Support Forum
serveradmin
New Contributor III

Intermediate certificate

Hi,

I have set up a virtual server with full SSL offloading. Everything is working fine, but when I check our website with an SSL checker, for example https://www.digicert.com/help/, it says that the server is not sending the required intermediate certificate. Does anybody know how to fix it? The problem is that Bluemedia cannot correctly query our web server because it gets the error "Unable to find valid certification path to requested target".

I have already tried to upload a .pfx with the certificate, intermediate certificate, private key, etc., and it still does not work.

1 Solution
serveradmin
New Contributor III

Hi,

FYI, I downgraded FortiOS to 6.4.14 and it works! So it seems like it is a bug in FortiOS 7.4.0. I will check whether the same problem is also present on FortiOS 7.2.5.


24 REPLIES 24
abarushka
Staff

Hello,

As far as I understand, the FortiGate is not sending the certificate chain. If I understand correctly, I would recommend checking whether all intermediate certificates in the chain are imported into the FortiGate (GUI: System > Certificates).

serveradmin

Done it as well. Both under Remote CA Certificates and Remote Certificates. Any other ideas?

abarushka

Hello,

Please make sure that the root CA is imported under Remote CA Certificates.

You may also consider rebooting the FortiGate, clearing the browser cache, navigating to the website again and checking in the browser whether the full chain is sent.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-avoid-certificate-error-message-by-...

serveradmin

The root CA is imported, because when I try to import it I get a duplicate error.

It's not the browser cache, because a few websites show the same result.

Could a box reload solve the issue?

abarushka

Hello,

You may consider rebooting the unit or restarting wad with "diagnose test application wad 99".

serveradmin

Still the same issue after performing restart command.

abarushka

Hello,

You may also consider checking in the FortiGate GUI (System > Certificates) whether all certificates are valid (status: Valid).

serveradmin

All are valid.

ebilcari
Staff

Does the error say that the intermediate is missing, or that it is not the right one? There are some cases where you still have a valid intermediate certificate listed in your trust chain, but it is not the right one (cross-signing). Modern browsers tend to auto-correct this behavior and you don't get any warnings; some other systems are not that friendly with it.

You can test the same chain of certs you have uploaded to the FGT on another web server, or check the certificate chain files with the openssl tool:

openssl verify -CAfile RootCert.pem -untrusted Intermediate.pem UserCert.pem

- Emirjon
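As an added example (not part of the thread, and not Fortinet's own tooling), the script below reproduces the two checks involved in this thread: the openssl verify of the chain files, run with and without the intermediate, and a count of the certificates a live server actually presents, which is what an SSL checker looks at. It builds a constructed root > intermediate > server chain in a temporary directory so it runs offline; the hostname www.example.test and all key and file names are assumptions.

```shell
#!/bin/sh
# Added example: reproduce the chain checks from the thread offline.
# Requires the openssl command-line tool.
set -eu
WORK=$(mktemp -d)

# Build a constructed test PKI: self-signed root, intermediate CA, server leaf.
make_test_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" >/dev/null 2>&1
  # The intermediate must carry CA:TRUE or openssl verify rejects it as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" -days 30 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/leaf.pem" -days 30 >/dev/null 2>&1
}

# Verify the leaf against the trusted root, optionally with an intermediate file.
# Returns 0 when a certification path exists, non-zero when the chain is broken.
verify_chain() {
  root=$1; leaf=$2; inter=${3:-}
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# Count the certificates a live server sends in its handshake (needs network).
# A result of 1 means only the leaf is served and the intermediate is missing.
count_served_certs() {
  host=$1; port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Demonstration: the same leaf passes with the intermediate and fails without it,
# which is exactly the "unable to find valid certification path" situation.
make_test_chain "$WORK"
verify_chain "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/int.pem" && echo "with intermediate: OK"
verify_chain "$WORK/root.pem" "$WORK/leaf.pem" || echo "without intermediate: chain broken"
```

To check the real virtual server, run count_served_certs against its public name and port; anything less than the number of certificates in your chain (excluding the root) means the FortiGate is not sending the full chain.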