Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2020

Page: < 12 Showing page 2 of 2
Author
aleg
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/02 16:29:10
  • Status: offline
Re: Sudden HTTPS certificate errors 2020/06/02 16:39:48 (permalink)
0
The web server admin should not have to replace all certs to fix this problem.  The problem is with the inspection method being performed by the Fortigate.
 
When these sites/services are accessed _outside_ of an environment using a Fortigate for SSL inspection, they work.  The error message is coming from the Fortigate.
 
It takes 10 seconds of testing on a mobile phone.  And, maybe 1-2 minutes using https://www.ssllabs.com/ssltest/
 
There are three paths to roots for each of these leaf Sectigo certs:
 
  1. trusts USERTrust CA root cert from an on-board CA certificate store;
  2. is the 'hard-coded' one followed by using a chained cert with intermediate and root specified.  This path leads to an expired AddTrust root CA cert.
  3. follows the intermediate to USERTrust, and requires an additional download of a new CA cert.
 
We're forced to use proxy-based inspection (because flow-based disables web profile overrides).  So, we will be forced to replace all of the bundled certs with leaf-only.  For normal use (not behind a Fortigate), this is unnecessary because the browser will ignore the expired CA and follow the path to the valid CA.
 
If you have public servers/services behind a Fortigate, you can disable the SSL inspection on your outbound policy.  This will make the sites accessible to the public again.
 
 
post edited by aleg - 2020/06/02 17:08:48
#21
lakshman
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/02 11:13:55
  • Status: offline
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/06/02 21:20:19 (permalink)
0
This issue is happening in 6.2.x versions.  Untrusted SSL certs are blocked by default. Try to create a new SSL inspection policy where you can exempt the website temporarily or allow an untrusted SSL certificate in the GUI.
 
 
 
If I am wrong - correct me
#22
mcdaniels
Bronze Member
  • Total Posts : 56
  • Scores: 1
  • Reward points: 0
  • Joined: 2013/05/15 05:29:31
  • Status: offline
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/06/03 00:18:00 (permalink)
0
Hi,
well I did not get the point. In my opinion this is a problem of an outdated certificate in the cert chain of some websites (using Sectigo's legacy AddTrust External CA Root certificate).
 
I may be wrong, because I am no expert in this, but the Fortigate reacts correctly to this issue, as far as I understand.
 
Outdated cert -> security issue -> block
 
for example if you test: https://www.ssllabs.com/ssltest/analyze.html?d=www.post.at
 
you can see the outdated cert.
 
The only way to resolve this issue at the moment is to switch to flow mode, or allow invalid ssl certificates in the ssl/ssh protection profiles.
post edited by mcdaniels - 2020/06/03 00:22:18
#23
aleilmago
New Member
  • Total Posts : 7
  • Scores: 2
  • Reward points: 0
  • Joined: 2020/05/31 06:57:10
  • Status: offline
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/06/03 22:42:04 (permalink)
0
Hi.
I agree with mcdaniels.
 
FortiGate reacts correctly to this issue, because that certificate is expired.
In my opinion it's not useful to check certificates and then permit also the expired ones...
 
Best.
Alessandro
#24
sysinit
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/02 02:37:02
  • Status: offline
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/06/05 09:25:35 (permalink)
0
Hi!
 
These certificates are signed by an Intermediate CA that by itself is signed by multiple Root CAs, one really old ("AddTrust External CA Root", the one that has expired) to be compatible with old devices, and by a current one ("USERTrust RSA Certification Authority"), known by up-to-date devices. So the "solution" to this problem is to discard the really old CA and instead use the certification path to the current Root CA, which is perfectly fine. This is what browsers do and what is possible with other firewall vendors.
 
Best regards,
Daniel
#25
lakshman
New Member
  • Total Posts : 6
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/06/02 11:13:55
  • Status: offline
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/06/05 10:37:55 (permalink)
0
I understood, but in my case the certificate has not expired.  Based on https://www.ssllabs.com/ssltest/ the particular website is rated A+. So I tried to exclude the particular FQDN, but I am not able to add it to the exempt list in the SSH profile.
 
#26
J13224
New Member
  • Total Posts : 7
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/07/11 13:50:23
  • Status: offline
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/09/10 11:33:36 (permalink)
0
I just ran into this for the first time.  While it is a little fuzzy, I'm not sure what the confusion is on whose responsibility it is.  There is an RFC for TLS, and my understanding (feel free to correct me if I am wrong) is that the RFC allows a certificate to remain valid even if 1 of multiple chains had an expired certification path.  Every modern web browser and OS behaves this way.
 
"Certificate path validation is done client-side from leaf to root. Modern clients that receive Trust Chain A with the cross signed intermediate (see below) from servers should ignore it and instead follow Trust Chain B. This applies even after the root of Trust Chain A expires on May 30, 2020." - Carnegie Mellon Certificate Authority 
 
So how is this not a Fortigate issue?  It is either compliant behavior or it is not, and in this case it appears that Fortigate may not be.
 
To clarify: I don't think some people understand that a certificate can have multiple authentication chains to the CA root.  The path you see in your browser is not necessarily the only chain; it is just the one the particular OS is using.  In this case COMODO/Sectigo has 3 chains and only 1 of the 3 has expired.  Updating the certificate on the host will resolve the issue, but a better long-term solution would be for the client end (Fortigate) to update the SSL inspection to comply with the more sophisticated modern accepted behavior.  Or, if there was a security concern, give the FW administrator an option to manually comply with modern behavior and ignore the default behavior when multiple authentication chains are encountered.
 
#27
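As an added illustration of the point sysinit and J13224 are making (this is not code from the thread, from Fortinet or from Sectigo), the following Python models the two client behaviours being argued about: a naive check that walks the chain exactly as the server sent it and fails on the first expired certificate, versus RFC 4158-style path building that tries every issuer match and accepts the leaf if any complete path to a trust anchor is unexpired. The CA names mirror the thread; the hostname, the record structure and all expiry dates other than the May 30, 2020 root expiry are constructed for the model, and signatures are not verified (only name chaining and validity periods are modelled).

```python
"""Model of certificate path building over a cross-signed intermediate.

Added example: plain records stand in for X.509 certificates so the
logic runs with the standard library only. Names follow the Sectigo
hierarchy discussed in the thread; dates and hostname are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # signatures are assumed valid in this model


UTC = timezone.utc

# Constructed certificate set. The USERTrust CA exists twice: as a
# self-signed root and as a cross-certificate issued by AddTrust, which
# is what lets one leaf have two paths to a root.
LEAF = Cert("www.example.test", "Sectigo RSA DV CA",
            datetime(2021, 6, 1, tzinfo=UTC))
INTER_SECTIGO = Cert("Sectigo RSA DV CA", "USERTrust RSA Certification Authority",
                     datetime(2030, 12, 31, tzinfo=UTC))
CROSS_USERTRUST = Cert("USERTrust RSA Certification Authority", "AddTrust External CA Root",
                       datetime(2020, 5, 30, tzinfo=UTC))  # cross-cert, modelled expiry
ROOT_USERTRUST = Cert("USERTrust RSA Certification Authority",
                      "USERTrust RSA Certification Authority",
                      datetime(2038, 1, 18, tzinfo=UTC))
ROOT_ADDTRUST = Cert("AddTrust External CA Root", "AddTrust External CA Root",
                     datetime(2020, 5, 30, tzinfo=UTC))  # expiry date from the thread

# What a server with the legacy bundle sends: leaf, intermediate, cross-cert.
SERVER_CHAIN = [LEAF, INTER_SECTIGO, CROSS_USERTRUST]
MODERN_STORE = [ROOT_USERTRUST, ROOT_ADDTRUST]  # up-to-date device
LEGACY_STORE = [ROOT_ADDTRUST]                  # old device, knows only AddTrust
NOW = datetime(2020, 6, 2, tzinfo=UTC)          # two days after the root expired


def path_errors(path: List[Cert], now: datetime) -> List[str]:
    """Validity-period errors for every certificate on the path."""
    return [f"{c.subject} expired {c.not_after.date()}" for c in path if now > c.not_after]


def validate_as_sent(chain: List[Cert], store: List[Cert], now: datetime) -> Tuple[bool, List[str]]:
    """Naive behaviour: trust the server's ordering, require every cert in
    the chain plus the anchor it ends at to be unexpired."""
    anchors = {c.subject: c for c in store}
    errors = path_errors(chain, now)
    last = chain[-1]
    if last.issuer in anchors:
        errors += path_errors([anchors[last.issuer]], now)
    else:
        errors.append(f"no trust anchor for issuer {last.issuer}")
    return (not errors, errors)


def build_paths(leaf: Cert, pool: List[Cert], store: List[Cert]) -> List[List[Cert]]:
    """Depth-first path construction: from the leaf, follow issuer names
    through the pool until a trust anchor is reached. Returns every
    complete path, valid or not, so the caller can see each candidate."""
    anchors = {c.subject: c for c in store}
    paths: List[List[Cert]] = []

    def walk(path: List[Cert]) -> None:
        current = path[-1]
        if current.issuer in anchors:
            paths.append(path + [anchors[current.issuer]])
        # A cross-certificate can share its subject with an anchor, so keep
        # looking for intermediates even after an anchor terminated a path.
        for cand in pool:
            if cand.subject == current.issuer and cand.subject != cand.issuer and cand not in path:
                walk(path + [cand])

    walk([leaf])
    return paths


def validate_by_path_building(leaf: Cert, pool: List[Cert], store: List[Cert],
                              now: datetime) -> Tuple[bool, List[str]]:
    """Modern behaviour: accept if any constructed path is fully unexpired,
    returning the subjects of the first path that passes."""
    for path in build_paths(leaf, pool, store):
        if not path_errors(path, now):
            return True, [c.subject for c in path]
    return False, []


if __name__ == "__main__":
    print("as sent, modern store:", validate_as_sent(SERVER_CHAIN, MODERN_STORE, NOW))
    print("path building, modern store:", validate_by_path_building(LEAF, SERVER_CHAIN, MODERN_STORE, NOW))
    print("path building, legacy store:", validate_by_path_building(LEAF, SERVER_CHAIN, LEGACY_STORE, NOW))
```

Run with a date before May 30, 2020 and both strategies accept the same server chain, which is why the errors appeared overnight; after that date only the path-building client still accepts it, and a client whose store holds only the AddTrust root correctly rejects it under both strategies.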
mcdaniels
Bronze Member
  • Total Posts : 56
  • Scores: 1
  • Reward points: 0
  • Joined: 2013/05/15 05:29:31
  • Status: offline
Re: Sudden HTTPS certificate errors - Sectigo AddTrust External CA Root Expiring May 30, 2 2020/10/07 09:41:02 (permalink)
0
J13224
I just ran into this for the first time.  While it is a little fuzzy, I'm not sure what the confusion is on whose responsibility it is.  There is an RFC for TLS, and my understanding (feel free to correct me if I am wrong) is that the RFC allows a certificate to remain valid even if 1 of multiple chains had an expired certification path.  Every modern web browser and OS behaves this way.
 
I am no pro when it comes down to certification issues. Fortinet support told me that it is NOT a firewall issue, and the website owners / webmaster / hoster have to remove the outdated cert in the chain. I run into this problem quite often. If you have activated SSL logging there are numerous SSL certification errors (big companies -> Microsoft for example...)
post edited by mcdaniels - 2020/10/07 09:45:10
#28