To provide more background on this, the Issue started from the early hours of September 30th due to the expiry of "DST Root CA X3" root CA certificate, where certificate warnings on end user’s browsers were observed. The blog explains the issue in more detail:
To address this issue, Fortinet prepared a Certificate Bundle update to remove the legacy root CA certificate from the FortiGate system. If your FortiGate has not yet received this update, please execute the below command.
Verify that certificate bundle is updated by executing the command #diagnose autoupdate versions
#diagnose autoupdate versions
Version: 1.00028 <<<<<<< 1.00028 is the required Certificate Bundle.
Contract Expiry Date: n/a
Last Updated using manual update on Thu Sep 30 17:00:00 2021
Last Update Attempt: n/a
Result: Updates Installed
You may have already been provided with a few options as workarounds to avoid running into certificate warnings.
1. Firewall policies are switched to flow based inspection.
2. Created a Clone of Certificate inspection profile to allow Invalid/Expired certificates.
You may want to revert changes made to those firewall policies and use flow-based deep inspection or proxy-based certificate inspection or proxy-based deep inspection profiles to secure HTTPS communications.
To achieve this, please follow the instructions below.
1. Ensure the firewall policy configuration is reverted to the previous desired inspection mode and ssl/ssh inspection profile.
2. As part of certificate chain
validation, FortiGate contacts identrust server for downloading the "DST
Root CA X3" expired root ca certificate in the certificate chain.
With the removal of the expired IdenTrust DST Root CA X3 in Certificate Bundle version 1.28, it is possible to prevent fallback to the expired root CA by blocking FortiGate access to apps.identrust.com, resulting in the correct root CA being used
This can be achieved by using either DNS blackholing or via an FQDN policy to block access to apps.identrust.comconfig system dns-database
Note: If apps.identrust.com removes or stops sending this expired certificate, the above dns-database config will not be needed.
In a few corner cases, the IPS engine and WAD daemon may cache the previous certificate validation results and still report certificate warnings for the end user when accessing websites.
To fix those errors, cached results must be cleared by executing the following commands.
Executing the commands below to clear the cached certificate validation results during production hours may cause the sessions handled by WAD to terminate abruptly and end users will experience timeouts.
We highly recommend to execute these commands during non-business hours.
#diag ips share clear cert_verify_cache > (when the firewall policy is in flow-mode) - Non Business Impacting
#diagnose test application wad 99 > (when the firewall policy is in proxy-mode) – Expect sessions handled by WAD to terminate abruptly.
If you have any questions or concerns, please feel free to contact Fortinet Technical support.