
Fixing Certificate Errors for Web browsing via FortiGate Explicit Proxy

This is an issue where users accessing certain websites through a FortiGate explicit proxy (with the FortiGate CA certificate imported into client browsers) encounter certificate errors. The FortiGate logs show: “Re-signed server certificate as untrusted due to security problem.” After digging deeper, I found the root cause: the affected websites’ servers are missing intermediate certificates, causing the certificate chain to be incomplete and untrusted by browsers.

Issue Details:

  • The web server hosting the problematic website doesn’t include the intermediate certificate in its certificate chain.
  • When the FortiGate proxy re-signs the server’s certificate for inspection, the incomplete chain causes browsers to display a certificate error.

Solution: To fix this, the website’s server (not the FortiGate proxy) needs to include the intermediate certificate to complete the chain to a trusted root. If the website uses a Sectigo (InstantSSL) certificate, follow these steps:

  1. Verify the Issue: Check the website’s certificate chain using a browser or an SSL checker tool (e.g., https://www.sslchopper.com/ssl-checker.html/) to confirm the missing intermediate certificate.
  2. Install the Intermediate Certificate: On the web server, follow Sectigo’s Certificate Installation Instructions for your platform (Apache, Nginx, IIS, etc.): Sectigo Certificate Installation Instructions.
    • Focus on the section about adding the intermediate/chain certificate.
  3. Update Server Configuration: Ensure the web server presents the full certificate chain (server certificate + intermediate certificate).
  4. Test the Website: Access the website through the FortiGate proxy again to verify the certificate error is resolved.

Please find a normal cert chain below:

Additional Tips:

  • If you manage the web server, ensure the intermediate certificate is properly installed.
  • For FortiGate admins, confirm the proxy’s CA certificate is correctly imported into client browsers’ trusted root stores.
  • If you don’t control the website, notify the website administrator about the missing intermediate certificate.

#FortiGate #SSL #CertificateError #Sectigo #NetworkSecurity
