Description
This article describes one possible reason why the certificate chain served by the SSL VPN portal appears incomplete even though the root certificate is installed.
Under System -> Certificates the root CA and the local (server) certificate both show as installed, yet when the portal is checked with the openssl command the chain it sends is not complete as it should be: only the server certificate is presented, without the intermediate CA certificates the client needs to build a path to the root.
Make sure to have the right certificate configured under VPN -> SSL-VPN Settings:
Check the certificate chain via the openssl command:
C:\Users\fortinet> openssl s_client -showcerts -connect lab.testlab.com.au:443
CONNECTED(000001B4)
depth=0 CN = *.testlab.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
---
Certificate chain
 0 s:CN = *.testlab.com.au
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 11 00:00:00 2023 GMT; NotAfter: Oct 10 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
Solution
Restart the sslvpnd process using the fnsysctl command. Note that killing the daemon drops every active SSL VPN session until it respawns, so do this in a maintenance window:
fnsysctl killall sslvpnd
After that, the openssl command should show the complete chain, with the verification walking from depth=3 (the root) down to depth=0 (the server certificate). The remaining num=19 error is a client-side condition, not a server one: s_client was run without a trust store, so it does not trust the self-signed AAA Certificate Services root it received. Passing -CAfile or -CApath with that root clears it. What matters is that the num=20 and num=21 errors are gone and the FortiGate now sends the intermediate certificates at depths 1 to 3:
C:\Users\fortinet> openssl s_client -showcerts -connect lab.testlab.com.au:443
CONNECTED(000001B4)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
---
Certificate chain
 0 s:CN = *.testlab.com.au
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 11 00:00:00 2023 GMT; NotAfter: Oct 10 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----
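Reading the s_client transcript by eye works for one portal; for a fleet of SSL VPN gateways it helps to script the check. The following Python is added here as an example and is not part of the Fortinet article: it parses `openssl s_client -showcerts` output (captured to a file, or via subprocess) and reports whether the server sent a linked chain, distinguishing the server-side problem above (num=20/21 at depth 0, no intermediates) from the harmless client-side num=19. The two embedded transcripts are constructed from the before/after output in this article: the verify lines and chain entry 0 are as shown, entries 1 to 3 of the repaired chain are filled in from its depth=1..3 lines, and the PEM bodies are omitted because the parser does not need them.

```python
import re
from dataclasses import dataclass

# Two `openssl s_client -showcerts` transcripts, constructed for this example
# from the article's before/after output (PEM bodies omitted; entries 1-3 of
# the second transcript are inferred from its depth=1..3 verify lines).
INCOMPLETE_CHAIN = """\
CONNECTED(000001B4)
depth=0 CN = *.testlab.com.au
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
---
Certificate chain
 0 s:CN = *.testlab.com.au
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 11 00:00:00 2023 GMT; NotAfter: Oct 10 23:59:59 2024 GMT
---
"""

COMPLETE_CHAIN = """\
CONNECTED(000001B4)
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify error:num=19:self-signed certificate in certificate chain
verify return:1
depth=3 C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
verify return:1
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
verify return:1
depth=0 CN = *.testlab.com.au
verify return:1
---
Certificate chain
 0 s:CN = *.testlab.com.au
   i:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
 1 s:C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
 3 s:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
---
"""


@dataclass
class ChainReport:
    subjects: list           # subject of each certificate the server sent, leaf first
    verify_errors: list      # (depth, code, message) for every "verify error" line
    linked: bool             # each certificate's issuer is the next certificate's subject
    root_sent: bool          # last certificate sent is self-signed (a root)
    server_chain_ok: bool    # chain is linked and the leaf's issuer was available
    note: str = ""


def parse_s_client(output: str):
    """Split an s_client transcript into (verify errors, [(subject, issuer), ...])."""
    errors, depth = [], None
    for line in output.splitlines():
        m = re.match(r"depth=(\d+) ", line)
        if m:
            depth = int(m.group(1))   # a verify error line refers to the depth line before it
            continue
        m = re.match(r"verify error:num=(\d+):(.*)", line)
        if m and depth is not None:
            errors.append((depth, int(m.group(1)), m.group(2).strip()))
    # Chain entries are an " N s:<subject>" line followed by an "   i:<issuer>" line.
    certs = [(m.group(1).strip(), m.group(2).strip())
             for m in re.finditer(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)]
    return errors, certs


def diagnose(output: str) -> ChainReport:
    """Decide whether the server (not the client's trust store) is the reason the chain fails."""
    errors, certs = parse_s_client(output)
    linked = all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))
    root_sent = bool(certs) and certs[-1][0] == certs[-1][1]
    # num=20 (unable to get local issuer certificate) and num=21 (unable to verify the
    # first certificate) at depth 0 mean the leaf's issuer was neither sent nor known locally.
    leaf_issuer_missing = any(d == 0 and code in (20, 21) for d, code, _ in errors)
    server_ok = bool(certs) and linked and not leaf_issuer_missing
    if server_ok and any(code == 19 for _, code, _ in errors):
        note = ("num=19 only means the client did not trust the self-signed root it was sent; "
                "pass -CAfile/-CApath to s_client to clear it.")
    elif not server_ok:
        note = "server is not sending the intermediate certificate(s) the client needs."
    else:
        note = ""
    return ChainReport([s for s, _ in certs], errors, linked, root_sent, server_ok, note)


if __name__ == "__main__":
    for label, text in (("before restart", INCOMPLETE_CHAIN), ("after restart", COMPLETE_CHAIN)):
        r = diagnose(text)
        print(f"{label}: {len(r.subjects)} cert(s) sent, linked={r.linked}, "
              f"root_sent={r.root_sent}, server_chain_ok={r.server_chain_ok} {r.note}")
```

Feed it real output with `openssl s_client -showcerts -connect host:443 </dev/null > out.txt` and `diagnose(open("out.txt").read())`; a `server_chain_ok` of False on a gateway whose intermediates are installed is the symptom this article's restart addresses.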
Related document:
OPENSSL