Certificate not trusted by Fortigate

My domain is: api.meine-sicht.com

My web server is (include version): Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Digital Ocean

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.2

Dear people,

At api.meine-sicht.com we use a Let's Encrypt certificate. Everything is fine in 99% of cases. But we have a big client now that uses a very strict Fortigate firewall, which doesn't allow our certificate.
I'm not a trained programmer and I can't figure out where the problem is.

There are some problems listed on the output from check-your-website: api.meine-sicht.com - Make your website better - DNS, redirects, mixed content, certificates but I don't know how and where to fix them. Help would be greatly appreciated.

Thanks
Bernd

PS. At this address the api returns something: https://api.meine-sicht.com/languages/1

1 Like

Did the client provide you with details about why it isn't allowed? Any error or warning messages? Your server configuration is fine, so figuring this out is going to involve getting details from whoever runs the firewall device.

6 Likes

The communication with the client is a little difficult.
Here are two screenshots from what he sent over:

I don't think this has anything to do with your certificate, and everything to do with the way the firewall classifies your domain name.

The CERT_AUTHORITY_INVALID just looks like Chrome is being man-in-the-middled by the Fortigate device, which would not be caused by your Let's Encrypt certificate.

If I had to guess, I'd say that they need to allow your domain name in their firewall, and wherever that Chrome browser is running, needs to have the Fortigate MITM certificate in its trust store via group policy or whatever. Or allow access to the domain without it being MITM'd. Your client will know more about that ...

10 Likes
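A quick way to see from the client's network which of the two situations above applies, as an added example that is not part of this thread: a Python script (standard library only, no Fortinet API) that connects to the host and reports either a verification failure (the same condition the browser shows as CERT_AUTHORITY_INVALID, i.e. the inspection device's CA is not trusted) or, when the handshake verifies, whether the issuer is Let's Encrypt or some other CA that re-signed the certificate on the way. The hostname and the expected issuer organization name are assumptions for illustration.

```python
import socket
import ssl
import sys

# Issuer organization we expect on the real certificate (assumption: Let's Encrypt).
EXPECTED_ISSUER_ORGS = {"Let's Encrypt"}


def issuer_org(cert):
    """Return the issuer's organizationName from an ssl.getpeercert() dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def classify_peer_cert(cert, expected_orgs=EXPECTED_ISSUER_ORGS):
    """'expected' if the issuer is one we expect, 'intercepted' if another CA
    (e.g. a TLS-inspecting firewall whose CA was pushed via group policy) signed
    what the client received, 'unknown' if no issuer organization is present."""
    org = issuer_org(cert)
    if org is None:
        return "unknown"
    return "expected" if org in expected_orgs else "intercepted"


def diagnose(hostname, port=443, timeout=5.0):
    """Handshake with the system trust store and report what this network sees."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # The chain presented to us is not trusted here: the browser equivalent
        # is CERT_AUTHORITY_INVALID, typical of an inspection CA not in the store.
        return "untrusted: " + exc.verify_message
    return classify_peer_cert(cert)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "api.meine-sicht.com"
    print(host, "->", diagnose(host))
```

Run it once from inside the client's network and once from outside; "expected" outside and "intercepted" or "untrusted" inside confirms the device, not the Let's Encrypt certificate, is what the browser is complaining about.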

Thank you. Something along those lines I suspected from the start. Thank you for the confirmation.

4 Likes

If people have the same problem: I found a solution that has nothing to do with the certificate.
Apparently Fortinet categorises every URL out there. You can check that here: Fortinet URL Rating Submission
If your URL is not in any category you can fill out a short form and then Fortinet categorises it. Everything works fine now with our client.

4 Likes