Support Forum
unknown1020
New Contributor III

website access problems

Good afternoon colleagues, a question.
In the morning we had some problems with access to some pages that I could access normally.

In order to pass the certificate analysis I had to enter the rule and, in the SSL INSPECTION section, change from certificate-inspection to no inspection until the page loads without problems, and then return to certificate-inspection.

This problem has been occurring with other pages that were previously accessed.

the connection is not private

It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID


It is worth mentioning that when you enter through another network, for example a cellular data network or a home network, you can access the page and the message "it is not secure" does not appear.

Do you know why this happens?

It is worth mentioning that the certificate of the page expires in 2024 so there should be no problem.

2 Solutions
YBKruthi

Hi,

The error message "NET::ERR_CERT_AUTHORITY_INVALID" typically occurs in web browsers like Google Chrome and Mozilla Firefox when there is an issue with the SSL/TLS certificate of a website.

When the browser encounters an invalid certificate authority, it means that the SSL/TLS certificate presented by the website cannot be verified with a trusted certificate authority. There are a few common reasons why this error might occur:

1) Expired or Invalid Certificate: The SSL/TLS certificate may have expired or is otherwise considered invalid by the browser.

2) Self-Signed Certificate: The website is using a self-signed certificate instead of one issued by a recognized certificate authority. Self-signed certificates are not trusted by default in most browsers.

3) Mismatched Domain: The certificate is issued for a different domain or subdomain than the one you are trying to access, causing a domain mismatch.

4) Misconfigured Certificate Chain: The certificate chain provided by the server is incomplete or not properly configured.

5) Untrusted Certificate Authority: The certificate authority that issued the certificate is not recognized or trusted by the browser.

6) Root Certificate Updates: Sometimes, a user's browser may need updates to its root certificate store, which contains the list of trusted certificate authorities.

So, please confirm by installing the certificate on the client machine and allowing it to be trusted initially; this will help you narrow down the issue.

Regards,

Kruthi


pgautam
Staff

Hi,

When FortiGate cannot successfully authenticate the server certificate (i.e. untrusted root CA, expired, self-signed certificate) it will present the CA certificate configured via set untrusted-caname in the SSL inspection profile (default CA certificate name: Fortinet_CA_Untrusted).

In some cases, HTTPS websites using server certificates issued by Entrust will encounter an untrusted root CA warning because the specified Entrust root CA certificate in the server certificate's chain of trust is not in FortiGate's Trusted CA list (see Security Profiles -> SSL/SSH Inspection -> View Trusted CAs List on FGT).

The issue is that the HTTP site's server certificate was issued by an intermediate CA associated with a specific Entrust root CA certificate that has been deemed invalid because of an invalid certificate property. Since this Entrust root CA certificate is invalid, it's not trusted by all browsers.

This issue can be confirmed by using the URL of the affected HTTPS site with an online SSL checker website like SSL Labs' SSL Server Test (https://www.ssllabs.com/ssltest/) or SSL Shopper's SSL Checker (https://www.sslshopper.com/ssl-checker.html), and observing the checker's result that the certificate chain is incomplete or the certificate is not trusted in all browsers.


Regards

Priyanka

knalawade
Staff

Please try to install the certificate on the local machine in the browser under trusted root certificates and check it.

Regards,

kunal

unknown1020

But why? If the certificate of those pages expires in one year, there are also several users who have the problem.

unknown1020
New Contributor III

Hello, thanks for answering. Excuse me, and how do I get the certificate? Does the owner of the page have to give it to me?

pgautam
Staff

Hi

Certificate Inspection should not break any SSL connections. The Fortigate only inspects the SNI on the Client Hello or the Server Certificate when Certificate Inspection is used. It does not attempt a MitM.

Could you post the output of the CLI commands, "config firewall ssl-ssh-profile", "edit <your profile>", "show"?
This is the default certificate-inspection profile.

Along with the certificate profile, please collect a Wireshark capture from the test machine to check the issue.

Regards

Priyanka

unknown1020
New Contributor III

Hello, the default profile is being used:

config firewall ssl-ssh-profile
    edit "certificate-inspection"
        set comment "Read-only SSL handshake inspection profile."
        config https
            set ports 443
            set status certificate-inspection
        end
        config ftps
            set status disable
        end
        config imaps
            set status disable
        end
        config pop3s
            set status disable
        end
        config smtps
            set status disable
        end
        config ssh
            set ports 22
            set status disable
        end
        config dot
            set status disable
        end
    next
end

One question: what option is causing those messages to appear when you want to access those pages? I would like to disable that option without having to change the certificate-inspection profile.

the connection is not private

It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

srajeswaran

On your SSL inspection profile, under Trusted CA list, do you see the CA for the specific certificate in question? If not, that is the most possible reason for this error.

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

unknown1020

Then, if the CA of the certificate is not in that list of the certificate-inspection profile, what option should I disable in that profile so that those messages no longer appear when trying to access those pages?

the connection is not private

It is possible that attackers are trying to steal your information from xxxxx.com
(for example, passwords, messages or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

Markus_M

Hi,

Maybe this helps to understand certificates better:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-TLS-and-the-use-of-Digital-Certificates/ta...

In very short: certificates are supposed to come in a chain. The webserver has a server certificate, which is signed by a CA (CERT_AUTHORITY) certificate, and that is usually signed by another CA.

The webserver is supposed to send the webserver certificate and the CA certificates that signed that webserver certificate.

The client, your browser, is supposed to receive the certificates and build the complete chain:

server > signing CA (intermediate CA) > signing CA (root CA)

If that fails because the server only sends the server certificate and nothing else, the client may be unable to complete the chain. The error is presented: NET::ERR_CERT_AUTHORITY_INVALID

The "server" certificate is coming from a webserver which is either

- the actual webserver, like https://www.fortinet.com

OR

- if your FortiGate is using SSL deep inspection on that same firewall policy, then the FortiGate has to play being the webserver instead, creating its own chain.

The same chain principle applies, and every SSL client needs to be able to complete the certificate chain. If FortiGate is doing deep inspection, you need to download its CA certificate (see the respective DPI profile) and install it on the client. If FortiGate is NOT doing deep inspection, then you need to contact the webserver administrator. That is not to give you the certificate, but to fix the webserver.

Any(!) public webserver is supposed to send certificates as per description above. There might be special cases, but the administrator would have instructed you then for sure.

Best regards,

Markus
