good afternoon colleagues, a question.
In the morning we had some problems with access to some pages that I could access normally.
In order to pass the certificate analysis I had to enter the rule and in the SSL INSPETION section change from certificate-inspection to no inspection until the page loads without problems and then return to certificate-inspection.
This problem has been occurring with other pages that were previously accessed.
the connection is not private
It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
It is worth mentioning that when you enter through another network, for example, a cellular data network or a home network, if you can access the page and the message "it is not secure" does not appear.
Do you know why this happens?
It is worth mentioning that the certificate of the page expires in 2024 so there should be no problem.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
The error message "NET::ERR_CERT_AUTHORITY_INVALID" typically occurs in web browsers like Google Chrome and Mozilla Firefox when there is an issue with the SSL/TLS certificate of a website.
When the browser encounters an invalid certificate authority, it means that the SSL/TLS certificate presented by the website cannot be verified with a trusted certificate authority. There are a few common reasons why this error might occur:
1) Expired or Invalid Certificate: The SSL/TLS certificate may have expired or is otherwise considered invalid by the browser.
2) Self-Signed Certificate: The website is using a self-signed certificate instead of one issued by a recognized certificate authority. Self-signed certificates are not trusted by default in most browsers.
3) Mismatched Domain: The certificate is issued for a different domain or subdomain than the one you are trying to access, causing a domain mismatch.
4) Misconfigured Certificate Chain: The certificate chain provided by the server is incomplete or not properly configured.
5) Untrusted Certificate Authority: The certificate authority that issued the certificate is not recognized or trusted by the browser.
6) Root Certificate Updates: Sometimes, a user's browser may need updates to its root certificate store, which contains the list of trusted certificate authorities.
So, please confirm by installing the certificate on the client machine and allowing it to trust it initially, this will clarify you to narrow down the issue.
Regards,
Kruthi
Hi,
When FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).
In some cases, HTTPS websites using server certificates issued by Entrust will encounter an untrusted root CA warning because the specified Entrust root CA certificate in the server certificate's chain of trust is not in FortiGate's Trusted CA list (see Security Profiles -> SSL/SSH Inspection -> View Trusted CAs List on FGT).
The issue is that the HTTP site's server certificate was issued by an intermediate CA associated with a specific Entrust root CA certificate that has been deemed invalid because of an invalid certificate property. Since this Entrust root CA certificate is invalid, it's not trusted by all browsers.
This issue can be confirmed by using the URL of the affected HTTPS site with an online SSL checker website like SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/) or SSL Shopper's SSL Checker (https://www.sslshopper.com/ssl-checker.html), and observing the checker's result that the certificate chain is incomplete or the certificate is not trusted in all browsers.
Regards
Priyanka
Please try to install the certificate on local machine in browser under trusted root certificate and check it.
Regards,
kunal
but why? If the certificate of those pages expires in one year, there are also several users who have the problem
Hi,
The error message "NET::ERR_CERT_AUTHORITY_INVALID" typically occurs in web browsers like Google Chrome and Mozilla Firefox when there is an issue with the SSL/TLS certificate of a website.
When the browser encounters an invalid certificate authority, it means that the SSL/TLS certificate presented by the website cannot be verified with a trusted certificate authority. There are a few common reasons why this error might occur:
1) Expired or Invalid Certificate: The SSL/TLS certificate may have expired or is otherwise considered invalid by the browser.
2) Self-Signed Certificate: The website is using a self-signed certificate instead of one issued by a recognized certificate authority. Self-signed certificates are not trusted by default in most browsers.
3) Mismatched Domain: The certificate is issued for a different domain or subdomain than the one you are trying to access, causing a domain mismatch.
4) Misconfigured Certificate Chain: The certificate chain provided by the server is incomplete or not properly configured.
5) Untrusted Certificate Authority: The certificate authority that issued the certificate is not recognized or trusted by the browser.
6) Root Certificate Updates: Sometimes, a user's browser may need updates to its root certificate store, which contains the list of trusted certificate authorities.
So, please confirm by installing the certificate on the client machine and allowing it to trust it initially, this will clarify you to narrow down the issue.
Regards,
Kruthi
Hello, thanks for answering. Excuse me and how do I get the certificate? Does the owner of the page have to give it to me?
Hi
Certificate Inspection should not break any SSL connections. The Fortigate only inspects the SNI on the Client Hello or the Server Certificate when Certificate Inspection is used. It does not attempt a MitM.
Could you post the output of the CLI commands, "config firewall ssl-ssh-profile", "edit <your profile>", "show"?
This is the default certificate-inspection profile.
Along with the certificate profile please collect the wireshark from the test machine to check the issue.
Regards
Priyanka
Hello, the default profile is being used:
edit "certificate-inspection"
set comment "Read-only SSL handshake inspection profile."
config https
set ports 443
set status certificate-inspection
end
config ftps
set status disable
end
config imaps
set status disable
end
config pop3s
set status disable
end
config smtps
set status disable
end
config ssh
set ports 22
set status disable
end
config dot
set status disable
end
One question, what option is causing those messages to appear when you want to access those pages? I would like to disable that option without having to change the certificate-inspection profile
the connection is not private
It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
On your SSL inspection profile, under Trusted CA list, do you see the CA for the specific certificate in question? If not, that is the most possible reason for this error.
then if the CA of the certificate is not in that list of the certificate-inspection profile. What option should I disable in that profile so that when trying to access those pages those messages no longer appear?
the connection is not private
It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
Hi,
maybe this helps to understand certificates better:
in very short: certificates are supposed to come in a chain. The webserver has a server certificate, which is signed by a CA (CERT_AUTHORITY) certificate and that is usually signed by another CA.
The webserver is supposed to send the webserver certificate and the CA certificates that signed that webserver certificate.
The client, your browser is supposed to receive the certificates and build the chain complete -
server > signing CA (intermediate CA) > signing CA (root CA)
If that fails because the server only sends the server certificate and nothing else, the client may be unable to complete the chain. The error is presented: NET::ERR_CERT_AUTHORITY_INVALID
The "server" certificate is coming from a webserver which is either
- the actual webserver, like https://www.fortinet.com
OR
- if your FortiGate is using SSL deep inspection on that same firewall policy, then the FortiGate has to play being the webserver instead, creating its own chain.
The same chain principle applies and every SSL client, needs to be able to complete the certificate chain. If FortiGate is doing deep inspection you need to download its CA certificate (see the respective DPI profile) and install it on the client. If FortiGate is NOT doing deep inspection, then you need to contact the webserver administrator. That is not to give you the certificate, but to fix the webserver.
Any(!) public webserver is supposed to send certificates as per description above. There might be special cases, but the administrator would have instructed you then for sure.
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1673 | |
1083 | |
752 | |
446 | |
226 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.