Err_cert_authority_invalid

Hello,

As I mentioned in this post, we import our certificates and intermediate certificates into FortiWeb. Since the intermediate certificate we are currently using will expire on September 29, 2021, I uploaded another one (this one), but when I use it, the message below is shown for some users:

Your connection is not private
Attackers might be trying to steal your information from..... etc
ERR_CERT_AUTHORITY_INVALID

Knowing that the CA certificate that we are currently using in FortiWeb is:

I guess I need to upload the new CA certificate as well, right?
Can you please give me the right URL to download the new CA cert?

NB: Whynopadlock doesn't show any error.
Because of this problem, I am obliged to use the old intermediate certificate, but it will expire on September 29.
Below, the intermediate certificates that are in FortiWeb; the one selected is the one we are currently using:

Can you please help me?

I thank you in advance


How are they using it? (which browser, etc.)
Can you show a URL that trips this message?

and:

What's the difference between those two? I.e., where are you using the R3 intermediate and what is the function of the "CA certificate" in Fortiweb?

Also, please share the hostname of the site you're having trouble with.

And as also mentioned in your previous thread: you should NOT hard-code any intermediate EVER but let the ACME client handle the intermediate certificates gracefully without any manual tampering.


This is Let's Encrypt Authority X3, which was retired in December 2020. Even if there's a version of X3 that is not yet expired*, all certificates are currently signed with a different keypair, making this intermediate certificate completely invalid.

As already stated by Osiris, you should not manage intermediate certificates manually.

*X3 signed by DST Root CA X3 already expired in March this year, but X3 signed by ISRG Root X1 will expire on 2021-10-06; however, this deadline is not important, given that the intermediate has already become obsolete.

Also, in your first screenshot it reads CA_Cert_1, but later all entries show Inter_Cert_*. In the latter screenshot, no X3 is present - only R3 (which is correct). I don't see how they correlate.


Below, a screenshot of what is displayed for me in Chrome; sorry, it's in French, but the error is in English. Other users log in with their phones; I don't know exactly which browser they are using.
Our domain is: elearning.univ-bejaia.dz

I never hard-code any intermediate; I have neither the need nor the skills to do this.
As I mentioned in my old post, to set up HTTPS for our site, we had to import into FortiWeb the certificate of the certification authority, the intermediate certificate, the server certificate and the private key. So I just followed the instructions I found in the FortiWeb documentation.

When we use Inter_cert2, the site works fine, but when we use Inter_cert3 the error is shown for some users.
Currently we use Inter_cert2, but it will expire on September 29.
What does the error below mean exactly?
ERR_CERT_AUTHORITY_INVALID

It seems that Inter_cert3 is the one to use.
If there are some users that are having trouble with it, it is likely a problem with those users' trust store.
[likely missing the ISRG Root X1 cert]

Maybe you can switch to it and let us test it out from here (then switch back).

I am using Inter_cert3 now; can you please test it?
Thank you.

Done.
Everything is right with Inter_cert3.
The problems experienced with the clients must be within the client systems.

I still have the same problem with Chrome but not with Firefox.


Can you please access our site with Google Chrome and tell me if it's OK?
https://elearning.univ-bejaia.dz/

I just tried it with Opera and Edge on my PC and Chrome on my Samsung mobile (sorry, no Chrome on my PC). All saw your site fine. It is now 11:56 UTC


Your site is not sending any intermediate certificate. It is just sending the leaf certificate:

# openssl s_client -connect elearning.univ-bejaia.dz:443
CONNECTED(00000184)
depth=0 CN = elearning.univ-bejaia.dz
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = elearning.univ-bejaia.dz
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = elearning.univ-bejaia.dz
verify return:1
---
Certificate chain
 0 s:CN = elearning.univ-bejaia.dz
   i:C = US, O = Let's Encrypt, CN = R3
---

This also explains why it works on some systems but not on others. Clients that have R3 cached (or can load it externally) will have no problems connecting to your site; other clients will show validation errors.

Your site should actually be serving two intermediates (R3 signed by ISRG Root X1 and ISRG Root X1 signed by DST Root CA X3), but I'm still not understanding why you're trying to configure intermediate certificates manually. Nothing in the guides I've found about FortiWeb (1, 2) implies that this is necessary.

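As an added example (not part of this thread, and not FortiWeb's or Let's Encrypt's code), the script below reproduces the situation described in the post above with the openssl CLI. It builds a throwaway root / intermediate / leaf PKI and shows that verifying the leaf with only the root in the trust store fails (the same "unable to get local issuer certificate" error as in the s_client output), that verifying with the matching intermediate supplied succeeds, and that a retired intermediate with the same name but a different keypair does not help. It also checks that the bundle a server should send (leaf first, then the intermediate) contains more than one certificate and is in the right order. All names (Test Root, Test Intermediate, www.example.test) are constructed, and it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from FortiWeb/Let's Encrypt.
# Builds a constructed root -> intermediate -> leaf PKI with the openssl CLI
# and shows why a server that sends only its leaf fails chain validation.
# Requires openssl 1.1.1+ on PATH. All names below are constructed.

WORK=$(mktemp -d)

# Create the test PKI in $WORK: root.pem, int.pem, stale_int.pem, leaf.pem,
# plus fullchain.pem (leaf then intermediate, what a server should send).
# Runs in a subshell so the cd does not leak to the caller.
make_test_pki() (
  cd "$WORK" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

  # Self-signed root.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -days 2 -in root.csr -signkey root.key \
    -extfile ca.ext -out root.pem 2>/dev/null

  # The intermediate that actually signs the leaf.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout int.key -out int.csr 2>/dev/null
  openssl x509 -req -days 2 -in int.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out int.pem 2>/dev/null

  # A retired intermediate: same subject name, different keypair (the
  # "signed with a different keypair" situation described in the thread).
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout stale.key -out stale.csr 2>/dev/null
  openssl x509 -req -days 2 -in stale.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -extfile ca.ext -out stale_int.pem 2>/dev/null

  # The server (leaf) certificate, issued by the current intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=www.example.test' \
    -keyout leaf.key -out leaf.csr 2>/dev/null
  openssl x509 -req -days 2 -in leaf.csr -CA int.pem -CAkey int.key \
    -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null

  cat leaf.pem int.pem > fullchain.pem    # correct order: leaf, then issuer
  cat int.pem leaf.pem > wrongorder.pem   # intermediate first: wrong
)

# Number of certificates in a PEM bundle; a bundle meant for a server
# should give at least 2 (leaf plus one intermediate).
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Split a PEM bundle into $2/cert-0.pem, $2/cert-1.pem, ... (first cert is cert-0).
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n > 0 { print > (dir "/cert-" (n - 1) ".pem") }' "$1"
}

# Return 0 when each certificate in the bundle is issued by the one that
# follows it, i.e. the order TLS clients expect: leaf, then intermediate(s).
chain_is_ordered() {
  d=$(mktemp -d)
  split_bundle "$1" "$d"
  n=$(cert_count "$1")
  i=0
  while [ "$i" -lt $((n - 1)) ]; do
    issuer=$(openssl x509 -in "$d/cert-$i.pem" -noout -issuer | cut -d= -f2-)
    subject=$(openssl x509 -in "$d/cert-$((i + 1)).pem" -noout -subject | cut -d= -f2-)
    [ "$issuer" = "$subject" ] || return 1
    i=$((i + 1))
  done
  return 0
}

# Verify a leaf ($2) against a trust store ($1); $3 is an optional untrusted
# intermediate, playing the role of what the server sends in the handshake.
# Returns openssl verify's exit status (0 only when the chain is valid).
verify_leaf() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

make_test_pki
echo "certificates in fullchain.pem: $(cert_count "$WORK/fullchain.pem")"
for intermediate in "" "$WORK/int.pem" "$WORK/stale_int.pem"; do
  if verify_leaf "$WORK/root.pem" "$WORK/leaf.pem" "$intermediate"; then
    echo "verify with intermediate '${intermediate:-none}': OK"
  else
    echo "verify with intermediate '${intermediate:-none}': FAILED"
  fi
done
```

The first iteration of the loop is the state the s_client output above shows (leaf only), and fails exactly as it would in a browser without the intermediate cached; the second is what a correctly served chain looks like to the client; the third is what happens when a stale intermediate is shipped instead of the current one. `chain_is_ordered` is the check to run on a bundle before loading it into a device, since a leaf-first, issuer-matching order is what clients expect.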

Hello,
Thank you very much for your help. Indeed, I had only imported the R3 signed by ISRG Root X1. Now I have also imported the ISRG Root X1 signed by DST Root CA X3, so the problem is solved; I mean it works with Google Chrome, and the Whynopadlock and SSL Labs sites don't show any errors.
But I will see if the users don't complain.
The links you provided are very interesting, but they concern version 6.4 of FortiWeb and above; unfortunately, the version we have is much lower and doesn't yet support the integration with Let's Encrypt to automatically generate the server's certificate. So I am obliged to do it manually.

Now I will answer your question: why do I have to manually manipulate intermediate certificates?
In 2017, I wanted to set up HTTPS for our site, so I generated the certificate and configured the Apache virtual host to serve it, but it didn't work: when I tested my site with the Whynopadlock site, it always detected the FortiWeb certificate rather than the Let's Encrypt certificate (as you can see here). By doing some research, I found in the FortiWeb documentation that it is necessary to import the CA's certificate and the server's certificate into FortiWeb (you can download FortiWeb's administration guide here, pages 295, 298 and 308). At that time, we had version 5.3 of FortiWeb, so I imported cert.pem as well as privkey.pem into FortiWeb. It is also written in the documentation that if the certificate is not signed by a root CA, then I must also import the intermediate certificate (i.e. the Let's Encrypt certificate, which is an intermediate certificate; page 310). Finally, in the server policy I had to select the certificate of my server (cert.pem) and the intermediates. Doing that, HTTPS worked very well. Below, the configuration of the server policy:
Server policy

Currently, I import fullchain.pem and privkey.pem (I no longer use cert.pem). I said to myself last Thursday that I should not import the intermediate certificates manually, since fullchain.pem contains the server's certificate as well as the intermediate certificates, so I tried not to use (not select) Inter_group1 (which contains the intermediates) in the server policy; but when I did that, Whynopadlock indicated that I have an invalid or missing intermediate certificate.
So I had to select that group again in the server policy, knowing that the Inter_group1 group contains the R3 signed by ISRG Root X1 and the ISRG Root X1 signed by DST Root CA X3.


I will continue my research to find a solution that does not require manually importing intermediate certificates with our current version of FortiWeb, while waiting to update FortiWeb to version 6.4.0, which supports the integration with Let's Encrypt to automatically generate the server's certificate.

