Support Forum
Robert_Cerny
New Contributor II

Invalid certificate after 6.2.3 upgrade

Hi,

I recently upgraded our FG 100E from 5.6.9 to 6.2.3 and suddenly cannot login to admin from WAN because of self signed certificate. I did follow upgrade path, and it was working in 6.2.2 just right. Both Safari and Chrome disallow me to load the page completely, Firefox warns me about self-signed certificate.

I can login fine from LAN using internal IP address. Is it a correct behavior?

 

Thanks

Robert

FG-100C FG-100A FW-50B FG-60C
emnoc
Esteemed Contributor III

If you are managing the FGT via HTTPS, the same certificate is used regardless of interface. Did you set an exception in your browser? Or import the self-signed cert?

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

ShawnZA
Contributor II

Have you tried deleting cookies and site data for that site in your browsers?

Yes, I know it's the same link... but I had to do that a few times and it solved it for me.

 

On Firefox under Privacy and Security it's called "Cookies and Site Data", then "Manage Data"; find that one link in there, select it and click "Remove Selected".

Robert_Cerny

Yeah,

I know that the same certificate is used on all interfaces, but I just re-checked it and I was correct: I can connect on the LAN interface using the private IP address but not from the WAN interface via FQDN. I also removed cookies and trashed the installed SSL certificates from this FG. Weird.

FG-100C FG-100A FW-50B FG-60C
emnoc
Esteemed Contributor III

Then do incognito and retest; also flush SSL state and double-check allowaccess. It's the same certificate, and if you're using the self-signed Fortinet cert, then FQDN is not going to help: the cert is untrusted regardless of whether you're coming in from public or WAN. Also, if you're using a proxy to get to the public WAN address, that's going to hurt you too, depending on the level of security and allowances.

 

The FGT does care regardless of whether the cert is self-signed or not.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

Jordan_Thompson_FTNT

Are you using Chrome on macOS Catalina? If so, there were some changes to how self-signed certificates are trusted. We are looking into a fix on the FortiOS side. It is possible to override the warning in Chrome as well.

emnoc
Esteemed Contributor III

Agreed, and you can use curl to validate the certificate name and details:

curl -k -v https://x.x.x.x

# x.x.x.x = WAN or LAN side address

Your problem is your browser; use FF, import the cert and save it as trusted.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

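The curl call above shows the raw handshake; the script below is an added example (not code from any poster or from Fortinet) that pulls out the two things a browser actually decides on before cookies, proxies or browser choice matter: whether the admin GUI's certificate is self-signed, and whether the name you typed (FQDN or IP) is present in its SAN list. It assumes the openssl CLI (1.1.1 or newer, for -ext) is on PATH and that the GUI listens on the port you pass.

```shell
#!/bin/sh
# Inspect the certificate a FortiGate admin GUI serves on a given interface.
# Assumes openssl 1.1.1+; host names and addresses below are placeholders.

# fetch_cert HOST:PORT NAME -> PEM certificate the server sends, on stdout
fetch_cert() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null | openssl x509
}

# cert_field PEMFILE subject|issuer|notafter|san -> one normalised field
cert_field() {
    case "$2" in
        subject)  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//' ;;
        issuer)   openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//' ;;
        notafter) openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//' ;;
        # SAN list flattened to "DNS:a,IP Address:b"; empty when the cert has no SAN
        san)      openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
                  | sed -n '2,${s/^ *//;p}' | tr -d '\n' | sed 's/, */,/g' ;;
    esac
}

# is_self_signed PEMFILE -> exit 0 when issuer equals subject; no browser
# trusts such a cert until it is imported or an exception is stored for it
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ]
}

# name_matches PEMFILE NAME -> exit 0 when NAME is a DNS or IP entry in the SAN.
# Current browsers ignore the CN, so a cert with the right CN but no SAN fails,
# and a cert listing only the LAN IP fails when the box is reached by FQDN.
name_matches() {
    san=$(cert_field "$1" san)
    case ",$san," in
        *",DNS:$2,"*|*",IP Address:$2,"*) return 0 ;;
    esac
    return 1
}

# report HOST:PORT NAME -> summary, e.g. report fw.example.com:443 fw.example.com
report() {
    tmp=$(mktemp); fetch_cert "$1" "$2" >"$tmp" || { echo "no certificate from $1"; rm -f "$tmp"; return 1; }
    echo "subject:  $(cert_field "$tmp" subject)"
    echo "issuer:   $(cert_field "$tmp" issuer)"
    echo "expires:  $(cert_field "$tmp" notafter)"
    echo "SAN:      $(cert_field "$tmp" san)"
    is_self_signed "$tmp" && echo "self-signed: yes (import it or store an exception)" || echo "self-signed: no"
    name_matches "$tmp" "$2" && echo "name $2: present in SAN" || echo "name $2: NOT in SAN"
    rm -f "$tmp"
}
```

Run `report` once against the LAN address and once against the WAN FQDN; if the first reports the name as present and the second does not, the certificate, not the interface, is what the browser is rejecting.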
Robert_Cerny
New Contributor II

Thanks all

FG-100C FG-100A FW-50B FG-60C
andymemo

Jordan_Thompson_FTNT wrote:

Are you using Chrome on macOS Catalina? If so, there were some changes to how self-signed certificates are trusted. We are looking into a fix on the FortiOS side. It is possible to override the warning in Chrome as well.

I'm using Chrome v80.0.3987.122 on macOS Catalina and after upgrading to 6.2.3 I'm unable to manage my FGT via Chrome using HTTPS; I now have to use Safari. Chrome gives the error:

 

NET::ERR_CERT_INVALID

 

You cannot visit 192.168.0.254 at the moment because the website sent scrambled credentials that Google Chrome cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

 

 

Jordan_Thompson_FTNT

There are a few options for this:

  • Install a valid certificate on the FortiGate
  • Use a documented Chrome workaround to bypass the warning by typing "thisisunsafe" at the warning page
  • Use another browser

In FortiOS 6.2.3, the self-signed certificate should also work (with the original overridable warning); however, it may require a factory reset on the FortiGate to regenerate it.
