- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: problems with certificate inspection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
website access problems
good afternoon colleagues, a question.
In the morning we had some problems with access to some pages that I could access normally.
In order to pass the certificate analysis I had to enter the rule and in the SSL INSPETION section change from certificate-inspection to no inspection until the page loads without problems and then return to certificate-inspection.
This problem has been occurring with other pages that were previously accessed.
the connection is not private
It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
It is worth mentioning that when you enter through another network, for example, a cellular data network or a home network, if you can access the page and the message "it is not secure" does not appear.
Do you know why this happens?
It is worth mentioning that the certificate of the page expires in 2024 so there should be no problem.
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
2 Solutions
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
The error message "NET::ERR_CERT_AUTHORITY_INVALID" typically occurs in web browsers like Google Chrome and Mozilla Firefox when there is an issue with the SSL/TLS certificate of a website.
When the browser encounters an invalid certificate authority, it means that the SSL/TLS certificate presented by the website cannot be verified with a trusted certificate authority. There are a few common reasons why this error might occur:
1) Expired or Invalid Certificate: The SSL/TLS certificate may have expired or is otherwise considered invalid by the browser.
2) Self-Signed Certificate: The website is using a self-signed certificate instead of one issued by a recognized certificate authority. Self-signed certificates are not trusted by default in most browsers.
3) Mismatched Domain: The certificate is issued for a different domain or subdomain than the one you are trying to access, causing a domain mismatch.
4) Misconfigured Certificate Chain: The certificate chain provided by the server is incomplete or not properly configured.
5) Untrusted Certificate Authority: The certificate authority that issued the certificate is not recognized or trusted by the browser.
6) Root Certificate Updates: Sometimes, a user's browser may need updates to its root certificate store, which contains the list of trusted certificate authorities.
So, please confirm by installing the certificate on the client machine and allowing it to trust it initially, this will clarify you to narrow down the issue.
Regards,
Kruthi
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
When FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).
In some cases, HTTPS websites using server certificates issued by Entrust will encounter an untrusted root CA warning because the specified Entrust root CA certificate in the server certificate's chain of trust is not in FortiGate's Trusted CA list (see Security Profiles -> SSL/SSH Inspection -> View Trusted CAs List on FGT).
The issue is that the HTTP site's server certificate was issued by an intermediate CA associated with a specific Entrust root CA certificate that has been deemed invalid because of an invalid certificate property. Since this Entrust root CA certificate is invalid, it's not trusted by all browsers.
This issue can be confirmed by using the URL of the affected HTTPS site with an online SSL checker website like SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/) or SSL Shopper's SSL Checker (https://www.sslshopper.com/ssl-checker.html), and observing the checker's result that the certificate chain is incomplete or the certificate is not trusted in all browsers.
Regards
Priyanka
- « Previous
-
- 1
- 2
- Next »
13 REPLIES 13
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi @unknown1020 ,
As per your configuration, the profile is enabled to inspect the certificate and the error is expected as the system is not able to validate the CA for the certificate.
Can you request the CA certificate from the site owner and add it to Fortigate (upload option is there under certificates).
Technically the error you are seeing is good, because that way you know which all connections can be problematic. In this scenario, you know the certificate is valid, but if you disable this check and if some other site uses invalid certificate you will not be noticing the same and it may create security risks.
edit "certificate-inspection"
set comment "Read-only SSL handshake inspection profile."
config https
set ports 443
set status certificate-inspection
end
Regards,
Suraj
- Have you found a solution? Then give your helper a "Kudos" and mark the solution.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
When FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).
In some cases, HTTPS websites using server certificates issued by Entrust will encounter an untrusted root CA warning because the specified Entrust root CA certificate in the server certificate's chain of trust is not in FortiGate's Trusted CA list (see Security Profiles -> SSL/SSH Inspection -> View Trusted CAs List on FGT).
The issue is that the HTTP site's server certificate was issued by an intermediate CA associated with a specific Entrust root CA certificate that has been deemed invalid because of an invalid certificate property. Since this Entrust root CA certificate is invalid, it's not trusted by all browsers.
This issue can be confirmed by using the URL of the affected HTTPS site with an online SSL checker website like SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/) or SSL Shopper's SSL Checker (https://www.sslshopper.com/ssl-checker.html), and observing the checker's result that the certificate chain is incomplete or the certificate is not trusted in all browsers.
Regards
Priyanka
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks friend for your answer. Check the URL and I get the following: " The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GlobalSign's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates." So it's a problem on the same page right? To avoid those messages, what option should I disable in the certificate-inspection profile so that when accessing those pages I don't get those messages. ??
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
May I know if you have enabled any security profiles in the Policy?
If yes, you may try to keep the inspection mode to certificate inspection and try to disable one security policy at a time and try accessing the web-site.
This way, we may be able to isolate if any filter is causing any issue.
BR,
Manosh
- « Previous
-
- 1
- 2
- Next »
Related Posts
- Virtual server and SSL inspection 116 Views
- vivaldi browser wont reach any webpage 797 Views
- Connection from VLAN to VIP does... 346 Views
- What might be the cause of... 293 Views
- IPsec phase1 negotiation failes due to... 334 Views
Labels
-
FortiGate
6,768 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
581 -
FortiAnalyzer
425 -
6.0
416 -
5.6
362 -
FortiSwitch
347 -
FortiAP
346 -
FortiClient EMS
274 -
FortiMail
263 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
162 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
69 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
41 -
Fortivoice
41 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiExtender
33 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
High Availability
24 -
FortiConnect
24 -
FortiAuthenticator
23 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
FortiMonitor
14 -
BGP
14 -
DNS
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Fortigate Cloud
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.