- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- SSL Chain Broken on Fortigate to Fortiweb Setup
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SSL Chain Broken on Fortigate to Fortiweb Setup
I got an odd situation with our SSL certificate.
Webserver under Fortiweb and FortiGate are configured, https website is working properly. Except for CA chain is broken. When using SSL checker tools, CA could not be seen. I might miss something on my configuration that CA could not be read.
May I know how do you usually setup your SSL cert with FG and Fweb?
We have multiple domains for a single Public IP and utilized SNI for those different websites.
Our setup is that Fortigate is configured with VIP going to the Fortiweb, with SSL inspection configured to 'Protecting SSL Server'. Local cert and CA Intermediate cert is uploaded correctly.
Then on the Fortweb side, we used SNI to handle the different cert of differnt domains. Meaning we also uploaded the local certificates, as well as the CA. Well all websites are working and no SSL error when visiting the sites. But if you run any SSL tools, CA chain is broken.
I tried different setup, and here's what I got. On Fortigate, If I change the SSL Inspection from 'Protecting SSL Server' to 'Multiple Clients Connecting to Multiple Server', CA Chain is restored. This would be my goal... But, with this setup different problem arose. Now all web visitors' Public IP traversing to the FortiWeb is not logging properly (logs the internal IP of Fortigate instead). Which I think means the SSL inspection is now not working on the Fortiweb. (By the way we have X-forwarded-for setting, which works well when 'Protecting SSL server' is enabled)
End goal should be: Certs and CA Chain working correctly, without compromising the logging of web visitor's Public IP. Appreciate any insight on how you would normally setup this. Already troubleshooting if for days with no luck.
- « Previous
-
- 1
- 2
- Next »
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dairu,
is this a FortiGate or a FortiWeb? Both are different products.
For the FortiGate to present certificates instead of the actual webserver (that apparently sends it correctly), you need to have the intermediates uploaded as said already. You should also make sure that these are the correct intermediates. A name does not make a certificate.
It might help to see what the FortiGate actually sends, if you share the respective URL. With tools like openssl the certificate chain can be seen, maybe easier than with SSL checker.
Note that the expectation is that the server certificate is sent, along with its intermediate CA. The root CA certificate is NOT to be sent. It must be present on the client and does not need to be imported on the FortiGate.
Best regards,
Markus
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Assistance Required for FortiWeb in (Reverse... 73 Views
- WAF signatures 220 Views
- FortiGate ethernet broken with HA 870 Views
- FortiGate Transparent Proxy 190 Views
- FortiGate/FortiAp Rolling Upgrade does not work? 457 Views
Labels
-
FortiGate
6,655 -
FortiClient
1,327 -
5.2
801 -
5.4
639 -
FortiManager
576 -
FortiAnalyzer
421 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
271 -
FortiMail
252 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
158 -
6.4
128 -
FortiNAC
109 -
FortiGuard
106 -
FortiSIEM
91 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
76 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
65 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
29 -
Firewall policy
29 -
SD-WAN
29 -
FortiConnect
24 -
High Availability
23 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
19 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
Interface
13 -
FortiDDoS
13 -
Logging
13 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.