Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
3RR0R
New Contributor

Created on ‎03-11-2024 12:49 AM

SSL Certificates Error for Protecting SSL Server

Hello

I'm trying to set up a SSL Inspection Profile for a Server behind our Fortigate but as soon as I activate the SSL Profile I get an error for the Website that it's not been trusted. SSL Inspection Options is set to Protecting SSL Server.

If I activate the SSL Profile on the Policy and check on https://www.digicert.com/help/ I get following error:

"The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL" and the Serial Number which is shown for the Certificate I can't find under Certificates

I uploaded the Wildcard Certificate with Private Key to the Local Certificate and I can see it there. I also see the Intermediate Cert in the Remote CA Cerificate section. Do I have to upload the Root Cert as Remote Certificate to work or what could be the Problem?

I would appreciate your help!

Labels:
4054
0 Kudos
20 REPLIES 20
AEK
SuperUser
SuperUser

Created on ‎03-11-2024 02:10 AM

Hi

  • In your SSL profile, did you select the right certificate as "Server Certificate"?
  • When you get certificate warning on your browser, click on certificate information, do you see DigiCert as issuer name / verified by?
  • Do you have the whole certificate chain in the certificate file that you installed on the you FortiGate? (you can check the certificate properties in menu System > Certificates)
  • Have you tried with a client other than Android? (Windows or Linux PC)
AEK
AEK
2507
3RR0R
New Contributor
In response to AEK

Created on ‎03-11-2024 02:50 AM

Hi
Yes I did select the right Certificate in the Profile.
I also tried with different Browsers. In the Certificate Viewer on the Browser it says that the Certificate was issued by Fortinet. Even though I  selected the Server Certificate I uploaded.

 

I uploaded the Wildcard Certificate by itself. Do I have to upload the whole Certificate Chain in one File to the Fortigate?

Thank you

2499
0 Kudos
AEK
SuperUser
SuperUser
In response to 3RR0R

Created on ‎03-11-2024 03:01 AM

Hi

Then this is not a certificate chain issue. If your browser said it is using Fortinet issued certificate then the traffic is probably handled by a policy that is not using the right SSL profile.

  • Ensure that the right policy is matching the incoming traffic (check in traffic log)
  • When doing some change try from a private browser window to ensure that it doesn't use the cache

On the other hand (but this is not the cause of your issue), as per my knowledge, usually public certificates are provided with the whole certificate chain in one file. Just check your certificate properties under FGT menu/ System > Certificates). Otherwise it is better to upload it since not all client types accept a certificate without the whole chain.

AEK
AEK
2496
3RR0R
New Contributor
In response to AEK

Created on ‎03-11-2024 03:28 AM

I uploaded the whole Certificate Chain now and in the Log I can see that it takes the right Policy. As soon as I activate the SSL Profile with the Certificate the Website doesn't "work" anymore. If I check the Certificate it shows me a Fortinet Cert but the Serialnumber of this Certificate I can't even find under Certificates.
Also If I check https://www.digicert.com/help/ it shows me "The Certificate is not issued by DigiCert, GeoTrust, Thawte, or RapidSSL" and also some Serialnumber I don't know.

2484
0 Kudos
AEK
SuperUser
SuperUser
In response to 3RR0R

Created on ‎03-11-2024 04:20 AM

Which FortiOS version?

Can you also post a screenshot of both your SSL inspection profile and the firewall policy?

AEK
AEK
2455
0 Kudos
3RR0R
New Contributor
In response to AEK

Created on ‎03-11-2024 11:26 PM

We have FortiOS 7.2.4
Following the SSL Profile and the FW Policy
ssl1.jpgssl2.jpg

2386
0 Kudos
3RR0R
New Contributor
In response to AEK

Created on ‎03-12-2024 12:10 AM

If I check the Website after I activate the Firewall Rule with SSL Profile I see this:

ssl3.jpg

If I check the site on https://www.digicert.com/help/ I get following error. Also the Serialnumber which is shown I can't find in the Certificate Section on the Fortigate
ssl4.jpg

2383
0 Kudos
AEK
SuperUser
SuperUser
In response to 3RR0R

Created on ‎03-12-2024 02:10 AM

There are some related issues fixed in later patches.

First I'd recommend to patch your FortiGate to 7.2.7.

884578 - Unexpected behavior in WAD caused by enabling HTTP/2 while using virtual servers.
895962 - Intermittent behavior in WAD during SSL renegotiation while using virtual servers. 
853864 - FortiGate out-of-band certificate check issue occurs in a proxy mode policy with SSL inspection.

 

AEK
AEK
2369
3RR0R
New Contributor
In response to AEK

Created on ‎03-12-2024 02:22 AM

Yes Sorry my bad I misstyped we are on Version 7.2.7

2361
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.