Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

website access problems

good afternoon colleagues, a question.
In the morning we had some problems with access to some pages that I could access normally.

In order to pass the certificate analysis I had to enter the rule and in the SSL INSPETION section change from certificate-inspection to no inspection until the page loads without problems and then return to certificate-inspection.

This problem has been occurring with other pages that were previously accessed.

 

the connection is not private

It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID


It is worth mentioning that when you enter through another network, for example, a cellular data network or a home network, if you can access the page and the message "it is not secure" does not appear.

Do you know why this happens?

 

It is worth mentioning that the certificate of the page expires in 2024 so there should be no problem.

 

2 Solutions
YBKruthi

Hi,

The error message "NET::ERR_CERT_AUTHORITY_INVALID" typically occurs in web browsers like Google Chrome and Mozilla Firefox when there is an issue with the SSL/TLS certificate of a website.

 

When the browser encounters an invalid certificate authority, it means that the SSL/TLS certificate presented by the website cannot be verified with a trusted certificate authority. There are a few common reasons why this error might occur:

 

1) Expired or Invalid Certificate: The SSL/TLS certificate may have expired or is otherwise considered invalid by the browser.

2) Self-Signed Certificate: The website is using a self-signed certificate instead of one issued by a recognized certificate authority. Self-signed certificates are not trusted by default in most browsers.

3) Mismatched Domain: The certificate is issued for a different domain or subdomain than the one you are trying to access, causing a domain mismatch.

4) Misconfigured Certificate Chain: The certificate chain provided by the server is incomplete or not properly configured.

5) Untrusted Certificate Authority: The certificate authority that issued the certificate is not recognized or trusted by the browser.

6) Root Certificate Updates: Sometimes, a user's browser may need updates to its root certificate store, which contains the list of trusted certificate authorities.

 

So, please confirm by installing the certificate on the client machine and allowing it to trust it initially, this will clarify you to narrow down the issue.

 

Regards,

Kruthi

 

 

View solution in original post

pgautam
Staff
Staff

Hi,

When FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).

In some cases, HTTPS websites using server certificates issued by Entrust will encounter an untrusted root CA warning because the specified Entrust root CA certificate in the server certificate's chain of trust is not in FortiGate's Trusted CA list (see Security Profiles -> SSL/SSH Inspection -> View Trusted CAs List on FGT).

The issue is that the HTTP site's server certificate was issued by an intermediate CA associated with a specific Entrust root CA certificate that has been deemed invalid because of an invalid certificate property. Since this Entrust root CA certificate is invalid, it's not trusted by all browsers.

This issue can be confirmed by using the URL of the affected HTTPS site with an online SSL checker website like SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/) or SSL Shopper's SSL Checker (https://www.sslshopper.com/ssl-checker.html), and observing the checker's result that the certificate chain is incomplete or the certificate is not trusted in all browsers.


Regards

Priyanka

View solution in original post

13 REPLIES 13
srajeswaran

hi @unknown1020 ,

 

As per your configuration, the profile is enabled to inspect the certificate and the error is expected as the system is not able to validate the CA for the certificate.
Can you request the CA certificate from the site owner and add it to Fortigate (upload option is there under certificates).
Technically the error you are seeing is good, because that way you know which all connections can be problematic. In this scenario, you know the certificate is valid, but if you disable this check and if some other site uses invalid certificate you will not be noticing the same and it may create security risks.

edit "certificate-inspection"
set comment "Read-only SSL handshake inspection profile."
config https
set ports 443
set status certificate-inspection
end

Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
pgautam
Staff
Staff

Hi,

When FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).

In some cases, HTTPS websites using server certificates issued by Entrust will encounter an untrusted root CA warning because the specified Entrust root CA certificate in the server certificate's chain of trust is not in FortiGate's Trusted CA list (see Security Profiles -> SSL/SSH Inspection -> View Trusted CAs List on FGT).

The issue is that the HTTP site's server certificate was issued by an intermediate CA associated with a specific Entrust root CA certificate that has been deemed invalid because of an invalid certificate property. Since this Entrust root CA certificate is invalid, it's not trusted by all browsers.

This issue can be confirmed by using the URL of the affected HTTPS site with an online SSL checker website like SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/) or SSL Shopper's SSL Checker (https://www.sslshopper.com/ssl-checker.html), and observing the checker's result that the certificate chain is incomplete or the certificate is not trusted in all browsers.


Regards

Priyanka

unknown1020
New Contributor III

thanks friend for your answer. Check the URL and I get the following: " The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GlobalSign's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates." So it's a problem on the same page right? To avoid those messages, what option should I disable in the certificate-inspection profile so that when accessing those pages I don't get those messages. ??

mgoswami
Staff
Staff

Hi, 

 

May I know if you have enabled any security profiles in the Policy?

If yes, you may try to keep the inspection mode to certificate inspection and try to disable one security policy at a time and try accessing the web-site.

This way, we may be able to isolate if any filter is causing any issue.

 

BR,

Manosh

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors