Let’s Encrypt: Unexpected certificate warnings

In May 2021, Let’s Encrypt issued a note about the expiration of their DST Root CA X3:
https://letsencrypt.org/docs/dst-root-ca-x3-expiration-september-2021/

Now that this root certificate has expired (2021-09-30), your systems might issue a warning when connecting to sites using Let’s Encrypt certificates.

To fix this on a general client, follow the instructions in the link above:

  • Ensure that the involved systems trust the ISRG Root X1 CA
  • If such systems depend on OpenSSL, ensure that they’re using version 1.1.0 or later
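The two checks above can be scripted on a client. The following is an added example (not part of the original post or of Let’s Encrypt’s material) using only Python’s standard library: it reads the linked OpenSSL version, looks for ISRG Root X1 in the loaded trust store, and then runs a deliberately simplified path builder over a constructed chain to show why the OpenSSL version matters. The leaf name and the sample dates other than the DST Root CA X3 expiry are constructed; the two lookup strategies are a modelling assumption that mirrors the "untrusted intermediates first, no backtracking" behaviour of OpenSSL 1.0.x versus the trusted-first default of 1.1.0 and later.

```python
# Added example, not from the original post: client-side checks for the two
# conditions listed above (ISRG Root X1 trusted; OpenSSL >= 1.1.0) plus a
# small model of why the OpenSSL version matters. Standard library only.
import ssl
from datetime import datetime, timezone

ISRG_ROOT_X1_CN = "ISRG Root X1"
MIN_OPENSSL = (1, 1, 0)


def openssl_version_ok(version_info=ssl.OPENSSL_VERSION_INFO):
    """True when the OpenSSL the client links against is 1.1.0 or later."""
    return tuple(version_info[:3]) >= MIN_OPENSSL


def trusts_isrg_root_x1(ca_certs):
    """ca_certs: list of dicts in the shape SSLContext.get_ca_certs() returns."""
    for cert_info in ca_certs:
        # 'subject' is a tuple of RDNs, each a tuple of (attribute, value) pairs
        subject = dict(attr for rdn in cert_info.get("subject", ()) for attr in rdn)
        if subject.get("commonName") == ISRG_ROOT_X1_CN:
            return True
    return False


def cert(subject, issuer, not_after):
    """Minimal certificate model: only the fields path building needs."""
    return {"subject": subject, "issuer": issuer, "not_after": not_after}


def verify_chain(leaf, intermediates, trust_anchors, now, trusted_first):
    """Toy path builder (assumption: a simplification of real verifiers).

    trusted_first=False: resolve each issuer from the served intermediates
    first and fall back to the trust store only when none matches, without
    backtracking (the OpenSSL 1.0.x behaviour that breaks on this chain).
    trusted_first=True: look in the trust store before the served
    intermediates (the OpenSSL 1.1.0+ default the advice above relies on).
    Returns (ok, [subjects on the path], reason).
    """
    path = [leaf]
    current = leaf
    for _ in range(8):  # depth limit so a malformed chain cannot loop
        names = [c["subject"] for c in path]
        if now > current["not_after"]:
            return False, names, f'{current["subject"]} expired'
        if current in trust_anchors:
            return True, names, f'anchored at {current["subject"]}'
        pools = (trust_anchors, intermediates) if trusted_first else (intermediates, trust_anchors)
        issuer = next((c for pool in pools for c in pool if c["subject"] == current["issuer"]), None)
        if issuer is None:
            return False, names, f'no issuer for {current["subject"]}'
        path.append(issuer)
        current = issuer
    return False, [c["subject"] for c in path], "path too long"


# Constructed sample chain mirroring the Let's Encrypt layout after 2021-09-30:
# the site serves the leaf, R3 and the ISRG Root X1 cross-signed by DST Root
# CA X3. Dates are sample values except the DST Root CA X3 expiry given above.
UTC = timezone.utc
NOW = datetime(2021, 10, 1, tzinfo=UTC)
LEAF = cert("www.example.test", "R3", datetime(2021, 12, 1, tzinfo=UTC))
R3 = cert("R3", "ISRG Root X1", datetime(2025, 9, 15, tzinfo=UTC))
ISRG_X1_CROSS = cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30, tzinfo=UTC))
ISRG_X1_SELF = cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4, tzinfo=UTC))
DST_X3 = cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30, tzinfo=UTC))
SERVED = [R3, ISRG_X1_CROSS]          # what the web server sends
STORE_WITH_X1 = [DST_X3, ISRG_X1_SELF]  # a trust store that has ISRG Root X1
STORE_WITHOUT_X1 = [DST_X3]             # an outdated trust store


if __name__ == "__main__":
    print(f"OpenSSL {ssl.OPENSSL_VERSION}: version ok = {openssl_version_ok()}")
    ctx = ssl.create_default_context()
    print(f"ISRG Root X1 in trust store: {trusts_isrg_root_x1(ctx.get_ca_certs())}")
    for store, label in ((STORE_WITH_X1, "with X1"), (STORE_WITHOUT_X1, "without X1")):
        for tf in (False, True):
            print(label, f"trusted_first={tf}", verify_chain(LEAF, SERVED, store, NOW, tf))
```

Running it on a client that trusts ISRG Root X1 shows the same served chain failing with "DST Root CA X3 expired" under the untrusted-first strategy and succeeding under trusted-first, which is exactly the difference between the two OpenSSL generations; a trust store without ISRG Root X1 fails under both strategies, which is why the first bullet is needed regardless of the OpenSSL version.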

FortiGate

This issue has since been fixed in FortiOS 6.2.10 and 6.4.8.

Fortinet has released an informative blog article with background information about this issue and an outlook for a longer-term solution.

FortiGates are reportedly affected by this issue if the policies are running in proxy-based mode with any kind of certificate inspection, or in flow-based mode with deep inspection.


Fortinet currently recommends the following workaround (referred to as DNS blackholing):
Make a backup first: at the top right, click your profile > Config > Backup

# Manually trigger a definitions update
execute update-now

# Verify that at least the Certificate Bundle 1.28 got installed
diagnose autoupdate versions | grep -A5 '^Cert'
Certificate Bundle
---------
Version: 1.00028

# Block access to apps.identrust.com by adding a DNS blackhole
config system dns-database
  edit 0
    set domain "identrust.com"
    set authoritative disable
    config dns-entry
      edit 0
        set hostname "apps"
        set ip 127.0.0.1
      next
    end
  next
end

# Note: Once apps.identrust.com stops sending the expired CA Certificate the above configuration can be removed.
# Note: By setting "set authoritative disable" other FQDNs like commercial.ocsp.identrust.com can still be resolved.
# Note: The IPS engine and WAD daemon may cache the previous certificate validation results. Check the commands in Fortinet KB above to clear their cache.


# To troubleshoot the update daemon, use the following CLI commands:
diag debug application updated -1
diag debug enable


With DNS blackholing in place, you can revert any of the previous workarounds:

1. Use flow-based web filtering. Note: the firewall policy will need to be in flow mode as well for this to work. This workaround will not work if deep inspection is on.

2. Alternatively, in the SSL Inspection Profile > Invalid Certificate > “Custom”, allow “Expired Certificate” in the interim. (This should be used with caution.)
