Chrome Update 58 Breaks FortiAuthenticator CA Certs

Author
theFWdude
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/04 08:53:22
  • Status: offline
2017/04/27 15:09:49 (permalink)
0

Chrome Update 58 Breaks FortiAuthenticator CA Certs

I'm currently leveraging my FAC as a "stand alone" CA server and used it to "Sign" my Fortigate Web Admin Certificates; however, last night my Chrome Browser (and, I assume, other users') updated and now I get the following error:

This server could not prove that it is myfirewall.mydomain.com; its security certificate is from [missing_subjectAltName]. This may be caused by a misconfiguration or an attacker intercepting your connection
Browser Info: Google Chrome Version 58.0.3029.81 (64-bit)
 
Given that my Gates are not joined to the domain, they do not have a "UPN" or email address so I don't really know how to leverage SAN certificates for them.
 
Just checking to see if anyone else is currently experiencing this issue as well.
#1
theFWdude
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/04 08:53:22
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/04/27 15:12:41 (permalink)
0
I'm guessing this is talking about the FAC's (root) Local CA Cert. In that case I need to re-create the local CA cert and point it to the FAC UPN since it's joined to the domain?
#2
emnoc
Expert Member
  • Total Posts : 3997
  • Scores: 219
  • Reward points: 0
  • Joined: 2008/03/20 13:30:33
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/04/27 20:59:53 (permalink)
0
Read your certificate back in via openssl and see what's present.
 
Examples:
 
openssl x509 -in <certname> -noout -text
 
and
 
openssl asn1parse -i -dump -in <certname>
 
 
Since you're leaning towards this being UPN related, what does the openssl output show?
 
 

PCNSE6,PCNSE7, ACE, CCNP,FCNSP,FCESP,Linux+,CEH,ECSA,SCSA,SCNA,CISCA email/web
#3
ted barker
Bronze Member
  • Total Posts : 31
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/26 14:43:11
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/04/27 21:44:28 (permalink)
0
Chrome 58 requires SAN.

There is a temp workaround (for 1 year), but you have to re-create the certificates.

https://communities.ca.com/thread/241776307


This is from a reddit forum entry:



This update just made my day a nightmare. So many certificates to regenerate, and openssl doesn't have a nice way to specify SAN; I had to generate configuration files by script... Any reason to request a SAN field in certificates?

EDIT: just found out it's related to RFC 2818 from year 2000. The identity check on CN seems deprecated to a dNSName in SAN extension.

https://www.reddit.com/r/...ted_warning_for_certs/
post edited by ted barker - 2017/04/27 21:53:51
#4
Ahslan
New Member
  • Total Posts : 15
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/07/29 07:24:51
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/12 06:37:59 (permalink)
0
Damn! Was just wondering why I was getting cert warning when accessing all of my fortinet appliances :(
The weird thing on top of that was when I try logging into something after the cert warning, I get an error. The error differs depending on the device I'm trying to access (fortigates indicate that they are unable to connect to the server and fortimanager\fortianalyzer indicate that I do not have permissions to the device). Was a little freaked out by this but then noticed that I was able to log in with no issues if I access the web gui via the IP of the device rather than its FQDN... weird
#5
ergotherego
Bronze Member
  • Total Posts : 43
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/09/08 18:37:57
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/12 09:19:57 (permalink)
0
The issue here appears to be that FAC does not support creating certificates using a SAN type of DNS, only URL. Not via the GUI or via CSRs generated manually by OpenSSL.
 
I created a CSR manually following the instructions below and FAC totally ignored my SAN details.
 
http://apetec.com/support/GenerateSAN-CSR.htm
 
Can someone from FortiNet confirm this is the issue, and if/when you can release a patch/fix for this please?
#6
theFWdude
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/04 08:53:22
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 05:25:12 (permalink)
0
Well, we've pretty much established that SAN cert creation on the FAC is broken, correct? FTNT, any recommendations on this issue?
#7
gsarica
Bronze Member
  • Total Posts : 47
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/07/28 13:23:52
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 06:32:29 (permalink)
0
I was able to create a new cert today with a valid SAN field. You're using the proper syntax? Needs to be entered like DNS:XXXXXX or IP:X.X.X.X
 
Edit: Sorry just noticed you were referring to FAC, I was able to generate the new cert on a FGT.
post edited by gsarica - 2017/05/17 06:35:31
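The two checks this thread keeps circling back to (emnoc's "read the certificate back in via openssl", and gsarica's DNS:/IP: SAN syntax, plus ergotherego's manually built CSR) can be reproduced end to end with openssl alone. The script below is an added example, not code from the thread or from Fortinet: it builds a CN-only certificate and a SAN certificate for a constructed hostname and IP (myfirewall.mydomain.com and 192.0.2.1 are placeholders), builds a CSR that requests the same SAN, and then reads each artifact back the way Chrome 58 does, matching the hostname only against dNSName entries and ignoring the CN. It requires an openssl binary on the path.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the Chrome 58 hostname check.
# Chrome 58 ignores the CN and matches the hostname only against dNSName
# entries in subjectAltName; a certificate with no SAN fails with
# [missing_subjectAltName]. Hostname and IP below are constructed placeholders.
set -e

HOST="myfirewall.mydomain.com"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# OpenSSL config: a subject with only a CN, plus an extension section that
# adds a SAN using the DNS:/IP: syntax (the same form a FortiGate CSR expects).
cat > "$WORK/san.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = $HOST

[ san_ext ]
subjectAltName = DNS:$HOST, IP:192.0.2.1
EOF

# One private key shared by both certificates and the CSR.
openssl genrsa -out "$WORK/key.pem" 2048 2>/dev/null

# Certificate 1: CN only, no SAN -- what browsers accepted before Chrome 58.
openssl req -x509 -new -key "$WORK/key.pem" -days 365 \
  -config "$WORK/san.cnf" -out "$WORK/cn-only.pem" 2>/dev/null

# Certificate 2: same subject, SAN added through -extensions.
openssl req -x509 -new -key "$WORK/key.pem" -days 365 \
  -config "$WORK/san.cnf" -extensions san_ext -out "$WORK/with-san.pem" 2>/dev/null

# A CSR that requests the SAN (-reqexts). Whether a CA copies the extension into
# the issued certificate is up to the CA, which is exactly the FAC complaint in
# this thread, so always read the issued certificate back rather than the CSR.
openssl req -new -key "$WORK/key.pem" -config "$WORK/san.cnf" \
  -reqexts san_ext -out "$WORK/with-san.csr" 2>/dev/null

# Print the SAN line of a certificate (empty when the extension is absent).
san_line() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Same for a CSR, to confirm the request itself carries the SAN.
csr_san_line() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Return 0 when a Chrome-58-style match would succeed: the name must appear as a
# DNS: entry in the SAN. The CN is not consulted at all.
chrome58_accepts() {
  san_line "$1" | grep -qE "(^|, )DNS:${2}(,|$)"
}

echo "CN-only cert SAN : '$(san_line "$WORK/cn-only.pem")'"
echo "SAN cert SAN     : '$(san_line "$WORK/with-san.pem")'"
echo "CSR SAN          : '$(csr_san_line "$WORK/with-san.csr")'"
for c in cn-only with-san; do
  if chrome58_accepts "$WORK/$c.pem" "$HOST"; then
    echo "$c.pem: Chrome 58 would accept this certificate for $HOST"
  else
    echo "$c.pem: Chrome 58 would reject this certificate for $HOST (missing_subjectAltName)"
  fi
done
```

Running it shows the CN-only certificate has an empty SAN line and is rejected, while the second certificate's SAN reads DNS:myfirewall.mydomain.com, IP Address:192.0.2.1 and is accepted. The same san_line check applied to a certificate issued by the FAC is the quickest way to confirm whether the CA actually carried the requested SAN into the signed certificate, which is what theFWdude reports it does not.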
#8
tanr
Gold Member
  • Total Posts : 230
  • Scores: 8
  • Reward points: 0
  • Joined: 2016/05/09 17:09:43
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 07:56:50 (permalink)
0
Has anybody created a support ticket on this?
#9
theFWdude
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/04 08:53:22
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/17 07:57:49 (permalink)
0
I have one open with FortiTAC.
#10
theFWdude
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/04 08:53:22
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/18 16:40:28 (permalink)
0
Updated my case and am waiting to hear back. Even when the Gate submits the CSR with a "Subject Alternative Name", the .cert is actually missing the SAN portion of the cert.
#11
theFWdude
New Member
  • Total Posts : 9
  • Scores: 0
  • Reward points: 0
  • Joined: 2016/10/04 08:53:22
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/22 06:44:05 (permalink)
0
Anyone else been able to get this working? I seem to be getting nowhere with support.
#12
Bromont_FTNT
Platinum Member
  • Total Posts : 541
  • Scores: 41
  • Reward points: 0
  • Joined: 2012/11/19 07:22:36
  • Status: offline
Re: Chrome Update 58 Breaks FortiAuthenticator CA Certs 2017/05/22 06:56:17 (permalink)
0
Looks like this (SAN) will be added to v5, still at least a few weeks away from release.
#13