Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Sudden HTTPS certificate errors
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2020
Hi, I have a FortiGate 50E running v6.2.4build1112 The following issue occurs with different browers (FF, Chrome, Safari) and also on different platforms (Win,OSX,iOS,Android) For the last 24h I have suddently started receiving certifiacte errors on various websites which have worked flawlessly before. I get the typical HTTPS warning in my Browser (e.g. "Your connection is not private" in Chrome) and the exact error message is "NET::ERR_CERT_AUTHORITY_INVALID". Interestingly if I look at the certificate details it shows "Fortinet Untrusted CA" as the issuer. If I access these sites via mobile data these pages work fine and also the issuer is shown as a know institution (in all cases noticed so far it's "Sectigo"). In the SSL Logs I see "blocked" actions for the respective website: Message: Server certificate blocked Reason: block-cert-invalid Type: utm Sub Type: ssl Event Type: ssl-anomalies These actions are triggered by the Standard FortiGate pre-configured SSL/SSH Inspection profile "certificate-inspection" (SSL handshake inspection.) Any ideas what could be the reason for this sudden new behavior or how I could trouble shoot? Thanks in advance for any help!
Solved! Go to Solution.
Labels:
- Labels:
-
6.2
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
3 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To repeat what was said earlier
"The problem is that those websites have an expired certificate in their chain (expired on May 30)."
Use ssllab to verify the cert on the web-server. If the cert is expired nothing you can do can get pass that issue. It does NOT matter that you have the cert of the CAs or webserver
https://www.ssllabs.com/ssltest/
If you would like to paste the name of the site we would gladly check for you.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just registered for an account so that I could weigh in here. I'm actually not a Fortigate customer but I'm using a competing product with SSL inspection and I've been battling this same problem all day. If you're doing SSL inspection and you care about the integrity of website security the only way to correct this is to contact website owners. I've been doing this all day and successfully resolved the issue with many websites. I provide the website owners with a Qualys SSL Server Test report showing the expired certificates, explain the problem it's causing, and kindling request that they remove the expired certificates from their certificate chain. Removing the expired certificates form the chain resolves the issue and causes no detriment that I can see.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may like to check the article at https://kb.fortinet.com/k...amp;externalId=FD49028
28 REPLIES 28
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems to me this is related to the "Sectigo AddTrust External CA Root" expiring yesterday May 30, 2020 https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...
Will there be an update for this or how could I resolve this? Thanks
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello.
In my opinion, there are two ways:
[ul]Read this:
https://sectigo.com/resou...-what-you-need-to-know
It seems that the modern web browser are not affected by this expired certicate, but this doesn't like to FortiGate SSL Inspection (and probably it's right, because it's an expired certificate).
Best.
Alessandro
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We issue the certificates for the website is the fix. The browsers are probably caching the ssl-cert-chain. If you use incognito , curl, or gnutls, you will probably see the error much clearier
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer.
Just to help me understand a little bit better what to do: "We issue the certificates for the website is the fix" means there will be an Update to Fortinets Trusted CAs List? Thanks!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem is the website that you visit.
Please try to check the websites that give you the error:
https://www.sslshopper.com/ssl-checker.html
The problem is that those websites have an expired certificate in their chain (expired on May 30).
The owners of the websites must replace the expired certificate and so FortiGates can detect the right chain: you can't solve this problem on your side, unless you disable the SSL Inspection.
I'm sure, because I have replaced these expired certificates on some websites and the problem is now solved on these websites.
Best.
Alessandro
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm in doubt, that problem is only on webserver side. According to this article:
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ
User-client should use secondary path to make the auth work. In fortigate I have both the expired cert
AddTrust External CA Root
and the new or secondary one. So should we realy wait? Or install something manualy? :)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To repeat what was said earlier
"The problem is that those websites have an expired certificate in their chain (expired on May 30)."
Use ssllab to verify the cert on the web-server. If the cert is expired nothing you can do can get pass that issue. It does NOT matter that you have the cert of the CAs or webserver
https://www.ssllabs.com/ssltest/
If you would like to paste the name of the site we would gladly check for you.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So for e.g. its wnp.pl
There are 3 paths to take, 2 of them are trusted, 1 not. So what happens is browser takes always the incorrect path, fortigate blocks it, and doesnt try two other correct ones?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the sharing helpful information...there are two ways first is, disable SSL Inspection, second is, waiting that all the websites replace the expired certificate
Omegle
Chatiw
Chatavenue
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Certificate error message when device is... 319 Views
- certificate for FGFM protocol - Error... 538 Views
- Certificate error in internal lan 734 Views
- The first connection using Microsoft Entra... 828 Views
- Renew SSL Certificate Error 2369 Views
Labels
-
FortiGate
8,508 -
FortiClient
1,722 -
5.2
801 -
FortiManager
716 -
5.4
639 -
FortiAnalyzer
548 -
Fortiswitch
460 -
FortiAP
460 -
6.0
416 -
FortiClient EMS
411 -
5.6
362 -
FortiMail
310 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
223 -
FortiWeb
200 -
5.0
196 -
IPsec
188 -
FortiNAC
180 -
FortiGuard
136 -
6.4
128 -
SD-WAN
110 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
96 -
FortiToken
89 -
FortiAuthenticator
84 -
Customer Service
78 -
Wireless Controller
76 -
Firewall policy
71 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
54 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
50 -
vlan
47 -
ZTNA
46 -
FortiExtender
45 -
FortiSandbox
44 -
FortiDNS
42 -
Routing
40 -
DNS
40 -
BGP
39 -
LDAP
39 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
34 -
Certificate
33 -
Authentication
31 -
SSO
31 -
Interface
31 -
NAT
30 -
RADIUS
29 -
FortiConnect
27 -
FortiLink
27 -
FortiWAN
25 -
FortiConverter
25 -
VDOM
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
Web profile
24 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
SSL SSH inspection
20 -
FortiPortal
19 -
FortiSwitch v6.2
18 -
FortiMonitor
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
WAN optimization
15 -
FortiGate v5.0
14 -
System settings
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiSOAR
12 -
FortiCASB
12 -
snmp
12 -
Automation
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Fabric connector
7 -
Intrusion prevention
7 -
Explicit proxy
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
Traffic shaping profile
6 -
Fortinet Engage Partner Program
6 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
Web rating
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
Cloud Management Security
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
TACACS
2 -
Schedule
2 -
SDN connector
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1663 | |
| 1077 | |
| 752 | |
| 446 | |
| 220 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.