On Mai 2021, Let’s Encrypt issued a note about the expiration of their DST Root CA X3:
Now that this root certificate has expired (2021-09-30), your systems might issue a warning when connecting to sites using Let’s Encrypt certificates.
To fix this glitch on a general client, follow the instructions of the link above:
- Ensure that the involved systems trust theISRG Root X1 CA
- If such systems depend on OpenSSL, ensure that they’re using at version 1.1.0 or later
This issue has since been fixed in FortiOS 6.2.10 and 6.4.8.
Fortinet has released an informative blog article with background information about this issue and an outlook for a longer-term solution.
FortiGates are reportetly affected by this issue, if the policies are running in proxy-based mode with any kind of certificate inspection or flow-based mode with deep inspection.
Fortinet currently recommends the following workaround (reffered as DNS blackholing):
Make a backup. At the top right > click your profile > Config > backup
# Manually trigger a definitions update execute update-now # Verify that at least the Certificate Bundle 1.28 got installed diagnose autoupdate versions | grep -A5 '^Cert' Certificate Bundle --------- Version: 1.00028 # Block access to apps.identrust.com by adding a DNS blackhole config system dns-database edit 0 set domain "identrust.com" set authoritative disable config dns-entry edit 0 set hostname "apps" set ip 127.0.0.1 next end next end # Note: Once apps.identrust.com stops sending the expired CA Certificate the above configuration can be removed. # Note: By setting "set authoritative disable" other FQDNs like commercial.ocsp.identrust.com can still be resolved. # Note: The IPS engine and WAD daemon may cache the previous certificate validation results. Check the commands in Fortinet KB above to clear their cache. # To troubleshoot the update daemon, use the following CLI commands: diag debug application updated -1 diag debug enable
With DNS blackholing in place, you can revert any of the previous workarounds:
1. Use flow-based web filtering. Note: the firewall policy will need to be in flow-mode as well for this to work. This workaround will not work if deep inspection is on.
2. Alternatively in the SSL Inspection Profile > Invalid Certificate > “Custom” and Allow “Expired Certificate” in the interim. (This should be used with caution).