88-1f 33 a1 56 5a 84 84 e2 .C.......3.VZ...
00a0 - 2b f2 1c fe f0 44 fe fb-e4 e7 08 b0 75 1a bd 33 +....D......u..3
00b0 - ec 16 07 19 77 b5 7a 93-1e 36 49 1f 79 aa 0e a1 ....w.z..6I.y...
Start Time: 1689326933
Timeout : 300 (sec)
Verify return code: 0 (ok)

2852
0 Kudos
Stephen_G
Moderator
Moderator
In response to serveradmin

Created on ‎07-14-2023 03:22 AM Edited on ‎07-14-2023 03:26 AM

Hi there,

 

It looks like our smut filter mistakenly censored part of the text string. The use of letters w, o, and g in sequence appears to be tripping it. I apologize for the inconvenience, it will not let me restore the content.

 

Kind regards,

Stephen - Fortinet Community Team
2847
ebilcari
Staff
Staff
In response to serveradmin

Created on ‎07-14-2023 04:06 AM Edited on ‎07-14-2023 04:07 AM

From the output it shows that FGT is presenting only the certificate itself, no root or intermediate is presented (depth=0 CN = *.motoflota.pl)
The server directly is presenting all the three: root, intermediate and cert (depth=2) so we can assume that some misconfiguration is done on the FGT

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2834
0 Kudos
serveradmin
New Contributor III
In response to ebilcari

Created on ‎07-14-2023 04:08 AM

Yes, but both root and intermediate certificates are present in Fortigate.

2831
ebilcari
Staff
Staff
In response to serveradmin

Created on ‎07-14-2023 08:06 AM

I tried to configure the same in my lab with a private CA (without an intermediate) and in FGT 7.2.0 it will present both the CA and the certificate as seen by the openssl tool: depth=1
The certificate is under "Local Certificate" and the CA is under "Remote CA Certificate"
In the Virtual Servers> SSL Offloading are you using Full?

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
2822
0 Kudos
serveradmin
New Contributor III
In response to ebilcari

Created on ‎07-14-2023 01:36 PM

Yes, full SSL offloading. I have certificate uploaded to local, intermediate to remote ca certificate and root is already present in FGT.

 

I'm running Fortigate on FortiOS 7.4.0

2806
0 Kudos
serveradmin
New Contributor III
In response to ebilcari

Created on ‎07-17-2023 04:15 AM

Hi,

 

FYI, I downgraded fortios to 6.4.14 and it works! So it seems like it is bug in FortiOS 7.4.0. I will check if the same problem is also on fortios 7.2.5

7886
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.