Created on 07-13-2023 02:54 AM Edited on 02-26-2024 05:26 AM By Kate_M
Intermediate certificate
Hi,
I have set up a virtual server with full SSL offloading. Everything is working fine, but when I check our website with an SSL checker, for example https://www.digicert.com/help/, it says that the server is not sending the required intermediate certificate. Does anybody know how to fix it? The problem is that Bluemedia cannot correctly ask our web server because it gets the error "Unable to find valid certification path to requested target".
I have already tried to upload .pfx with certificate, intermediate certificate, private key etc. and it still does not work.
Hi,
FYI, I downgraded FortiOS to 6.4.14 and it works! So it seems like it is a bug in FortiOS 7.4.0. I will check if the same problem is also in FortiOS 7.2.5.
Hello,
As far as I understand, FortiGate is not sending the certificate chain. If I understand correctly, I would recommend checking whether all intermediate certificates in the chain are imported to FortiGate (GUI: system - certificates).
Done it as well. Both under Remote CA Certificates and Remote Certificates. Any other ideas?
Hello,
Please make sure that the root CA is imported under Remote CA Certificates.
You may also consider rebooting the FortiGate, clearing the browser cache, and navigating to the website again to check in the browser whether the full chain is sent.
The root CA is imported, because when I try to import it I get a duplicate error.
It's not the browser cache, because a few websites show the same result.
Might a box reload solve the issue?
Hello,
You may consider rebooting the unit or restarting wad: "diagnose test application wad 99".
Still the same issue after performing restart command.
Hello,
You may also consider checking in the FortiGate GUI (GUI: system - certificates) whether all certificates are valid (status: Valid).
All are valid.
The error says that the intermediate is missing or is not the right one? There are some cases when you still have a valid intermediate certificate listed in your trust chain but the intermediate certificate is not the right one (cross-signing). Modern browsers tend to auto-correct this behavior and you don't get any warnings; some other systems are not that friendly with it.
You can test the same chain of certs you have uploaded to the FGT on another web server, or check the certificate chain files with the openssl tool:
openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem
If you have found a solution, please like and accept it to make it easily accessible for others.
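
The openssl check from the last reply, reproduced offline as an added example that is not part of the original thread: it builds a throwaway root, intermediate and server certificate, then shows that a client trusting only the root rejects a leaf-only chain and accepts it once the intermediate is supplied. All subjects and file names other than those in the reply's command are constructed, and `sent_cert_count` is a hypothetical helper for counting the certificates a live server actually presents.

```shell
#!/bin/sh
# Added example: constructed certificates only, nothing from the thread's FortiGate.

# Build a throwaway Root -> Intermediate -> leaf chain in directory $1.
build_chain() {
  cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
  # Self-signed root: the only certificate the client will trust.
  openssl req -x509 -config "$1/ext.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$1/root.key" -out "$1/RootCert.pem" \
    -subj "/CN=Constructed Root" -days 2 2>/dev/null || return 1
  # Intermediate CA, signed by the root.
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/int.key" -out "$1/int.csr" \
    -subj "/CN=Constructed Intermediate" 2>/dev/null || return 1
  openssl x509 -req -in "$1/int.csr" -CA "$1/RootCert.pem" -CAkey "$1/root.key" \
    -set_serial 2 -extfile "$1/ext.cnf" -extensions ca -days 2 \
    -out "$1/Intermediate.pem" 2>/dev/null || return 1
  # Server (leaf) certificate, signed by the intermediate.
  openssl req -new -config "$1/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/user.key" -out "$1/user.csr" \
    -subj "/CN=www.example.test" 2>/dev/null || return 1
  openssl x509 -req -in "$1/user.csr" -CA "$1/Intermediate.pem" -CAkey "$1/int.key" \
    -set_serial 3 -extfile "$1/ext.cnf" -extensions leaf -days 2 \
    -out "$1/UserCert.pem" 2>/dev/null
}

# What a strict client sees when the server presents only its own certificate.
leaf_only_verifies() {
  openssl verify -CAfile "$1/RootCert.pem" "$1/UserCert.pem" >/dev/null 2>&1
}

# Same client once the intermediate is supplied (the command from the reply).
with_intermediate_verifies() {
  openssl verify -CAfile "$1/RootCert.pem" -untrusted "$1/Intermediate.pem" \
    "$1/UserCert.pem" >/dev/null 2>&1
}

# Hypothetical helper: number of certificates a live server sends for host $1.
sent_cert_count() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
    </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}
```

A `sent_cert_count` result of 1 for the virtual server's hostname means only the server certificate is being presented, which matches what the SSL checker in the question reported.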