Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Tutek_OLD
New Contributor

SSL deep inspection and ERR_CONNECTION_RESET error.

Hi,

we facing a problem many many websites not working with error "ERR_CONNECTION_RESET"

sites became available when I disable ssl deep inspection (ssl certificate is deployed on all client computers)

How could I troubleshot this?

3 REPLIES 3
mhe
Contributor II

aagrafi
Contributor II

Hi,

 

This is probably due to a bug and Fortinet has distributed the following information to partners:

 

Access to Websites blocked using SSL inspection -Bug ID 750551

 

There appears to be an ongoing issue with the certificate chain of a root certificate authority (ISRG Root X1). This issue will affect all vendors of SSL-inspection products whether deep or just certificate inspection is in use.

 

This issue has been reported and we will keep you posted on the developments.

 

Currently, the workarounds are:

Make a backup. At the top right > click your profile > Config > backup

1. Use flow-based web filtering. Note: the firewall policy will need to be in flow-mode as well for this to work.

2. Alternatively in the SSL Inspection Profile > Invalid Certificate > "Custom" and Allow "Expired Certificate" in the interim. (This should be used with caution).

 

For more info, Please checkout the following links:

https://docs.fortinet.com/document/fortigate/6.2.0/new-features/245593/inspection-mode-per-policy

https://kb.fortinet.com/kb/documentLink.do?externalID=FD49028

 

 

Further information on the stale certificate:

https://marketresearchtelecast.com/lets-encrypt-certificates-stuttering-possible-on-september-30th/1...

 

Hope that helps

it_service
New Contributor II

Issue on 6.4.5 temporarily resolved by following workaround: 1: verify cert bundle is v28 -> diag autoupdate versions -> execute update-now 2: apply DNS blackhole workaround: -> config system dns-database -> edit "1" -> set domain "identrust.com" -> config dns-entry -> edit 1 -> set hostname "apps" -> set ip 127.0.0.1 -> next -> end 3a: flow-mode: -> diag ips share clear cert_verify_cache 3b: proxy-mode: ->:diag test app wad 99

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors