Is it possible to change ssl issuer?

Hello.
I tried to create an SSL certificate with certbot for my client. The certificate was created successfully, but browsers (Firefox and Chrome) warn with the message ERR_CERT_AUTHORITY_INVALID.

When I look at the issuer name, it is "Issuer: Fortinet Untrusted CA", but on other servers where I created SSL certs, the issuer name was "Let's Encrypt".

I deleted the certificate with certbot and created the SSL cert for my domain again, but the issuer name was "Fortinet Untrusted CA" again. Can I change this?

Thanks.


If you're issuing a certificate from Let's Encrypt, and seeing a certificate from Fortinet in your browser, then there's a Fortinet product on your network which is intercepting your connection and putting its certificate in the middle instead. So, your browser is rightly complaining, as your connection isn't secure since this Fortinet product is intercepting it.

Usually, this is on a corporate network, and they've set up their computers to trust this intercepting certificate (since it's their own computers, they can add a root certificate that they trust to the computers' trust stores, and this root is what creates intercepting certificates for all sites). This lets the company see all the traffic that's happening. If properly set up, it's not really "insecure", it just means that you're trusting the corporate infrastructure (a Fortinet device in this case) to check certificates instead of the end-devices, and of course the corporate infrastructure gets to see all the traffic (but if it's a corporate-owned device they could just have put spyware on the end-devices directly if they wanted to). Though whether your device or the corporate infrastructure is more likely to be set up right may be a disputed concept. :)

So, I think you need to do more investigation, since if one of those devices is in use, and you're involved in setting up servers for the organization using it, then you'd probably already be aware of it. So it's possible it's somebody specifically attacking you and your connection, but more likely you need to just consult with whomever is running that Fortinet device if it's not doing what you're expecting.


Thanks a lot!
So, should I contact the IT admin?


Well, if on most networks you see the certificate you made, but on some systems or networks you see this Fortinet certificate instead, and you don't understand why, then yes you should consult with the IT admin for those systems or networks.


No no.
This happened for only this server.

Another question:
Is there a difference between SSL certs created with these commands?

  1. certbot certonly --nginx -d domain
  2. certbot certonly --standalone -d domain

There is no difference between SSL Certs that are created with those two commands.

The only differences are in how Certbot gets the certificates, and what it does with them.

Using --standalone, Certbot runs its own webserver to answer challenges, and just procures a Certificate onto the disk for you.

Using --nginx, Certbot will (i) try to answer challenges with your nginx server, and (ii) update your nginx config to use the new Certificate.

There are often issues with the --nginx and --apache flags, and sometimes Certbot can only procure the Certificate -- but not install it. These issues are continually fixed/improved in new Certbot releases.

I'm saying all this, because it is possible that you obtained a certificate with Certbot, but did not successfully install it into your nginx, and are showing an old certificate.

It's more likely that you're dealing with a MITM enterprise software that is breaking SSL as @petercooperjr said above -- but it is possible that you got a certificate but did not install it correctly.

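One way to tell the two explanations in this answer apart (nginx still serving an old certificate versus a device replacing it in transit), as an added example that is not part of the original thread: compare the SHA-256 fingerprint of the leaf certbot wrote to disk with the leaf actually served, once when connecting from the server itself (127.0.0.1 with SNI) and once from the client. The file path, host names and the three-way classification are assumptions of this example, not something the thread or Certbot provides.

```python
import base64
import hashlib
import re
import socket
import ssl

# Assumed path; certbot writes the leaf first in fullchain.pem under /etc/letsencrypt/live/<domain>/
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def leaf_der_from_pem(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM bundle (the leaf)."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no certificate found in PEM data")
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form browsers and openssl display."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_leaf(server_name: str, connect_host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate presented for server_name when connecting to connect_host.

    Verification is disabled on purpose so that an untrusted intercepting certificate is
    returned rather than rejected; only the TLS handshake is performed, no request is sent.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def diagnose(disk_fp: str, local_fp: str, remote_fp: str) -> str:
    """Classify a mismatch from three fingerprints: certbot's file on disk, what nginx serves
    when contacted from the server itself, and what a client on another network receives."""
    if disk_fp == local_fp == remote_fp:
        return "ok: clients receive the certificate certbot issued"
    if disk_fp != local_fp:
        return "not installed: nginx serves a different (probably old) certificate; reload nginx or re-run certbot --nginx"
    return "intercepted: nginx serves the right certificate, but something between client and server replaces it"
```

Compute `disk_fp` with `fingerprint(leaf_der_from_pem(open(path, "rb").read()))`, `local_fp` from `fetch_served_leaf(domain, "127.0.0.1")` run on the server, and `remote_fp` from `fetch_served_leaf(domain, domain)` run on the affected client, then pass all three to `diagnose()`.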
