I'm not sure why my license suddenly shows as not being validated, with the error shown below. Could you please let me know what caused this and how to resolve it?
upd_fds_load_default_server6[1046]-Resolve and add fds update.fortiguard.net ipv6 address failed.
upd_comm_connect_fds[457]-Trying FDS 208.184.237.66:443
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory.cer, root ca Fortinet_CA, idx 0 (default)
[116] __ssl_cert_ctx_load: Added cert /etc/cert/factory/root_Fortinet_Factory_Backup.cer, root ca Fortinet_CA_Backup, idx 1
[497] ssl_ctx_use_builtin_store: Loaded Fortinet Trusted Certs
[517] ssl_ctx_use_builtin_store: Enable CRL checking.
[524] ssl_ctx_use_builtin_store: Enable OCSP Stapling.
[835] ssl_ctx_create_new: SSL CTX is created
[862] ssl_new: SSL object is created
[212] ssl_add_ftgd_hostname_check: Add hostname checking 'update.fortiguard.net'...
[929] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS read server hello
[720] __ssl_info_callback: TLSv1.3 read encrypted extensions
[720] __ssl_info_callback: SSLv3/TLS read server certificate request
[362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
[1070] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed
ssl_connect_fds[391]-Failed SSL connecting (5,0,Success)
[207] __ssl_data_ctx_free: Done
[1115] ssl_free: Done
[199] __ssl_cert_ctx_free: Done
[1125] ssl_ctx_free: Done
upd_comm_connect_fds[476]-Failed SSL connect
Hi @52000cc
If anycast is enabled in the FortiGuard configuration, please make the changes below and check:
config system fortiguard
set fortiguard-anycast disable
set protocol udp
set port 8888
end
Helpful articles:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGuard-Update-Fail-Server-certif...
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Unable-to-connect-to-FortiGuard-serv...
Best Regards,
Abhimanyu
Hi @52000cc ,
[929] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[720] __ssl_info_callback: before SSL initialization
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS write client hello
[720] __ssl_info_callback: SSLv3/TLS read server hello
[720] __ssl_info_callback: TLSv1.3 read encrypted extensions
[720] __ssl_info_callback: SSLv3/TLS read server certificate request
[362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
[1070] ssl_connect: SSL_connect failes: error:0A000086:SSL routines::certificate verify failed
ssl_connect_fds[391]-Failed SSL connecting (5,0,Success)
Apparently, there is something wrong with your self-signed certificate. Please check whether you have a self-signed certificate called "fortinet-ca2"; if yes, please confirm whether it is still valid.
As @akushwaha has suggested, you may switch to the UDP protocol, which will not use the self-signed certificate for SSL negotiation.
I checked; this fortinet-ca2 looks normal.
Please switch to the UDP protocol on port 8888 to try.
Hi 52000cc,
In FortiGuard debug logs, we can see the message "Cert error 19, self-signed certificate in certificate chain. Depth 2"
The issue is caused by another upstream unit (such as another FortiGate or 3rd party firewall) replacing the certificate of the connection. Because the replacement certificate is unknown to the local FortiGate, the SSL Handshake fails.
If you have verified that there is no upstream unit or other device doing the inspection and are still experiencing the issue, this might be happening because the certificate bundle is missing some public certificates.
It is possible to try changing the FortiGuard port to 8888 and the protocol to UDP.
This can only be done after disabling 'anycast'. Use the following commands:
config system fortiguard
set fortiguard-anycast disable
set port 8888
set protocol udp
end
Note: If the issue still persists with the same error, try enabling fortiguard-anycast under 'config system fortiguard' by unsetting the other changes, such as sdns-server-ip, port, and protocol.
config system fortiguard
set fortiguard-anycast enable
end
Please refer to the below document for more information:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Failed-to-contact-FortiGuard-servers-due-t...
If you have found a solution, please like and accept it to make it easily accessible to others.
Regards,
Aman
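The diagnosis above comes down to reading two lines of the update debug output: the `__upd_peer_vfy` line (OpenSSL verify error code, chain depth and the subject of the offending certificate) and the `ssl_set_hostname` line. The script below is an added example, not Fortinet code and not part of any post in this thread; it triages that output mechanically. It assumes the line formats seen in the quoted debug output, names the verify error codes from OpenSSL's X509_V_ERR table, and uses two sample logs: the first is copied from the output quoted in this thread, the second is constructed (an invented "Example Corp" inspection CA) to show what an interposed re-signing device looks like in the same line. Because the thread raises both an upstream inspector and a CA missing from the local bundle, the script reports those two cases under different categories rather than deciding between them.

```python
"""Triage FortiGuard update debug output for TLS certificate verification failures.

Added example for this thread, not Fortinet code. Parses the output of
`diagnose debug application update -1` and classifies the verify failure.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Subset of OpenSSL X509 verify error codes (openssl/x509_vfy.h).
X509_ERRORS = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    62: "X509_V_ERR_HOSTNAME_MISMATCH",
}

TRY_RE = re.compile(r"Trying FDS (\S+):(\d+)")
HOST_RE = re.compile(r"ssl_set_hostname: Set hostname '([^']+)'")
VFY_RE = re.compile(
    r"__upd_peer_vfy\[\d+\]-Server certificate failed verification\. "
    r"Error: (?P<code>\d+) \((?P<msg>[^)]*)\), depth: (?P<depth>\d+), "
    r"subject: (?P<subject>.+?)\.?\s*$"
)


def parse_dn(dn: str) -> dict:
    """Parse an OpenSSL one-line DN such as /C=US/O=Fortinet/CN=fortinet-ca2.
    Assumes attribute values contain no '/' (true for the DNs in this thread)."""
    out = {}
    for rdn in dn.strip("/").split("/"):
        if "=" in rdn:
            key, value = rdn.split("=", 1)
            out[key] = value
    return out


@dataclass
class Triage:
    fds_server: Optional[str] = None
    expected_hostname: Optional[str] = None
    error_code: Optional[int] = None
    error_name: Optional[str] = None
    depth: Optional[int] = None
    subject: dict = field(default_factory=dict)
    category: str = "none"  # none | interposed_ca | untrusted_expected_root | other


def triage(log: str, expected_org: str = "Fortinet") -> Triage:
    """Extract the verify failure from the debug output and classify it."""
    t = Triage()
    for line in log.splitlines():
        m = TRY_RE.search(line)
        if m:
            t.fds_server = f"{m.group(1)}:{m.group(2)}"
        m = HOST_RE.search(line)
        if m:
            t.expected_hostname = m.group(1)
        m = VFY_RE.search(line)
        if m:
            t.error_code = int(m.group("code"))
            t.error_name = X509_ERRORS.get(t.error_code, "UNKNOWN")
            t.depth = int(m.group("depth"))
            t.subject = parse_dn(m.group("subject"))
    if t.error_code is None:
        return t
    if t.error_code in (18, 19):  # a self-signed cert the local store does not trust
        if t.subject.get("O") == expected_org:
            # The vendor's own root is in the chain but not trusted: local CA bundle
            # is stale/incomplete, or an inspector re-signed with a copied DN.
            t.category = "untrusted_expected_root"
        else:
            # A foreign self-signed CA replaced the chain: upstream TLS inspection.
            t.category = "interposed_ca"
    else:
        t.category = "other"
    return t


# Sample 1: lines quoted from the debug output posted in this thread.
THREAD_LOG = """\
upd_comm_connect_fds[457]-Trying FDS 208.184.237.66:443
[929] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
[362] __ssl_crl_verify_cb: Cert error 19, self-signed certificate in certificate chain. Depth 2
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=fortinet-ca2/emailAddress=support@fortinet.com.
"""

# Sample 2: constructed, not from the thread; what an upstream inspection CA would show.
INSPECTION_LOG = """\
upd_comm_connect_fds[457]-Trying FDS 208.184.237.66:443
[929] ssl_set_hostname: Set hostname 'fortinet-ca2.fortinet.com'
__upd_peer_vfy[329]-Server certificate failed verification. Error: 19 (self-signed certificate in certificate chain), depth: 2, subject: /C=US/O=Example Corp/CN=Example Corp TLS Inspection Root.
"""

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("inspection", INSPECTION_LOG)):
        r = triage(log)
        print(f"{name}: {r.error_name} depth={r.depth} O={r.subject.get('O')} "
              f"CN={r.subject.get('CN')} -> {r.category}")
```

Run it against a saved copy of the debug output; `interposed_ca` points at an inspecting device upstream (the exemption-in-the-upstream-firewall fix), while `untrusted_expected_root` means the chain looks like the vendor's own but the local store does not trust it, which is where the CA-bundle and anycast/UDP suggestions in this thread apply.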
I have set it up like this; the license is validated, but the log continuously shows the certificate error.
config system fortiguard
set fortiguard-anycast enable
end
Hi 52000cc,
In the upstream, there is a third-party firewall enabling SSL deep inspection, which causes the FortiGuard update certificate error. The solution is to add an exemption in the upstream firewall for FortiGuard FQDN.
Please refer to the below document for more information:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiGuard-connection-fails-Self-sig...
If you have found a solution, please like and accept it to make it easily accessible to others.
Regards,
Aman
The upstream is the ISP, so they shouldn't be blocking client access, right? Could it be that my security configuration with certificates inspection is causing the blockage?
Hi 52000cc,
As you informed after enabling the fortiguard-anycast the license is validated.
Please run the FortiGuard debug again and attach the logs here:
diagnose debug application update -1
diagnose debug enable
execute update-now
Regards,
Aman
Copyright 2025 Fortinet, Inc. All Rights Reserved.