dairu

SSL Chain Broken on Fortigate to Fortiweb Setup

I've got an odd situation with our SSL certificate.

The webserver behind FortiWeb and FortiGate is configured, and the HTTPS website is working properly, except that the CA chain is broken. When using SSL checker tools, the CA cannot be seen. I might be missing something in my configuration that prevents the CA from being read.

May I know how you usually set up your SSL cert with FG and FWeb?
We have multiple domains on a single public IP and use SNI for those different websites.

Our setup is that the FortiGate is configured with a VIP going to the FortiWeb, with SSL inspection set to 'Protecting SSL Server'. The local cert and the intermediate CA cert are uploaded correctly.
Then on the FortiWeb side, we use SNI to handle the different certs of the different domains, meaning we also uploaded the local certificates as well as the CA. All websites are working and there is no SSL error when visiting the sites, but if you run any SSL tools, the CA chain is broken.

I tried a different setup, and here's what I got. On the FortiGate, if I change the SSL inspection from 'Protecting SSL Server' to 'Multiple Clients Connecting to Multiple Servers', the CA chain is restored. This would be my goal... But with this setup a different problem arose: now the public IPs of web visitors traversing to the FortiWeb are not logged properly (it logs the internal IP of the FortiGate instead), which I think means the SSL inspection is now not working on the FortiWeb. (By the way, we have the X-Forwarded-For setting, which works well when 'Protecting SSL Server' is enabled.)

The end goal should be: certs and CA chain working correctly, without compromising the logging of web visitors' public IPs. I'd appreciate any insight on how you would normally set this up. I've already been troubleshooting it for days with no luck.

Markus_M

Hi dairu,

Is this a FortiGate or a FortiWeb? They are different products.

For the FortiGate to present certificates instead of the actual webserver (that apparently sends it correctly), you need to have the intermediates uploaded as said already. You should also make sure that these are the correct intermediates. A name does not make a certificate.

It might help to see what the FortiGate actually sends, if you share the respective URL. With tools like openssl the certificate chain can be seen, maybe easier than with SSL checker.

Note that the expectation is that the server certificate is sent, along with its intermediate CA. The root CA certificate is NOT to be sent. It must be present on the client and does not need to be imported on the FortiGate.

Best regards,

Markus
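Following Markus's suggestion to look at what the device actually sends with openssl, here is an added example (not from the thread) that parses the "Certificate chain" block printed by `openssl s_client -connect HOST:443 -servername HOST -showcerts` and reports whether the leaf is followed by its intermediate and whether a root was sent unnecessarily. The sample outputs and CA names are constructed; `-servername` is needed so the SNI-selected certificate is the one being tested.

```python
import re

# Added example (not from the thread): parses the "Certificate chain" block
# printed by `openssl s_client -connect HOST:443 -servername HOST -showcerts`.
# Only subject/issuer names are compared; signatures are not verified.
# Constructed sample outputs (host and CA names are made up; the PEM blocks
# openssl prints between these lines are omitted).
SAMPLE_COMPLETE = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
 1 s:C = US, O = Example CA, CN = Example Intermediate CA
   i:C = US, O = Example CA, CN = Example Root CA
---
"""
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Example CA, CN = Example Intermediate CA
---
"""
SAMPLE_WITH_ROOT = SAMPLE_COMPLETE.replace("---", """\
 2 s:C = US, O = Example CA, CN = Example Root CA
   i:C = US, O = Example CA, CN = Example Root CA
---""")

# One match per certificate: " N s:<subject>" followed by "   i:<issuer>".
CHAIN_RE = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(1).strip(), m.group(2).strip())
            for m in CHAIN_RE.finditer(s_client_output)]

def diagnose(chain):
    """Return findings; an empty list means leaf plus intermediate(s) only."""
    if not chain:
        return ["no certificates parsed from s_client output"]
    findings = []
    for k in range(len(chain) - 1):  # each cert must be issued by the next one
        issuer, next_subject = chain[k][1], chain[k + 1][0]
        if issuer != next_subject:
            findings.append(f"cert {k} issuer '{issuer}' does not match cert "
                            f"{k + 1} subject '{next_subject}': wrong or misordered")
    last_subject, last_issuer = chain[-1]
    if last_subject == last_issuer:
        findings.append("self-signed root sent; unnecessary, client must trust it already")
    elif len(chain) == 1:
        findings.append(f"only the leaf was sent; intermediate '{last_issuer}' is missing")
    return findings
```

Pipe the real s_client output into `parse_chain` and compare the result for the 'Protecting SSL Server' and 'Multiple Clients Connecting to Multiple Servers' modes to see which intermediate, if any, the FortiGate drops.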