Invalid certificate after 6.2.3 upgrade

Author
Robert Cerny
Silver Member
  • Total Posts : 104
  • Scores: 2
  • Reward points: 0
  • Joined: 2008/04/08 01:50:22
  • Status: offline
2020/02/18 23:17:34 (permalink)
0

Invalid certificate after 6.2.3 upgrade

Hi,
I recently upgraded our FG 100E from 5.6.9 to 6.2.3 and suddenly cannot login to admin from WAN because of self signed certificate. I did follow upgrade path, and it was working in 6.2.2 just right. Both Safari and Chrome disallow me to load the page completely, Firefox warns me about self-signed certificate.
I can login fine from LAN using internal IP address. Is it a correct behavior?
 
Thanks
Robert

FG-100C
FG-100A
FW-50B
FG-60C
#1

14 Replies

    emnoc
    Expert Member
    • Total Posts : 5769
    • Scores: 375
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/02/19 01:25:06 (permalink)
    0
    If you're managing the FGT via https, the same certificate is used regardless of interface. Did you set an exception in your browser? Or import the self-signed cert?
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #2
    ShawnZA
    Silver Member
    • Total Posts : 95
    • Scores: 11
    • Reward points: 0
    • Joined: 2018/04/02 23:31:22
    • Location: Cape Town
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/02/19 02:45:04 (permalink)
    0
    Have you tried deleting cookies and site data for that site in your browsers?
     Yes, I know it's the same link.... but had to do that a few times and solved it for me
     
    On Firefox under Privacy and Security it's called "Cookies and Site Data", then "Manage Data", and find that one link in there, select it and click "Remove Selected"
    #3
    Robert Cerny
    Silver Member
    • Total Posts : 104
    • Scores: 2
    • Reward points: 0
    • Joined: 2008/04/08 01:50:22
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/02/19 03:31:29 (permalink)
    0
    Yeah,
    I know that the same certificate is used on all interfaces but I just re-checked it and I was correct - I can connect on LAN interface using private IP address but not from WAN interface via FQDN. I also removed cookies and trashed installed SSL certificates from this FG. Weird.

    FG-100C
    FG-100A
    FW-50B
    FG-60C
    #4
    emnoc
    Expert Member
    • Total Posts : 5769
    • Scores: 375
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/02/19 07:01:56 (permalink)
    0
    Then do incognito and retest, also flush SSL states and double check allowaccess, it's the same certificate and if you're using the self-signed Fortinet cert, then FQDN is not going to help, the cert is untrusted regardless if you're coming in from public or WAN. Also if you're using a proxy to get to the public-WAN address that's going to hurt you also depending on the level of security and allowances.
     
    The FGT does care regardless if the cert is SelfSigned or not.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #5
    Jordan_Thompson_FTNT
    optimizzz
    • Total Posts : 489
    • Scores: 18
    • Reward points: 0
    • Joined: 2011/10/17 21:30:20
    • Location: Canada
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/02/19 08:31:10 (permalink)
    5 (1)
    Are you using Chrome on MacOS Catalina? If so, there were some changes to how self signed certificates are trusted. We are looking into a fix on the FortiOS side. It is possible to override the warning in Chrome as well. 
    #6
    emnoc
    Expert Member
    • Total Posts : 5769
    • Scores: 375
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/02/19 08:38:52 (permalink)
    0
    agreed and you can use curl to validate the certificate name and details
     
    curl -k -v https://x.x.x.x
     
    # x.x.x.x = WAN or LAN side address
     
    Your problem is your browser, use FF and import the cert and save it as trusted
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #7
    Robert Cerny
    Silver Member
    • Total Posts : 104
    • Scores: 2
    • Reward points: 0
    • Joined: 2008/04/08 01:50:22
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/02/19 11:33:20 (permalink)
    0
    Thanks all

    FG-100C
    FG-100A
    FW-50B
    FG-60C
    #8
    andymemo
    Bronze Member
    • Total Posts : 48
    • Scores: 2
    • Reward points: 0
    • Joined: 2007/05/25 01:20:54
    • Location: Gisborne, NZ
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/03/01 00:46:17 (permalink)
    0
    Jordan_Thompson_FTNT
    Are you using Chrome on MacOS Catalina? If so, there were some changes to how self signed certificates are trusted. We are looking into a fix on the FortiOS side. It is possible to override the warning in Chrome as well. 

    I'm using Chrome v80.0.3987.122 on MacOS Catalina and after upgrading to 6.2.3 I'm unable to manage my FGT via Chrome using HTTPS, I now have to use Safari. Chrome gives the error:
     
    NET::ERR_CERT_INVALID
     
    You cannot visit 192.168.0.254 at the moment because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.
     
     
    #9
    Jordan_Thompson_FTNT
    optimizzz
    • Total Posts : 489
    • Scores: 18
    • Reward points: 0
    • Joined: 2011/10/17 21:30:20
    • Location: Canada
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/03/02 09:39:25 (permalink)
    0
    There are a few options for this:
    • Install a valid certificate on the FortiGate
    • Use a documented Chrome workaround to bypass the warning by typing "thisisunsafe" at the warning page
    • Use another browser
    In FortiOS 6.2.3, the self signed certificate should also work (with the original overridable warning), however it may require a factory reset on the FortiGate to regenerate it.
    #10
    andymemo
    Bronze Member
    • Total Posts : 48
    • Scores: 2
    • Reward points: 0
    • Joined: 2007/05/25 01:20:54
    • Location: Gisborne, NZ
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/03/02 12:21:14 (permalink)
    0
    Thanks for your reply @Jordan_Thompson_FTNT. My thoughts / feedback on the work arounds...
    • Install cert - yes, valid option, unlikely many people will do this in a single or small multi FortiGate deployment due to cost.
    • Use documented chrome workaround - This isn't an option, since 6.2.3 upgrade there is no 'accept warning and continue' option :(
    • Use another browser - pretty much the only realistic option. 
    • Factory reset a FortiGate - definitely not an option in many cases.
    I appreciate this is not entirely Fortinet's fault as Chrome has its restrictions and other browsers work. Hopefully this is something that is resolved soon - 6.2.4 or 6.4 :)
     
    #11
    Jordan_Thompson_FTNT
    optimizzz
    • Total Posts : 489
    • Scores: 18
    • Reward points: 0
    • Joined: 2011/10/17 21:30:20
    • Location: Canada
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/03/02 13:24:00 (permalink)
    0
    andymemo
    • Use documented chrome workaround - This isn't an option, since 6.2.3 upgrade there is no 'accept warning and continue' option :(

    Although this is true, you can type "thisisunsafe" at that screen and it will allow you to bypass it. Chrome supports this as an option to override the warnings that they show. They do change the phrase from time to time, so keep that in mind.
    #12
    Celio
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/24 07:30:38
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/06/22 07:47:53 (permalink)
    0
    Jordan_Thompson_FTNT
    andymemo
    • Use documented chrome workaround - This isn't an option, since 6.2.3 upgrade there is no 'accept warning and continue' option :(

    Although this is true, you can type "thisisunsafe" at that screen and it will allow you to bypass it. Chrome supports this as an option to override the warnings that they show. They do change the phrase from time to time, so keep that in mind.

    Hello there,
     
    I was searching for a solution for this same problem, FortiOS 6.2.4 and Chrome 83 on macOS Catalina and when getting the "invalid certificate" message, just typing "thisisunsafe" on the Chrome window jumps to the FortiGate login page.
     
    "Knowledge is power"
    #13
    fab138
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/08/05 08:05:45
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/08/05 08:12:32 (permalink)
    0
    Hi All
    I'm new to the community.  I submitted a ticket with Fortinet for this exact problem and the tech had no idea about it and performed all kinds of things to solve the problem.  Celio thanks for the "thisisunsafe" hint.
     
    What I would like to know is if Fortinet has solved this problem yet?  I'm running FortiOS 6.2.4 and the problem still exists.  I assume, known issue 597003 (https://docs.fortinet.com/document/fortigate/6.2.4/fortios-release-notes/289806/resolved-issues) is the problem we are running into but I can not find anywhere that this issue is addressed in any of the FortiOS 6.4.x releases.
    #14
    localhost
    Gold Member
    • Total Posts : 135
    • Scores: 25
    • Reward points: 0
    • Joined: 2015/05/21 02:47:51
    • Location: Zug, Switzerland
    • Status: offline
    Re: Invalid certificate after 6.2.3 upgrade 2020/08/05 10:08:59 (permalink)
    0
    I don't have this issue... but replacing the certificate looks like a quick fix to me.
     
    Run this on a Linux Box:
    openssl req -x509 -sha256 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 3650
     
    Import certificate into FortiGate and then change the HTTPS server certificate on the FortiGate gui:
    System -> Settings -> Administration Settings -> HTTPS Server certificate
    #15
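Added example, not code from the thread or from Fortinet: it ties together emnoc's suggestion in #7 to check the certificate's name and details and localhost's openssl command in #15. The script generates a replacement self-signed certificate the way #15 does, but non-interactively and with a subjectAltName (Chrome matches the host name against the SAN, not the CN), then inspects the fields a browser checks before you import it as the HTTPS server certificate. The host name fw.example.test, the function names and the 825-day validity are my assumptions; `req -addext` needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the thread: build a self-signed cert with a SAN and
# inspect the attributes a browser checks before importing it on the FortiGate.
# Needs OpenSSL 1.1.1+ for `req -addext`. Host names are placeholders.
set -eu

# gen_cert DIR FQDN: RSA-2048 key, SHA-256 signature, 825-day validity,
# SAN = DNS:FQDN. -nodes and -subj keep it non-interactive (the thread's
# command prompts for a passphrase and subject fields instead).
gen_cert() {
  openssl req -x509 -sha256 -newkey rsa:2048 -nodes \
    -keyout "$1/key.pem" -out "$1/cert.pem" -days 825 \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" >/dev/null 2>&1
}

# cert_field FILE WHAT: print one attribute of a PEM certificate
cert_field() {
  case $2 in
    subject) openssl x509 -in "$1" -noout -subject ;;
    dates)   openssl x509 -in "$1" -noout -dates ;;
    sigalg)  openssl x509 -in "$1" -noout -text \
               | sed -n 's/^ *Signature Algorithm: //p' | head -n 1 ;;
    bits)    openssl x509 -in "$1" -noout -text \
               | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' ;;
    san)     openssl x509 -in "$1" -noout -text \
               | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//' ;;
    *)       echo "unknown field: $2" >&2; return 2 ;;
  esac
}

# cert_ok FILE FQDN: return 0 when the cert lists FQDN in its SAN, has a key
# of at least 2048 bits and a SHA-2 signature; otherwise print the first
# problem found and return 1
cert_ok() {
  san=$(cert_field "$1" san)
  bits=$(cert_field "$1" bits)
  alg=$(cert_field "$1" sigalg)
  case "$san" in
    *"DNS:$2"*) ;;
    *) echo "SAN does not list $2 (got: $san)"; return 1 ;;
  esac
  [ "${bits:-0}" -ge 2048 ] || { echo "key too small: $bits bits"; return 1; }
  case "$alg" in
    sha256*|sha384*|sha512*) ;;
    *) echo "weak signature algorithm: $alg"; return 1 ;;
  esac
  return 0
}

# show_remote_cert HOST: the same inspection against a live FortiGate, the
# s_client equivalent of the `curl -k -v` in post #7 (needs network access,
# so it is not run in the demo below)
show_remote_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Demo: build a cert for a placeholder FQDN and verify it offline
work=$(mktemp -d)
gen_cert "$work" fw.example.test
cert_field "$work/cert.pem" subject
cert_field "$work/cert.pem" dates
cert_ok "$work/cert.pem" fw.example.test && echo "cert looks importable"
```

After `cert_ok` passes, import `cert.pem` and `key.pem` on the FortiGate and select it under System -> Settings -> Administration Settings -> HTTPS Server certificate as post #15 describes; the browser will still need the certificate (or its issuer) added to its trust store, since nothing here makes a self-signed certificate trusted on its own.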