Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
paka
New Contributor

Usage of "Secure" TLS

Anyone using "secure" TLS, i.e. including a check of the CA issuer?

We're running an evaluation of FortiMail and I just can't get this to work. I'm trying to configure it for sending to gmail.com. I've downloaded their intermediate cert and the GeoTrust root cert and created a TLS profile, but I keep getting "TLS certificate CA verify failed" in the logs. So, is anyone successfully using "Check CA Issuer"? Are there any other secrets to making it work, other than the steps outlined in the documentation?

3 REPLIES
Paul_S
Contributor

I'm not using that, but I did see a lot of CA fail messages in my logs before I imported my CA certs for my local PKI. However, I still see the errors when dealing with outside connections.

FG200D 5.6.5 (HA) - primary; FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x; FAZ-VM 5.6.5 | Fortimail 5.3.11; Network+, Security+
emnoc
Esteemed Contributor III

OP, have you tried to pull the cert by a manual process and check the CA issuer and cert chain? Port 25 needs STARTTLS, and -verify takes a numeric depth:

openssl s_client -starttls smtp -showcerts -verify 5 -connect <mail-server>:25

PCNSE NSE StrongSwan
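The manual check suggested above, worked through as an added example (not from this thread, and not Fortinet's code): fetch the chain a mail server presents over STARTTLS, then verify the leaf against the root you hold with the intermediates passed as untrusted chain material, which is the check a CA-issuer TLS profile performs. So that it runs offline, the script also builds a constructed throwaway PKI (root, intermediate, mail.example.test leaf, plus an unrelated root) and runs the same verification against it in the two ways it fails. All file names, the mail.example.test hierarchy and the `<your-mx-host>` placeholder are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or Fortinet. Reproduces by hand the check a
# "Check CA Issuer" TLS profile performs: does the server's chain verify up to a
# trust anchor you hold? fetch_smtp_chain is the online step against a real MX;
# the rest builds a constructed throwaway PKI so the demo runs offline.
set -eu

# Pull the chain a mail server presents over STARTTLS on port 25 and split it
# into leaf.pem (server cert) and chain-1.pem, chain-2.pem ... (issuers, in the
# order sent). Online step; not run by the offline demo below.
fetch_smtp_chain() {  # fetch_smtp_chain HOST OUTDIR [PORT]
    host=$1; outdir=$2; port=${3:-25}
    mkdir -p "$outdir"
    # </dev/null ends the session after the handshake; -servername sends SNI.
    openssl s_client -starttls smtp -showcerts -servername "$host" \
        -connect "$host:$port" </dev/null 2>/dev/null |
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; inside = 1
            f = (n == 1) ? (dir "/leaf.pem") : (dir "/chain-" (n - 1) ".pem") }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }'
}

# Verify LEAF against the trust anchor(s) in CAFILE only (-no-CApath/-no-CAfile
# keep the system store out of it), passing intermediates as untrusted chain
# material exactly as a server would send them. Exit 0 means the chain is good;
# anything else is the manual equivalent of "TLS certificate CA verify failed".
verify_chain() {  # verify_chain CAFILE LEAF [INTERMEDIATE...]
    ca=$1; leaf=$2; shift 2
    untrusted=""
    for cert in "$@"; do untrusted="$untrusted -untrusted $cert"; done
    # $untrusted is word-split on purpose (demo paths contain no spaces).
    # shellcheck disable=SC2086
    openssl verify -no-CApath -no-CAfile -CAfile "$ca" $untrusted "$leaf" >/dev/null 2>&1
}

# --- constructed PKI for the offline demo -----------------------------------
# A private req config keeps the system openssl.cnf from adding its own extensions.
write_req_config() {  # write_req_config DIR
    cat > "$1/req.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$1/leaf.ext"
}

# Issue NAME, signed by ISSUER, with the extensions in EXTFILE.
issue() {  # issue DIR NAME ISSUER EXTFILE SUBJECT
    dir=$1; name=$2; issuer=$3; ext=$4; subj=$5
    openssl req -new -config "$dir/req.cnf" -newkey ec \
        -pkeyopt ec_paramgen_curve:prime256v1 -nodes -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
        -CAkey "$dir/$issuer.key" -CAcreateserial -days 2 \
        -extfile "$dir/$ext" -out "$dir/$name.pem" >/dev/null 2>&1
}

# root -> intermediate -> mail.example.test, plus an unrelated other-root that
# stands in for "the root I downloaded is not the one this chain ends at".
make_test_pki() {  # make_test_pki DIR
    dir=$1; mkdir -p "$dir"; write_req_config "$dir"
    for ca in root other-root; do
        openssl req -x509 -config "$dir/req.cnf" -newkey ec \
            -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 2 \
            -subj "/CN=Constructed $ca" -keyout "$dir/$ca.key" \
            -out "$dir/$ca.pem" >/dev/null 2>&1
    done
    issue "$dir" intermediate root ca.ext "/CN=Constructed intermediate"
    issue "$dir" leaf intermediate leaf.ext "/CN=mail.example.test"
}

report() {  # report LABEL CAFILE LEAF [INTERMEDIATE...]
    label=$1; shift
    if verify_chain "$@"; then echo "$label: OK"; else echo "$label: CA verify failed"; fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_test_pki "$WORK"
report "right root, intermediate supplied" "$WORK/root.pem"       "$WORK/leaf.pem" "$WORK/intermediate.pem"
report "wrong root, intermediate supplied" "$WORK/other-root.pem" "$WORK/leaf.pem" "$WORK/intermediate.pem"
report "right root, intermediate missing"  "$WORK/root.pem"       "$WORK/leaf.pem"
```

Against a real server, run `fetch_smtp_chain <your-mx-host> ./chain` and then `verify_chain downloaded-root.pem chain/leaf.pem chain/chain-1.pem`. Only the first demo line verifies; the other two are the two ordinary ways a CA-issuer check fails: the root you imported is not the one the presented chain actually ends at, or no intermediate is available to bridge leaf and root. Comparing the issuer printed by `openssl x509 -in chain/chain-1.pem -noout -issuer` with the subject of the root you downloaded tells you which case you are in before you touch the appliance configuration.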
phnx85
New Contributor

I had a similar problem with our FortiMail while running in trial mode. TLS would not work at all, not even for connections to our internal Exchange servers. Importing a CA certificate would fail with a generic error message. When we got a license for it, I was able to import certificates and TLS started working.
