Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2020

jerem42
New Member
2020/05/31 02:39:06 (permalink) 6.2

Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2020

Hi,

I have a FortiGate 50E running v6.2.4build1112

The following issue occurs with different browsers (FF, Chrome, Safari) and also on different platforms (Win, OSX, iOS, Android).

For the last 24h I have suddenly started receiving certificate errors on various websites which have worked flawlessly before.
I get the typical HTTPS warning in my Browser (e.g. "Your connection is not private" in Chrome) and the exact error message is "NET::ERR_CERT_AUTHORITY_INVALID".

Interestingly if I look at the certificate details it shows "Fortinet Untrusted CA" as the issuer.
If I access these sites via mobile data these pages work fine and also the issuer is shown as a known institution (in all cases noticed so far it's "Sectigo").

In the SSL Logs I see "blocked" actions for the respective website:
Message: Server certificate blocked
Reason:    block-cert-invalid
Type:    utm
Sub Type:    ssl
Event Type:    ssl-anomalies

These actions are triggered by the Standard FortiGate pre-configured SSL/SSH Inspection profile "certificate-inspection" (SSL handshake inspection.)

Any ideas what could be the reason for this sudden new behavior or how I could troubleshoot?
Thanks in advance for any help!


post edited by jerem42 - 2020/05/31 05:20:24
#1
jerem42
New Member
Re: Sudden HTTPS certificate errors 2020/05/31 05:19:45 (permalink)
Seems to me this is related to the "Sectigo AddTrust External CA Root" expiring yesterday May 30, 2020
https://support.sectigo.com/articles/Knowledge/Sectigo-AddTrust-External-CA-Root-Expiring-May-30-2020
 
Will there be an update for this or how could I resolve this?
Thanks
#2
aleilmago
New Member
Re: Sudden HTTPS certificate errors 2020/05/31 07:00:20 (permalink)
Hello.
 
In my opinion, there are two ways:
  • disable SSL Inspection
  • wait until all the websites replace the expired certificate
Read this:
https://sectigo.com/resou...-what-you-need-to-know
It seems that modern web browsers are not affected by this expired certificate, but FortiGate SSL Inspection doesn't like it (and it's probably right, because it's an expired certificate).
 
Best.
Alessandro
#3
emnoc
Expert Member
Re: Sudden HTTPS certificate errors 2020/05/31 09:00:41 (permalink)
We issue the certificates for the website is the fix. The browsers are probably caching the ssl-cert-chain. If you use incognito, curl, or gnutls, you will probably see the error much clearer.
 
 
Ken Felix

PCNSE 
NSE 
StrongSwan  
#4
jerem42
New Member
Re: Sudden HTTPS certificate errors 2020/05/31 10:48:35 (permalink)
Thanks for the answer.
Just to help me understand a little bit better what to do:
"We issue the certificates for the website is the fix" means there will be an update to Fortinet's Trusted CAs list?
Thanks!
#5
aleilmago
New Member
Re: Sudden HTTPS certificate errors 2020/05/31 11:25:18 (permalink)
The problem is the website that you visit.
Please try to check the websites that give you the error:
https://www.sslshopper.com/ssl-checker.html
 
The problem is that those websites have an expired certificate in their chain (expired on May 30).
 
The owners of the websites must replace the expired certificate and so FortiGates can detect the right chain: you can't solve this problem on your side, unless you disable the SSL Inspection.
 
I'm sure, because I have replaced these expired certificates on some websites and the problem is now solved on these websites.
 
Best.
Alessandro
#6
Darkstar
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 02:46:26 (permalink)
I'm in doubt, that problem is only on webserver side. According to this article:
https://support.sectigo.com/Com_KnowledgeDetailPage?Id=kA01N000000rgSZ
 
The user client should use the secondary path to make the auth work. In FortiGate I have both the expired cert
AddTrust External CA Root
and the new or secondary one. So should we really wait? Or install something manually? :)
 
#7
emnoc
Expert Member
Re: Sudden HTTPS certificate errors 2020/06/01 03:34:29 (permalink) ☼ Best Answer by jerem42 2020/06/01 05:44:07
To repeat what was said earlier
 
"The problem is that those websites have an expired certificate in their chain (expired on May 30)."
 
Use SSL Labs to verify the cert on the web server. If the cert is expired nothing you can do can get past that issue. It does NOT matter that you have the cert of the CAs or webserver.
 
https://www.ssllabs.com/ssltest/
 
If you would like to paste the name of the site we would gladly check for you.
 
Ken Felix
 

PCNSE 
NSE 
StrongSwan  
#8
Darkstar
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 04:02:17 (permalink)
So for e.g. it's wnp.pl
There are 3 paths to take, 2 of them are trusted, 1 not. So what happens is the browser always takes the incorrect path, FortiGate blocks it, and doesn't try the two other correct ones?
#9
collectionchat
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 04:54:33 (permalink)
Thank you for sharing the helpful information... there are two ways: first, disable SSL Inspection; second, wait until all the websites replace the expired certificate.
#10
jerem42
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 07:29:15 (permalink)
emnoc wrote:
  To repeat what was said earlier

  "The problem is that those websites have an expired certificate in their chain (expired on May 30)."

  Use SSL Labs to verify the cert on the web server. If the cert is expired nothing you can do can get past that issue. It does NOT matter that you have the cert of the CAs or webserver.

  https://www.ssllabs.com/ssltest/

  If you would like to paste the name of the site we would gladly check for you.

  Ken Felix

Thank you, I understand.

Can you just explain shortly, or guide me to understand, why these sites work in the main browsers when I am on my mobile data plan, for example? Thanks!
#11
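As an added illustration (not code from anyone in this thread) of Darkstar's question in #9 and jerem42's question in #11: a toy Python model of the two validation strategies. The certificate names follow Sectigo's public hierarchy, but the records, dates and the strict-validator behaviour are constructed; nothing here parses real X.509 or checks signatures.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 cert: no parsing, no signature checks
    subject: str
    issuer: str
    not_after: date

    def expired_on(self, day: date) -> bool:
        return day > self.not_after

# Constructed certificates modelled on the public Sectigo hierarchy; dates are approximate.
LEAF = Cert("www.example.test", "Sectigo RSA Domain Validation Secure Server CA", date(2021, 6, 1))
SECTIGO_DV = Cert("Sectigo RSA Domain Validation Secure Server CA",
                  "USERTrust RSA Certification Authority", date(2030, 12, 31))
USERTRUST_CROSS = Cert("USERTrust RSA Certification Authority",       # the cross-signed copy
                       "AddTrust External CA Root", date(2020, 5, 30))  # expired May 30, 2020
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root", date(2020, 5, 30))
USERTRUST_ROOT = Cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority", date(2038, 1, 18))

SERVED_CHAIN = [LEAF, SECTIGO_DV, USERTRUST_CROSS]  # what the web server still sends
TRUST_STORE = [ADDTRUST_ROOT, USERTRUST_ROOT]       # the firewall holds both roots (post #7)
BEFORE_EXPIRY, AFTER_EXPIRY = date(2020, 5, 29), date(2020, 5, 31)

def validate_served_chain(chain, store, day):
    """Strict validator: accept only the exact chain the server sent, anchored in the store."""
    for cert in chain:
        if cert.expired_on(day):
            return False, f"block-cert-invalid: {cert.subject} expired {cert.not_after}"
    anchor = next((r for r in store if r.subject == chain[-1].issuer), None)
    if anchor is None or anchor.expired_on(day):
        return False, "block-cert-invalid: no valid trust anchor"
    return True, f"anchored at {anchor.subject}"

def build_path(chain, store, day):
    """Browser-style path builder: try every candidate issuer (store first), skipping expired ones."""
    def extend(path):
        if path[-1] in store:          # reached a trust anchor
            return path
        for cand in store + chain:     # prefer the local root over the served copy
            if cand.subject == path[-1].issuer and cand not in path and not cand.expired_on(day):
                found = extend(path + [cand])
                if found:
                    return found
        return None
    return None if chain[0].expired_on(day) else extend([chain[0]])
```

On 2020-05-31 the strict validator stops at the cross-signed intermediate (the thread's `block-cert-invalid`), while `build_path` reaches the still-valid USERTrust root in the local store; both succeed on 2020-05-29, which is why the sites "worked flawlessly before".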
mvonhatten
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 09:13:38 (permalink)
Are you using proxy-based inspection mode?
#12
Kevin Shanus
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 10:20:44 (permalink)
How can this make sense?
support.sectigo.com = Old Cert
sectigo.com = New Cert
#13
aleilmago
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 11:06:02 (permalink)
Kevin,
I have already informed Sectigo about support.sectigo.com, but they replied to me that there is no issue:
[...] I don't see any issue with our certificate. Thank you anyway for your email. [...]
 
My thought, after having informed some owners of websites with the expired certificate: Fortinet should find another solution, because in my personal opinion the owners of the websites will not replace the expired certificate soon.
In fact Sectigo officially writes that it's not mandatory to replace the certificate, because the new browsers/clients are able to "exclude" the expired certificate.
I don't agree with this theory: I replace the expired certificates with valid certificates.
 
Best.
Alessandro
#14
aleilmago
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 11:14:03 (permalink)
Hi.
 
Temporary workaround (even if I don't like it): create a new SSL/SSH Inspection profile with "Validation failed certificates" allowed.
I don't like it, but there are too many websites with this expired certificate.
 
Best.
Alessandro
#15
SomeDude101
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 13:19:54 (permalink) ☄ Helpful by tanr 2020/06/02 07:53:01
I just registered for an account so that I could weigh in here. I'm actually not a FortiGate customer but I'm using a competing product with SSL inspection and I've been battling this same problem all day. If you're doing SSL inspection and you care about the integrity of website security the only way to correct this is to contact website owners. I've been doing this all day and successfully resolved the issue with many websites. I provide the website owners with a Qualys SSL Server Test report showing the expired certificates, explain the problem it's causing, and kindly request that they remove the expired certificates from their certificate chain. Removing the expired certificates from the chain resolves the issue and causes no detriment that I can see.
#16
alex.valenzuela
New Member
Re: Sudden HTTPS certificate errors 2020/06/01 18:38:58 (permalink)
Is there a way for the firewall to make SSL inspection exceptions for some sites?
 
This site, https://sistema.contpaqi.com/loginContpaqi/Login: if I open it in Firefox and check the certificate chains, all are valid.
But when we enable Fortinet SSL inspection it fails...

It's not clear to me why Fortinet is failing some sites that check OK with Firefox, Chrome, Edge...

post edited by alex.valenzuela - 2020/06/02 09:37:00
#17
sysinit
New Member
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/06/02 02:52:45 (permalink)
Hi!
 
I am new to Fortinet, but with other vendors you simply delete or at least deactivate the expired root certificate from the firewall, so that another certificate chain path is chosen. But on my FortiGate, I only can see a very short list of locally installed certificates, so I am not sure if there is at all the possibility to influence the used root certificates in any way.
 
Kind regards,
Daniel
#18
Kevin Shanus
New Member
Re: Sudden HTTPS certificate errors 2020/06/02 04:24:50 (permalink)
alex.valenzuela wrote:
  Is there a way for the firewall to make SSL inspection exceptions for some sites?

There are two ways that I know of:
1 - You can create a new IPv4 Policy with SSL Inspection set to no-inspection and for destination put the site addresses you don't want inspected.

2 - I know with deep packet inspection you can add addresses to the Exempt list in its profile.

A temporary workaround is to select "Allow invalid SSL certificates" under Common Options, but I think if we collectively do what SomeDude101 said it will help resolve this problem quicker and properly.
#19
Admin_FTNT
Administrator
Re: Sudden HTTPS certificate errors 2020/06/02 14:53:12 (permalink) ☄ Helpful by aleg 2020/06/02 16:30:11
You may like to check the article at https://kb.fortinet.com/k...amp;externalId=FD49028
#20