Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2020
I have a FortiGate 50E running v6.2.4build1112
The following issue occurs with different browsers (FF, Chrome, Safari) and also on different platforms (Win, OSX, iOS, Android).
For the last 24h I have suddenly started receiving certificate errors on various websites which have worked flawlessly before.
I get the typical HTTPS warning in my browser (e.g. "Your connection is not private" in Chrome) and the exact error message is "NET::ERR_CERT_AUTHORITY_INVALID".
Interestingly, if I look at the certificate details it shows "Fortinet Untrusted CA" as the issuer.
If I access these sites via mobile data these pages work fine and also the issuer is shown as a known institution (in all cases noticed so far it's "Sectigo").
In the SSL Logs I see "blocked" actions for the respective website:
Message: Server certificate blocked
Sub Type: ssl
Event Type: ssl-anomalies
These actions are triggered by the Standard FortiGate pre-configured SSL/SSH Inspection profile "certificate-inspection" (SSL handshake inspection.)
Any ideas what could be the reason for this sudden new behavior or how I could troubleshoot?
Thanks in advance for any help!
I just registered for an account so that I could weigh in here. I'm actually not a FortiGate customer but I'm using a competing product with SSL inspection and I've been battling this same problem all day. If you're doing SSL inspection and you care about the integrity of website security, the only way to correct this is to contact website owners. I've been doing this all day and successfully resolved the issue with many websites. I provide the website owners with a Qualys SSL Server Test report showing the expired certificates, explain the problem it's causing, and kindly request that they remove the expired certificates from their certificate chain. Removing the expired certificates from the chain resolves the issue and causes no detriment that I can see.
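One way to see which certificates in a server's chain have expired, using the openssl command line instead of the Qualys report mentioned in the reply above. This is an added example, not part of the thread; the function names and `chain.pem` are assumptions of the example, and `example.com` is a placeholder host.

```bash
#!/usr/bin/env bash
# Added example. List certificates in a PEM chain that are expired, or that
# expire within SECONDS from now. Function and file names are hypothetical.
#
# Capture the chain a server sends (example.com is a placeholder host):
#   openssl s_client -connect example.com:443 -servername example.com \
#       -showcerts </dev/null 2>/dev/null > chain.pem
#   expired_in_chain chain.pem

# split_chain FILE DIR: write each PEM certificate in FILE to DIR/cert-N.pem,
# ignoring the non-PEM text that s_client prints around the certificates.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# expired_in_chain FILE [SECONDS]: print subject and notAfter of every
# certificate that is expired (SECONDS=0, the default) or expires within
# SECONDS. Returns 1 if any such certificate was found, 0 otherwise.
expired_in_chain() {
  local file="$1" within="${2:-0}" tmp pem rc=0
  tmp=$(mktemp -d) || return 2
  split_chain "$file" "$tmp"
  for pem in "$tmp"/cert-*.pem; do
    [ -e "$pem" ] || continue
    # -checkend exits non-zero when notAfter falls inside the window
    if ! openssl x509 -in "$pem" -noout -checkend "$within" >/dev/null; then
      openssl x509 -in "$pem" -noout -subject -enddate
      rc=1
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# Run directly as: ./script.sh chain.pem [SECONDS]
if [ "$#" -gt 0 ]; then expired_in_chain "$@"; fi
```

Run from a network path that bypasses the inspecting firewall, so the output reflects the chain the origin server actually sends.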