We’re facing an SSL issue with Fortinet that’s restricting access to the subdomain lp.xxx.com, citing its DigiCert-signed SSL certificate as invalid. On the flip side, our main domain, xxx.com, is managed through Cloudways and employs Cloudflare Enterprise for its SSL services. Interestingly, when inspecting the subdomain’s SSL, it seems to share the same Cloudflare-provided SSL certificate as the main domain. A verification using https://lp.xxx.com/collagen indicates that the SSL certificate is indeed provided by Cloudflare. How can we rectify this conflict and resolve the problem?
That host appears to have no valid certificate
curl -Ikv https://lp.xxx.com/collagen
* Trying 141.0.173.173:443...
* Connected to lp.xxx.com (141.0.173.173) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
Hi @cscharff
Thanks for your answer,
The url is not https://lp.xxx.com/collagen
it was an example
Warm Regards,
Johan
It is best to avoid using real domains that aren’t yours as examples. There are special reserved domains for that purpose.
You also increase your chance of getting useful answers when you can use the real domains since it will allow others to respond based on their observations.
Sorry
The real domain and url is https://lp.elevationesingapore.com/collagen
The SSL cert is just fine. Since you’re using Fortinet as a MiTM to intercept SSL requests, you’ll need to determine with the vendor why it is throwing an error or disable interception for that hostname.
curl -Ikv https://lp.elevationesingapore.com/collagen
* Trying 162.159.136.54:443...
* Connected to lp.elevationesingapore.com (162.159.136.54) port 443 (#0)
* ALPN: offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=lp.elevationesingapore.com
* start date: Sep 3 00:00:00 2023 GMT
* expire date: Sep 1 23:59:59 2024 GMT
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
* using HTTP/2
* h2 [:method: HEAD]
* h2 [:scheme: https]
* h2 [:authority: lp.elevationesingapore.com]
* h2 [:path: /collagen]
* h2 [user-agent: curl/8.1.2]
* h2 [accept: */*]
* Using Stream ID: 1 (easy handle 0x150010800)
> HEAD /collagen HTTP/2
> Host: lp.elevationesingapore.com
> User-Agent: curl/8.1.2
> Accept: */*
>
< HTTP/2 200
HTTP/2 200
< date: Sun, 10 Sep 2023 15:50:20 GMT
date: Sun, 10 Sep 2023 15:50:20 GMT
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< cf-ray: 8048d3774a168c15-EWR
cf-ray: 8048d3774a168c15-EWR
< cf-cache-status: DYNAMIC
cf-cache-status: DYNAMIC
< access-control-allow-origin: *
access-control-allow-origin: *
< vary: Accept-Encoding, Accept-Encoding
vary: Accept-Encoding, Accept-Encoding
< access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
access-control-allow-headers: Origin, X-Requested-With, Content-Type, Accept
< access-control-allow-methods: *
access-control-allow-methods: *
< x-powered-by: Express
x-powered-by: Express
< set-cookie: __cf_bm=Frxnw6.lcnt1h6e0eMAywLjHOCZf37ZrTglZqjaioDA-1694361020-0-AYyduaLabJxKuIsfTkzSmZhvtS0rEkoC/wcelz1wmC6Nf3DLbgPJrSEm6JTTWUiSghRWmClpXloWvaJzHk5rWgY=; path=/; expires=Sun, 10-Sep-23 16:20:20 GMT; domain=.lp.elevationesingapore.com; HttpOnly; Secure; SameSite=None
set-cookie: __cf_bm=Frxnw6.lcnt1h6e0eMAywLjHOCZf37ZrTglZqjaioDA-1694361020-0-AYyduaLabJxKuIsfTkzSmZhvtS0rEkoC/wcelz1wmC6Nf3DLbgPJrSEm6JTTWUiSghRWmClpXloWvaJzHk5rWgY=; path=/; expires=Sun, 10-Sep-23 16:20:20 GMT; domain=.lp.elevationesingapore.com; HttpOnly; Secure; SameSite=None
< server: cloudflare
server: cloudflare
< alt-svc: h3=":443"; ma=86400
alt-svc: h3=":443"; ma=86400
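The practical check behind the answer above is to look at which issuer the client actually receives and whether the handshake even reaches the certificate, then compare a run from inside the inspected network with one from outside. The script below is an added example written for this thread, not code from the forum, Cloudflare or Fortinet. It assumes that the expected issuer organisation is the one curl reported from the working run ("Cloudflare, Inc."), that an inspecting device re-signs with a CA whose issuer name differs, and that the sample transcripts it carries are constructed from the curl output quoted in this thread plus one invented "intercepted" case.

```python
"""Classify a TLS path as direct, re-signed by an inspecting middlebox,
rejected because the presented issuer is untrusted, or aborted before a
certificate is presented. Added example; assumptions noted in comments."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional

# Assumption: the issuer seen on the uninspected path (from the curl run in this thread).
EXPECTED_ISSUER_ORG = "Cloudflare, Inc."

# Constructed sample transcripts (trimmed from the thread's curl -Ikv output).
SAMPLE_DIRECT = """* subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=lp.elevationesingapore.com
* issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
* SSL certificate verify ok.
"""
SAMPLE_ABORTED = """* (304) (OUT), TLS handshake, Client hello (1):
* LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
* Closing connection 0
curl: (35) LibreSSL/3.3.6: error:1404B438:SSL routines:ST_CONNECT:tlsv1 alert internal error
"""
# Invented: what a trusted inspection CA re-signing the leaf would look like.
SAMPLE_INTERCEPTED = """* subject: CN=lp.elevationesingapore.com
* issuer: O=Example Corp TLS Inspection CA; CN=inspection-root
* SSL certificate verify ok.
"""


@dataclass
class TlsObservation:
    ok: bool                    # handshake completed and chain verified
    issuer_org: Optional[str]   # O= of the issuer actually presented to this client
    subject_cn: Optional[str]   # CN= of the leaf
    error: Optional[str]        # handshake/verification error text, if any


def _dn_field(dn: str, key: str) -> Optional[str]:
    """Pull one attribute ('O', 'CN', ...) out of a 'C=US; O=...; CN=...' string."""
    for part in dn.split(";"):
        k, _, v = part.strip().partition("=")
        if k == key:
            return v.strip()
    return None


def _name_attr(name, key: str) -> Optional[str]:
    """Same lookup for ssl.getpeercert() tuples: ((('organizationName', 'X'),), ...)."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def observe_live(host: str, port: int = 443, timeout: float = 5.0) -> TlsObservation:
    """Real handshake against the system trust store; records what was presented."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return TlsObservation(False, None, None, str(exc))
    return TlsObservation(True, _name_attr(cert.get("issuer", ()), "organizationName"),
                          _name_attr(cert.get("subject", ()), "commonName"), None)


def parse_curl_verbose(text: str) -> TlsObservation:
    """Build the same record from a `curl -Ikv` transcript captured on another machine."""
    issuer = subject = error = None
    verified = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("* issuer:"):
            issuer = _dn_field(line.split(":", 1)[1], "O")
        elif line.startswith("* subject:"):
            subject = _dn_field(line.split(":", 1)[1], "CN")
        elif line.startswith("* SSL certificate verify ok"):
            verified = True
        elif line.startswith("curl: ("):
            error = line
    return TlsObservation(verified and error is None, issuer, subject, error)


def classify(obs: TlsObservation, expected_issuer_org: str = EXPECTED_ISSUER_ORG) -> str:
    """'direct', 'intercepted', 'untrusted-issuer' or 'handshake-aborted'/'handshake-failed'."""
    if obs.ok:
        return "direct" if obs.issuer_org == expected_issuer_org else "intercepted"
    err = (obs.error or "").upper()
    if "CERTIFICATE_VERIFY_FAILED" in err or err.startswith("CURL: (60)"):
        return "untrusted-issuer"   # re-signed by a CA this client does not trust, or a genuinely bad cert
    if "INTERNAL ERROR" in err or "INTERNAL_ERROR" in err:
        return "handshake-aborted"  # peer sent a fatal alert before any certificate was checked
    return "handshake-failed"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "lp.elevationesingapore.com"
    result = observe_live(target)
    print(target, classify(result), result)
```

Run `observe_live` (or feed a saved `curl -Ikv` transcript to `parse_curl_verbose`) once from a machine behind the inspecting firewall and once from outside it. If the outside run is `direct` and the inside run is anything else, the difference is the interception device, not the Cloudflare certificate, and the fix belongs on that device (an exemption for the hostname, or a vendor case for why it aborts the handshake). An inside result of `intercepted` with a verified chain means the client trusts the inspection CA and the device is re-signing successfully, which is worth knowing before blaming the origin.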
Thanks for your answer, but how do I disable interception for that hostname?
That’s also a question for the vendor. Not a product I’ve ever managed, but if it doesn’t have that capacity it’s probably worth just throwing it out.