FortiGate
sahmed_FTNT
Staff
Article Id 289661
Description

This article describes how to resolve situations where DigiCert certificates trigger a 'certificate expired' warning.

Scope

FortiGate.
Solution

Since March 8, 2023, DigiCert has been moving its default public issuance of TLS/SSL certificates to the new second-generation (G2) public root and intermediate CA (ICA) certificate hierarchy.

The G1 root CA and intermediate CA currently in use will be distrusted by Mozilla on April 15, 2026.

This will interrupt the FortiGate's connection to FortiGate Cloud (and the FDN) in the future.
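The trust-store mismatch described above, shown as an added example that is not part of the original article: a leaf certificate issued under a new G2-style root/ICA hierarchy verifies only when that G2 root is trusted, while a store that still holds only the old G1-style root rejects it. All CA names here are constructed for the demo and are not DigiCert's real CAs; it assumes an `openssl` binary on the path.

```shell
#!/bin/sh
# Constructed demo of why a stale trust store breaks a G2-issued chain.
# Names below are made up for the demo, not DigiCert's real CAs.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK" || exit 1

# Self-signed root CA; EC keys keep generation fast.
make_root() {  # $1 = file prefix, $2 = CN
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.crt" -days 30 -subj "/CN=$2" 2>/dev/null
}

# Certificate signed by an existing CA.
make_signed() {  # $1 = prefix, $2 = CN, $3 = issuer prefix, $4 = CA:TRUE|CA:FALSE
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$4" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -out "$1.crt" -days 30 -extfile "$1.ext" 2>/dev/null
}

make_root   g1root "Demo Old G1 Root"
make_root   g2root "Demo New G2 Root"
make_signed g2ica  "Demo New G2 ICA" g2root "CA:TRUE"
make_signed leaf   "service.example" g2ica  "CA:FALSE"

# verify_chain ROOT_PREFIX: validate leaf + G2 ICA against one trusted root.
# Prints OK or FAIL and always returns 0 so callers can compare the output.
verify_chain() {
  if openssl verify -CAfile "$1.crt" -untrusted g2ica.crt leaf.crt >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# The other half of the symptom: succeeds only if the leaf has not expired.
not_expired() { openssl x509 -in leaf.crt -noout -checkend 0 >/dev/null 2>&1; }

echo "G2 root trusted:      $(verify_chain g2root)"   # OK
echo "only G1 root trusted: $(verify_chain g1root)"   # FAIL
```

The second line is the situation a device hits when its trust store still contains only the old root: the certificate itself is valid, but the chain cannot be built.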


Issue symptoms:

  • Web traffic does not pass through proxy-based policies.
  • End users see a warning in the browser that the firewall certificate has expired.
  • The output of the CLI command 'diagnose debug rating' shows that connections are not established.
  • The following error may be seen in the WAD debug output:

4031 continue the cert failure to get replace msg


To fix the issue, use the following commands:


fnsysctl killall fnbamd (restarts the fnbamd daemon)

diagnose test application wad 99 (restarts all WAD processes)

execute update-now (forces an immediate FortiGuard update)


For more details regarding the certificate, see this DigiCert knowledge base article.


Additionally, consider switching the profile to flow mode to further verify that traffic passes as expected.