Hi,
I recently upgraded our FG 100E from 5.6.9 to 6.2.3 and suddenly cannot login to admin from WAN because of self signed certificate. I did follow upgrade path, and it was working in 6.2.2 just right. Both Safari and Chrome disallow me to load the page completely, Firefox warns me about self-signed certificate.
I can login fine from LAN using internal IP address. Is it a correct behavior?
Thanks
Robert
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you managing the FGT via https, the same certificate is used regardless of interface. Did you set an exception in your browser? Or import the selfsigned cert?
Ken Felix
PCNSE
NSE
StrongSwan
Have you tried deleting cookies and site data for that site in your browsers?
Yes, I know it's the same link.... but had to do that a few times and solved it for me
On Firefox under Privacy and Security it's called "Cookies and Site Data", then "Manage Data", and find that one link in there, select it and click "Remove Selected"
Yeah,
I know that the same certificate is used on all interfaces but I just re-checked it and I was correct - I can connect on LAN interface using private IP address but not from WAN interface via FQDN. I also removed cookies and trashed installed SSL certificates from this FG. Weird.
Than do incognito and retest, also flush SSL states and double check allowaccess, it's the same certificate and if your using the selfSign fortinet cert, than FQDN is not going to help, the cert is untrusted regardless if your coming in from public or wan. ALso if your using a proxy to get to the puiblic-WAN address that's going to hurt you also depending on the level security and allowances.
The FGT does care regardless if the cert is SelfSigned or not.
Ken Felix
PCNSE
NSE
StrongSwan
Are you using Chrome on MacOS Catalina? If so, there were some changes to how self signed certificates are trusted. We are looking into a fix on the FortiOS side. It is possible to override the warning in Chrome as well.
agreed and you can use curl to validate the certificate name and details
curl -k -v https://x.x.x.x
# x.x.x.x = WAN or LAN side address
Your problem is your browser, use FF and import the cert and save it as trusted
Ken Felix
PCNSE
NSE
StrongSwan
Thanks all
Jordan_Thompson_FTNT wrote:Are you using Chrome on MacOS Catalina? If so, there were some changes to how self signed certificates are trusted. We are looking into a fix on the FortiOS side. It is possible to override the warning in Chrome as well.
Im using Chrome v80.0.3987.122 on MacOS Catalina and after upgrading to 6.2.3 Im unable to manage my FGT via Chrome using HTTPs, I now have to use Safari. Chrome gives the error:
NET::ERR_CERT_INVALID
You cannot visit 192.168.0.254 at the moment because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.
There are a few options for this:
[ul]In FortiOS 6.2.3, the self signed certificate should also work (with the original overridable warning), however it may require a factory reset on the FortiGate to regenerate it.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.