Fortiauthenticator 6.01

François
2020/09/09 23:37:04

Dear all,
For 18 months I have used Fortiauthenticator 6.01 without trouble, but for the last few days Fortiauthenticator can't send email with Office365.
I opened a ticket, but at this time there is no solution to fix it.
The error message is:
"smtp starttls: verify peer certificate: unable to get local issuer certificate"
and the second:
"smtp mail: failed send to aaaaaa.bbbbbb@soxxxxx.com via smtp.office365.com:587"

I deleted the Office365 certificate and created a new one, but with no good result.
To create the certificate I exported the root certificate as X.509 Base 64.cer and I exported the intermediate certificate in the same format. I created a new text file and put the root certificate and the intermediate certificate inside the text file.
I imported it into Fortiauthenticator.

I tried another method for the certificate: importing the root certificate directly and, as a second step, importing the intermediate certificate directly. Same trouble.
I don't understand where the problem is, and I don't understand why the error message speaks about "unable to get local issuer certificate". Why local? In my mind I think it's a remote certificate.

Thank you for your help and sorry for my English :)

Best regards,
François
#1


    xsilver
    Re: Fortiauthenticator 6.01 2020/09/10 02:13:01
    Hi,
    it might have happened that Office365 changed their certs and/or even the root CA.
    I'm not sure at the moment. But it then has nothing to do with FAC (FortiAuthenticator), as that could not be foreseen on the FAC side.
    I would suggest following these steps to check the situation:

    1. check the certs of office365 via an attempt to open a STARTTLS connection:
    run: openssl s_client -starttls smtp -connect smtp.office365.com:587 -crlf
     
    example output I got right now (2020-09-10@11:10 GMT+0200):
    ---
    $openssl s_client -starttls smtp -connect smtp.office365.com:587 -crlf
    CONNECTED(00000003)
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
    verify error:num=20:unable to get local issuer certificate
    ---
    Certificate chain
    0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
    i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
    1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
    i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
    ---
    Server certificate
    subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
    issuer=C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
    ---
    No client certificate CA names sent
    Client Certificate Types: RSA sign, DSA sign, ECDSA sign
    Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
    Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
    Peer signing digest: SHA256
    Peer signature type: RSA
    Server Temp Key: ECDH, P-384, 384 bits
    ---
    SSL handshake has read 4289 bytes and written 523 bytes
    Verification error: unable to get local issuer certificate
    ---
    New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 752700007D7CD576813827FEEFAE411C690BA3FB38E19E7BE9A3CDCF03694139
    Session-ID-ctx:
    Master-Key: 092660AE886FEC3E6AFCA59BF01A33317FACED7BA9C71A01F5DBB611009898F8ED37C143FB51ECCCBEB914A8226B5057
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1599728137
    Timeout : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
    ---
    250 SMTPUTF8
    DONE
     
     
    2. add GlobalSign Root CA - R1 as trusted outer root CA cert into FAC
     
    3. test emails (I guess you kept mail service settings intact, so we just added right cert from top of the chain as trusted).
     
    4. if it is still not working, then visit support.fortinet.com and open technical trouble ticket with TAC and one of the engineers will assist you.
     

    Kind Regards,
    Tomas
    #2
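
The chain listing in the reply above already names the CA the verifying side lacks: error 20 means the issuer of the last certificate the server sent is not in the client's own (local) trust store. The script below is an added example, not part of the thread; it reads `openssl s_client` output and prints that issuer. The sample text is constructed from the subject/issuer lines in the post, and the trusted-DN list file is a hypothetical stand-in for the device's trusted CA list.

```shell
#!/bin/sh
# Added example. Constructed sample: the "Certificate chain" section of
# `openssl s_client` output, using the subject/issuer lines from the post.
SAMPLE_CHAIN='Certificate chain
 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
   i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
 1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Organization Validation CA - SHA256 - G3
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---'

# missing_issuers: read s_client output on stdin and print every issuer DN
# that the server did not also send as a subject. With verify error 20 this
# is the CA the client must already hold in its own trust store.
missing_issuers() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line ~ /^[0-9]+ s:/) { sub(/^[0-9]+ s:/, "", line); sent[line] = 1 }
      else if (line ~ /^i:/)   { sub(/^i:/, "", line); issuer[++n] = line }
    }
    END { for (k = 1; k <= n; k++) if (!(issuer[k] in sent)) print issuer[k] }
  '
}

# anchors_to_import FILE: FILE is a hypothetical list of subject DNs already
# trusted locally (one per line, same DN formatting as s_client prints).
# Prints the missing issuers that are not in that list. This compares names
# only; it is a diagnostic aid, not signature verification.
anchors_to_import() {
  missing_issuers | grep -Fxv -f "$1" || true
}

# Stand-alone run: show which CA the sample chain leaves to the local store.
printf '%s\n' "$SAMPLE_CHAIN" | missing_issuers
```

Against live output, pipe the `openssl s_client -starttls smtp -connect smtp.office365.com:587 -crlf` command from the reply into `missing_issuers` instead of the sample.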
    François
    Re: Fortiauthenticator 6.01 2020/09/11 01:22:43
    Dear Tomas,

    Thank you for all the information you gave me.
    With this information I found the trouble and fixed it.

    When I set up the Fortiauthenticator in June 2019 I imported a certificate.
    At the beginning of the certificate I added the root certificate and just after it I added the intermediate certificate.

    Today I did it with another process.
    I searched with Google for: GlobalSign Root CA - R1 and I found

    GlobalSign Root CA - R1

    Expected page status: Valid

    CN=GlobalSign Root CA
    OU=Root CA
    O=GlobalSign nv-sa
    C=BE
    Serial number=04 00 00 00 00 01 15 4b 5a c3 94
    Valid from=01 September 1998
    Valid to=28 January 2028
    Download url=http://secure.globalsign.com/cacert/root-r1.crt

    I imported this certificate and now all is working fine.

    Thank you a lot for the time you took to help me.

    Best regards,
    François
    #3
    xsilver
    Re: Fortiauthenticator 6.01 2020/09/13 22:51:53
    Hi François,
     
    Good to hear you fixed it.
    If my answer helped you, give it a star.
     

    Kind Regards,
    Tomas
    #4