WCF SSL Certificate Errors

Author
kphed
Bronze Member
2021/09/30 08:28:41 (permalink)

Is anyone suddenly receiving certificate errors?  A large number of customers are reporting certificate errors when browsing exempted/trusted domains.  The SSL logs in the GUI show, "Server certificate blocked".
#1

19 Replies

    recha
    Bronze Member
    Re: WCF SSL Certificate Errors 2021/09/30 08:37:19 (permalink)
    Hello, 
     
    I confirm, since 4:01 PM; I guess it's linked to the IdenTrust expiration...
    If you bypass the web filtering there is no issue... but it's not a solution...
     
    For information:
    https://scotthelme.co.uk/...t-old-root-expiration/
    #2
    Brimstar
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 08:45:00 (permalink)
    Talked to support. They've confirmed they're working on it, but it is an issue with the IdenTrust expiration. Probably going to turn off the expired cert filter. I think that's about all we can do for now.
    #3
    mikeworking
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 08:50:39 (permalink)
    I just got off the phone with support.
     
    Known issue.
     
    Switch to Flow Based on your client policy (not Proxy) and that is a temp fix.
     
    No ETA but support is on it.
    #4
    nicoco59
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 09:04:26 (permalink)
    Hello,
     
    You can check the box "allow invalid certificate" in the proxy SSL feature or configure the rule in flow-based mode :(
    But it's insane to do that on all the FortiGates we manage :/
     
    Nicolas
     
    #5
    WesMasterson
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 09:11:03 (permalink)
    I think it has something to do with
     
    DST Root CA X3 that expired today, but I haven't found a work around for it.
    #6
    evertjanP
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 09:20:50 (permalink)
    Same here, with Lets Encrypt certificates.
    #7
    jm75
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 09:48:50 (permalink)
    Hello,
     
    Maybe sites are blocked when they use a Let's Encrypt certificate?
     
    https://docs.certifytheweb.com/docs/kb/kb-202109-letsencrypt/
    https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/ (site not accessible with this expired certificate problem)
     
    I don't know the right solution.
    Default SSL/SSH inspection with the default "certificate-inspection" policy blocks the expired certificate.
     
    J.
    #8
    Brimstar
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 09:52:37 (permalink)
    I'm almost positive it's an issue with change of Let's Encrypt over to the ISRG certificate.  Every site that was reported blocked that I've reviewed is using a Let's Encrypt certificate.  I've got a case open and I'm waiting on a fix.  In the meantime, I've done the only thing I can by allowing expired certificates so people can continue to work.  Let's Encrypt is too commonly used to simply block any site using them.
    #9
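What #8 and #9 are describing (a Let's Encrypt chain that still carries the ISRG Root X1 cross-sign issued by the now-expired DST Root CA X3, and an inspection engine that treats that as an expired certificate) can be reproduced offline. The Go program below is an added example; it is not code from this thread, from Fortinet or from Let's Encrypt. It builds a constructed test PKI in memory with the real certificate names (DST Root CA X3, ISRG Root X1, R3) but freshly generated keys and approximate validity dates (the expiry of 2021-09-30 14:01:15 UTC is the real one; www.example.test is made up), then checks the chain a default Let's Encrypt server sent that day against two verifiers: Go's own path-building crypto/x509, and VerifyPresentedPathOnly, a simplified single-path model written for illustration, which is an assumption and not a description of FortiOS internals.

```go
package main
// Added example (not from the thread or from Fortinet): an in-memory copy of the Let's Encrypt
// chain shape on 2021-09-30, with the real certificate names, fresh keys and approximate dates.
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	return k
}

func caTemplate(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore,
		NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// issue signs tmpl with the parent's key; a nil parent yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil { parent = tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c
}

type TestChain struct {
	DSTRootX3, ISRGRootX1, ISRGRootX1Cross, R3, Leaf *x509.Certificate
	Presented []*x509.Certificate // leaf, R3, cross-signed root: the default Let's Encrypt chain that day
}

// Roots returns the trust store under test: the old root alone, or old and new together.
func (t TestChain) Roots(dstOnly bool) []*x509.Certificate {
	if dstOnly { return []*x509.Certificate{t.DSTRootX3} }
	return []*x509.Certificate{t.DSTRootX3, t.ISRGRootX1}
}

func BuildTestChain() TestChain {
	dstKey, isrgKey, r3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	dst := issue(caTemplate("DST Root CA X3", 1, date(2000, 9, 30), time.Date(2021, 9, 30, 14, 1, 15, 0, time.UTC)), nil, &dstKey.PublicKey, dstKey)
	isrg := issue(caTemplate("ISRG Root X1", 2, date(2015, 6, 4), date(2035, 6, 4)), nil, &isrgKey.PublicKey, isrgKey)
	// Cross-sign: same subject and key as ISRG Root X1, but issued by the old root.
	cross := issue(caTemplate("ISRG Root X1", 3, date(2021, 1, 20), date(2024, 9, 30)), dst, &isrgKey.PublicKey, dstKey)
	r3 := issue(caTemplate("R3", 4, date(2020, 9, 4), date(2025, 9, 15)), isrg, &r3Key.PublicKey, isrgKey)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(5), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames: []string{"www.example.test"}, NotBefore: date(2021, 8, 1), NotAfter: date(2021, 10, 30),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf := issue(leafTmpl, r3, &leafKey.PublicKey, r3Key)
	return TestChain{dst, isrg, cross, r3, leaf, []*x509.Certificate{leaf, r3, cross}}
}

// VerifyWithPathBuilding does what a current TLS library does: try every path to any trusted root.
func VerifyWithPathBuilding(presented, roots []*x509.Certificate, now time.Time) ([]string, error) {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots { rootPool.AddCert(r) }
	for _, c := range presented[1:] { interPool.AddCert(c) }
	chains, err := presented[0].Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, CurrentTime: now})
	if err != nil { return nil, err }
	var names []string
	for _, c := range chains[0] { names = append(names, c.Subject.CommonName) }
	return names, nil
}

// VerifyPresentedPathOnly is a simplified model (an assumption, not FortiOS internals): follow only the order
// the server sent, add the trusted root that signed the last certificate, and reject if anything on that path is expired.
func VerifyPresentedPathOnly(presented, roots []*x509.Certificate, now time.Time) error {
	path := append([]*x509.Certificate{}, presented...)
	for _, r := range roots {
		if presented[len(presented)-1].CheckSignatureFrom(r) == nil { path = append(path, r); break }
	}
	if len(path) == len(presented) { return fmt.Errorf("issuer %q is not in the trust store", path[len(path)-1].Issuer.CommonName) }
	for i, c := range path {
		if i+1 < len(path) && c.CheckSignatureFrom(path[i+1]) != nil { return fmt.Errorf("%q is not signed by %q", c.Subject.CommonName, path[i+1].Subject.CommonName) }
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("%q is outside its validity period (not after %s)", c.Subject.CommonName, c.NotAfter.UTC().Format(time.RFC3339))
		}
	}
	return nil
}

func main() {
	tc, now := BuildTestChain(), time.Date(2021, 9, 30, 16, 0, 0, 0, time.UTC) // two hours after the expiry
	chain, err := VerifyWithPathBuilding(tc.Presented, tc.Roots(false), now)
	fmt.Println("path building, both roots trusted:", chain, err)
	_, err = VerifyWithPathBuilding(tc.Presented, tc.Roots(true), now)
	fmt.Println("path building, only DST Root CA X3 trusted:", err)
	fmt.Println("presented path only, both roots trusted:", VerifyPresentedPathOnly(tc.Presented, tc.Roots(false), now))
}
```

`go run` prints three lines. With both roots trusted, the path builder accepts leaf -> R3 -> ISRG Root X1 and never needs the cross-sign. With only DST Root CA X3 trusted it fails, because the only path it can find ends in an expired root. The single-path model fails even with both roots trusted, because it stops at the cross-sign's issuer instead of looking for the self-signed ISRG Root X1. That is the difference between the "allow invalid/expired certificates" workaround in this thread, which switches the check off for every site, and a trust store that anchors on ISRG Root X1 directly with a verifier that builds alternative paths, which keeps the check and still accepts the chain.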
    Scott Seifel
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 11:29:56 (permalink)
    It appears FortiOS 6.4.x is immune to this situation as only our clients with firewalls running FortiOS 6.2 and earlier are affected.  Are any of you seeing the same pattern?
     
    We are going with the allow invalid certs option until Fortinet addresses the issue.
    #10
    kaiseal1
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 11:37:46 (permalink)
    No, can't confirm. We face the same problem on 6.4.6/6.4.7
    #11
    jm75
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 11:38:08 (permalink)
    Hello,
    No, I have the problem with v6.4.7 build1911 (GA) firmware.
    With the "SSL/SSH Inspection" profile allowing invalid certificates, it works. Allowing invalid certificates is probably only possible for a limited number of sites.
     
    J.
    #12
    Brimstar
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 11:43:16 (permalink)
    Per discussion I had with support, if you're on 6.4.x flow-based rules (rather than proxy-based) should work.  We unfortunately use proxy-based inspection on our ruleset.
    #13
    magzzzs
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 11:52:13 (permalink)
    Same problem here. I had firmware 6.4.6 but upgraded to 6.4.7  build1911 (GA), but the problem is still there ...
    I guess we have no other option than to allow invalid certificates, but I don't like it.
    Would like to get a recommendation from Fortinet...
    #14
    evertjanP
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 12:26:53 (permalink)
    I run 7.0.2 and have the same issues. According to Fortinet support, changing the policy inspection mode from proxy to flow is a workaround.
    https://kb.fortinet.com/k....do?externalID=FD49028
    #15
    mike_dp
    Silver Member
    Re: WCF SSL Certificate Errors 2021/09/30 12:30:45 (permalink)
    I don't think any Fortigate FW can be immune to this since it's a root cert expiring. We are affected as well for all the policies in proxy mode on 6.4.6. We changed some to flow mode for a quick fix.
     
    Does anyone know if Fortinet will release an "official" solution soon?

    Fortigate : 80E, 80F, 100E, 200F, 300E : 6.4.6
    FortiAnalyzer, ForticlientEMS
    #16
    phanman
    New Member
    Re: WCF SSL Certificate Errors 2021/09/30 13:22:38 (permalink)
    We are on 6.4.7. All policies and web filters are already in flow mode. The only temporary fix is to modify our deep inspection profile to allow expired certificates.
     

    Attached Image(s)

    #17
    mike_dp
    Silver Member
    Re: WCF SSL Certificate Errors 2021/09/30 13:46:40 (permalink)
    I chatted with the support and they told me they will release something via Fortiguard but they have no clue when (I guess in the next few hours since it affects lots of clients). Our Fortinet rep said it affects proxy mode because that expired cert is cached.

    Fortigate : 80E, 80F, 100E, 200F, 300E : 6.4.6
    FortiAnalyzer, ForticlientEMS
    #18
    nguyenbakhanh
    New Member
    Re: WCF SSL Certificate Errors 2021/10/02 01:38:30 (permalink)
    mike_dp
    I chatted with the support and they told me they will release something via Fortiguard but they have no clue when (I guess in the next few hours since it affects lots of clients). Our Fortinet rep said it affects proxy mode because that expired cert is cached.

    FIX WIN 7: this site's security certificate is not trusted https://youtu.be/0e42USqE-CM
    #19
    it service
    New Member
    Re: WCF SSL Certificate Errors 2021/10/02 01:48:51 (permalink)
    Issue on 6.4.5 temporarily resolved by the following workaround:

    1: verify cert bundle is v28

    -> diag autoupdate versions
    -> execute update-now

    2: apply DNS blackhole workaround:

    -> config system dns-database
    -> edit "1"
    -> set domain "identrust.com"
    -> config dns-entry
    -> edit 1
    -> set hostname "apps"
    -> set ip 127.0.0.1
    -> next
    -> end

    3a: flow-mode:

    -> diag ips share clear cert_verify_cache

    3b: proxy-mode:

    -> diag test app wad 99



    #20