Hi, I have a FortiGate 50E running v6.2.4build1112 The following issue occurs with different browers (FF, Chrome, Safari) and also on different platforms (Win,OSX,iOS,Android) For the last 24h I have suddently started receiving certifiacte errors on various websites which have worked flawlessly before. I get the typical HTTPS warning in my Browser (e.g. "Your connection is not private" in Chrome) and the exact error message is "NET::ERR_CERT_AUTHORITY_INVALID". Interestingly if I look at the certificate details it shows "Fortinet Untrusted CA" as the issuer. If I access these sites via mobile data these pages work fine and also the issuer is shown as a know institution (in all cases noticed so far it's "Sectigo"). In the SSL Logs I see "blocked" actions for the respective website: Message: Server certificate blocked Reason: block-cert-invalid Type: utm Sub Type: ssl Event Type: ssl-anomalies These actions are triggered by the Standard FortiGate pre-configured SSL/SSH Inspection profile "certificate-inspection" (SSL handshake inspection.) Any ideas what could be the reason for this sudden new behavior or how I could trouble shoot? Thanks in advance for any help!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
To repeat what was said earlier
"The problem is that those websites have an expired certificate in their chain (expired on May 30)."
Use ssllab to verify the cert on the web-server. If the cert is expired nothing you can do can get pass that issue. It does NOT matter that you have the cert of the CAs or webserver
https://www.ssllabs.com/ssltest/
If you would like to paste the name of the site we would gladly check for you.
Ken Felix
PCNSE
NSE
StrongSwan
I just registered for an account so that I could weigh in here. I'm actually not a Fortigate customer but I'm using a competing product with SSL inspection and I've been battling this same problem all day. If you're doing SSL inspection and you care about the integrity of website security the only way to correct this is to contact website owners. I've been doing this all day and successfully resolved the issue with many websites. I provide the website owners with a Qualys SSL Server Test report showing the expired certificates, explain the problem it's causing, and kindling request that they remove the expired certificates from their certificate chain. Removing the expired certificates form the chain resolves the issue and causes no detriment that I can see.
Seems to me this is related to the "Sectigo AddTrust External CA Root" expiring yesterday May 30, 2020 https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...
Will there be an update for this or how could I resolve this? Thanks
Hello.
In my opinion, there are two ways:
[ul]Read this:
https://sectigo.com/resou...-what-you-need-to-know
It seems that the modern web browser are not affected by this expired certicate, but this doesn't like to FortiGate SSL Inspection (and probably it's right, because it's an expired certificate).
Best.
Alessandro
We issue the certificates for the website is the fix. The browsers are probably caching the ssl-cert-chain. If you use incognito , curl, or gnutls, you will probably see the error much clearier
Ken Felix
PCNSE
NSE
StrongSwan
Thanks for the answer.
Just to help me understand a little bit better what to do: "We issue the certificates for the website is the fix" means there will be an Update to Fortinets Trusted CAs List? Thanks!
The problem is the website that you visit.
Please try to check the websites that give you the error:
https://www.sslshopper.com/ssl-checker.html
The problem is that those websites have an expired certificate in their chain (expired on May 30).
The owners of the websites must replace the expired certificate and so FortiGates can detect the right chain: you can't solve this problem on your side, unless you disable the SSL Inspection.
I'm sure, because I have replaced these expired certificates on some websites and the problem is now solved on these websites.
Best.
Alessandro
I'm in doubt, that problem is only on webserver side. According to this article:
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ
User-client should use secondary path to make the auth work. In fortigate I have both the expired cert
AddTrust External CA Root
and the new or secondary one. So should we realy wait? Or install something manualy? :)
To repeat what was said earlier
"The problem is that those websites have an expired certificate in their chain (expired on May 30)."
Use ssllab to verify the cert on the web-server. If the cert is expired nothing you can do can get pass that issue. It does NOT matter that you have the cert of the CAs or webserver
https://www.ssllabs.com/ssltest/
If you would like to paste the name of the site we would gladly check for you.
Ken Felix
PCNSE
NSE
StrongSwan
So for e.g. its wnp.pl
There are 3 paths to take, 2 of them are trusted, 1 not. So what happens is browser takes always the incorrect path, fortigate blocks it, and doesnt try two other correct ones?
Thank you for the sharing helpful information...there are two ways first is, disable SSL Inspection, second is, waiting that all the websites replace the expired certificate
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.