Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jerem42
New Contributor

Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2020

Hi, I have a FortiGate 50E running v6.2.4 build1112. The following issue occurs with different browsers (FF, Chrome, Safari) and also on different platforms (Win, OSX, iOS, Android).

For the last 24h I have suddenly started receiving certificate errors on various websites which have worked flawlessly before. I get the typical HTTPS warning in my browser (e.g. "Your connection is not private" in Chrome) and the exact error message is "NET::ERR_CERT_AUTHORITY_INVALID". Interestingly, if I look at the certificate details it shows "Fortinet Untrusted CA" as the issuer. If I access these sites via mobile data these pages work fine and the issuer is shown as a known institution (in all cases noticed so far it's "Sectigo").

In the SSL logs I see "blocked" actions for the respective website:

Message: Server certificate blocked
Reason: block-cert-invalid
Type: utm
Sub Type: ssl
Event Type: ssl-anomalies

These actions are triggered by the standard FortiGate pre-configured SSL/SSH inspection profile "certificate-inspection" (SSL handshake inspection). Any ideas what could be the reason for this sudden new behavior or how I could troubleshoot? Thanks in advance for any help!

3 Solutions

SomeDude101

I just registered for an account so that I could weigh in here. I'm actually not a Fortigate customer but I'm using a competing product with SSL inspection and I've been battling this same problem all day. If you're doing SSL inspection and you care about the integrity of website security, the only way to correct this is to contact website owners. I've been doing this all day and successfully resolved the issue with many websites. I provide the website owners with a Qualys SSL Server Test report showing the expired certificates, explain the problem it's causing, and kindly request that they remove the expired certificates from their certificate chain. Removing the expired certificates from the chain resolves the issue and causes no detriment that I can see.

27 REPLIES
jerem42
New Contributor

Seems to me this is related to the "Sectigo AddTrust External CA Root" expiring yesterday May 30, 2020 https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-202...

 

Will there be an update for this or how could I resolve this? Thanks

aleilmago

Hello.

 

In my opinion, there are two ways:

• disable SSL Inspection
• wait until all the websites replace the expired certificate

Read this:

https://sectigo.com/resou...-what-you-need-to-know

It seems that modern web browsers are not affected by this expired certificate, but FortiGate SSL Inspection doesn't like it (and it's probably right, because it's an expired certificate).

Best.

Alessandro

emnoc
Esteemed Contributor III

We issue the certificates for the website is the fix. The browsers are probably caching the SSL cert chain. If you use incognito, curl, or gnutls, you will probably see the error much clearer.

Ken Felix

PCNSE 

NSE 

StrongSwan  

jerem42
New Contributor

Thanks for the answer.

Just to help me understand a little bit better what to do: "We issue the certificates for the website is the fix" means there will be an update to Fortinet's Trusted CAs list? Thanks!

aleilmago

The problem is the website that you visit.

Please try to check the websites that give you the error:

https://www.sslshopper.com/ssl-checker.html

The problem is that those websites have an expired certificate in their chain (expired on May 30).

The owners of the websites must replace the expired certificate so that FortiGates can detect the right chain: you can't solve this problem on your side, unless you disable the SSL Inspection.

I'm sure, because I have replaced these expired certificates on some websites and the problem is now solved on these websites.

Best.

Alessandro

Darkstar

I'm in doubt that the problem is only on the web server side. According to this article:

https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ

the user client should use the secondary path to make the auth work. In FortiGate I have both the expired cert

AddTrust External CA Root

and the new or secondary one. So should we really wait? Or install something manually? :)

     

emnoc
Esteemed Contributor III

To repeat what was said earlier:

"The problem is that those websites have an expired certificate in their chain (expired on May 30)."

Use SSL Labs to verify the cert on the web server. If the cert is expired, nothing you can do can get past that issue. It does NOT matter that you have the cert of the CAs or web server.

https://www.ssllabs.com/ssltest/

If you would like to paste the name of the site we would gladly check for you.

Ken Felix

PCNSE 

NSE 

StrongSwan  

Darkstar
New Contributor

So for e.g. it's wnp.pl.

There are 3 paths to take, 2 of them are trusted, 1 not. So what happens is the browser always takes the incorrect path, FortiGate blocks it, and doesn't try the two other correct ones?
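The difference between the two behaviours discussed in this thread (a browser that still trusts the site versus an inspecting device that logs block-cert-invalid) comes down to how the client builds a certification path from the chain the server sends. The model below is an added example, not code from the thread or from Fortinet: certificates are plain records whose signatures are modelled by matching key identifiers rather than real RSA signatures, the CA names are those from the Sectigo article, www.example.com is a constructed leaf, and every notAfter value other than the May 30, 2020 AddTrust expiry is illustrative. It contrasts a strict walker that rejects the presented chain as soon as it meets an expired certificate with a path builder that tries alternatives and stops early when it reaches a key already in its trust store, and it shows that dropping the expired cross-certificate from the served chain satisfies both.

```python
"""Toy X.509 path building around the AddTrust External CA Root expiry.

Constructed model, not real certificate parsing: a certificate is "signed by"
another when the issuer name matches and the modelled key identifiers match.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str         # identifier of the public key in this certificate
    issuer_key_id: str  # identifier of the key that signed it (stands in for the signature)
    not_after: datetime


def signed_by(cert: Cert, issuer: Cert) -> bool:
    return cert.issuer == issuer.subject and cert.issuer_key_id == issuer.key_id


def same_key(a: Cert, b: Cert) -> bool:
    return a.subject == b.subject and a.key_id == b.key_id


def expired_in_chain(presented, now):
    """What a chain checker such as SSL Labs would flag: expired certs in the served chain."""
    return [c.subject for c in presented if c.not_after < now]


def strict_chain_check(presented, trust_store, now):
    """Walk the chain exactly as served, rejecting any expired certificate on the way.

    Simplified model of an inspecting device that validates the presented chain
    as-is; not a description of FortiGate internals.
    """
    for i, cert in enumerate(presented):
        if cert.not_after < now:
            return False, f"block-cert-invalid: {cert.subject} expired {cert.not_after:%Y-%m-%d}"
        if i + 1 < len(presented) and not signed_by(cert, presented[i + 1]):
            return False, f"chain broken at {cert.subject}"
    last = presented[-1]
    for anchor in trust_store:
        if anchor.not_after >= now and (signed_by(last, anchor) or same_key(last, anchor)):
            return True, "ok"
    return False, "untrusted"


def build_path(cert, presented, trust_store, now, _path=()):
    """Depth-first path builder in the spirit of RFC 4158: returns subject names or None."""
    path = _path + (cert,)
    if cert.not_after < now:
        return None
    # 1. This certificate's key is itself a trust anchor: stop here and ignore the
    #    (possibly expired) cross-signed copy the server sent.
    for anchor in trust_store:
        if anchor.not_after >= now and same_key(cert, anchor):
            return [c.subject for c in path]
    # 2. A trust anchor signed this certificate directly.
    for anchor in trust_store:
        if anchor.not_after >= now and signed_by(cert, anchor):
            return [c.subject for c in path] + [anchor.subject]
    # 3. Otherwise try every served certificate that could have signed it.
    for cand in presented:
        if cand in path or not signed_by(cert, cand):
            continue
        found = build_path(cand, presented, trust_store, now, path)
        if found:
            return found
    return None


# Constructed PKI. Only the AddTrust expiry date is taken from the thread.
_UTC = timezone.utc
NOW = datetime(2020, 6, 1, tzinfo=_UTC)
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                     "keyA", "keyA", datetime(2020, 5, 30, tzinfo=_UTC))
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority", "USERTrust RSA Certification Authority",
                      "keyU", "keyU", datetime(2038, 1, 18, tzinfo=_UTC))
# Cross-certificate: USERTrust's key, signed by AddTrust, expiring with it.
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority", "AddTrust External CA Root",
                       "keyU", "keyA", datetime(2020, 5, 30, tzinfo=_UTC))
SECTIGO_INT = Cert("Sectigo RSA Domain Validation Secure Server CA", "USERTrust RSA Certification Authority",
                   "keyS", "keyU", datetime(2030, 12, 31, tzinfo=_UTC))
LEAF = Cert("www.example.com", "Sectigo RSA Domain Validation Secure Server CA",
            "keyL", "keyS", datetime(2021, 1, 1, tzinfo=_UTC))

BAD_CHAIN = [LEAF, SECTIGO_INT, USERTRUST_CROSS]   # what the affected sites were serving
FIXED_CHAIN = [LEAF, SECTIGO_INT]                  # cross-certificate removed
MODERN_STORE = [USERTRUST_ROOT, ADDTRUST_ROOT]     # client that already trusts USERTrust
LEGACY_STORE = [ADDTRUST_ROOT]                     # old client that only knows AddTrust

if __name__ == "__main__":
    print("expired in served chain:", expired_in_chain(BAD_CHAIN, NOW))
    print("strict walk, bad chain:  ", strict_chain_check(BAD_CHAIN, MODERN_STORE, NOW))
    print("path builder, bad chain: ", build_path(LEAF, BAD_CHAIN, MODERN_STORE, NOW))
    print("path builder, legacy:    ", build_path(LEAF, BAD_CHAIN, LEGACY_STORE, NOW))
    print("strict walk, fixed chain:", strict_chain_check(FIXED_CHAIN, MODERN_STORE, NOW))
```

With the chain as served, the strict walker stops at the expired USERTrust cross-certificate, while the path builder never needs it because the Sectigo intermediate is signed by a USERTrust key that is already in the store. A client that only trusts the old AddTrust root fails either way, which is why removing the cross-certificate is the right fix for modern clients but does not rescue legacy ones.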

collectionchat

Thank you for sharing the helpful information... there are two ways: first, disable SSL Inspection; second, wait until all the websites replace the expired certificate.