Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MadDog_2023
New Contributor III

Legit sites with valid SSL certificate are not opening - "Your connection is not private"

Hi All,

This morning all of a sudden some sites are not opening.

white1.jpgwhite2.jpg

 

The issue is not related to websites certificate. 

For sure it comes from FortiGate. 

Could you please help to fix it. 

6 REPLIES 6
Lamberts
New Contributor

Same here on Multiple sites.

If you create a new ssl under ssl/ssh inspection and call it "no inspection 23"

Turn off all the inspect all ports and save it.

In your policy and objects where cert inspection is used swap it to you new no inspection 23.

 

if you have clients needing access to sites It Works but not ideal, at least until FG sort the issue properly

 

lbjust
New Contributor II

I did not have any issues today but I recommend you to enable "Log SSL anomalies" in the SSL/SSH Inspection Profile so you will be able to analyze the log and understand why that profile is blocking access to the website.
Perhaps for some reason is marking the certificate as Expired certificates / Revoked certificates / Validation timed-out certificates / Validation failed certificates and your profile is configured as Block.

MadDog_2023
New Contributor III

Hi guys,

I checked Security & Profiles - SSL\SSH Inspection and there is no option to create a new certificate.

Screenshot 2023-06-29 153304.jpg

Tried to contact FortiGate support but was advised that the device's license has expired so no support can be provided.

Is there any other way to fix it?

P.S. Does anyone know why it started to happen all of a sudden?

MadDog_2023
New Contributor III

Tried to follow this article.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Fortinet-Untrusted-CA-when-browsing-...

For example the website is news.com.au

 

Screenshot 2023-06-29 155703.jpg

 

I found intermediate certificate DigiCert Global Root CA.

Trying to import.

Certificate is duplicated.

 

Screenshot 2023-06-29 155917.jpg

MadDog_2023
New Contributor III

The issue has been resolved.

Maybe on FortiGate's end.

sw2090
SuperUser
SuperUser

Your first screenshots indicate to me that for some reason your traffic has hit a policy that has SSL Deep Inspection turned on. Only then the original certificate will be replaced by a certificate created by the FGT using the CA in the SSL DPI Profile. That is because DPI is a man-in-the-middle. The FGT needs to decrypt the traffic to be able to have the filters check it and then has to re-encrypt it to hand it on to the client that requested it. Since it cannot use the original cert for that (because it doesn't have the private key) it uses the CA in the profile to spawn a new cert using the original dn/subject/san and use that to re-encrypt.

There is no need to create new cert. Either remove the DPI if it is not needed/wanted or download the CA from your FGT and install it to your client(s) as trusted CA.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors