TT-CSIRT-398.05.10.21: TTCSIRT ADVISORY – Fortinet and Expiring Let’s Encrypt Certificates
Please be advised, with the current issue of certain sites being presented with an invalid or expires SSL Certificate when attempting to gain access, Fortinet was made aware by customers in the early hours of September 30th that TLS connections to web sites using Let’s Encrypt certificates were failing. Our first response was to validate the certificate chain. We discovered that the root CA for Let’s Trust certificates, IdenTrust DST Root CA X3, had expired at 00:00 UTC on September 30th.
The issue being seen by Fortinet customers is due to Fortinet devices validating the full chain of trust and then invalidating the chain when it sees that the CA IdenTrust DST Root CA X3 is expired, even though the cross-signed ISRG Root X1 root is valid for longer.
For sites under your own control, changing your server certificate to using the alternative chain will remove this issue, except for pre-7.1.1 Android devices, as described above.
Workaround 1 – Prevent fallback to the expired Root CA
With the removal of the expired IdenTrust DST Root CA X3 in Certificate Bundle version 1.28, it is possible to prevent fallback to the expired root CA by blocking FortiGate access to apps.identrust.com, resulting in the correct root CA being used. This can be achieved by using either DNS blackholing or via an FQDN policy to block access to apps.identrust.com.
This will force the FortiGate device to rebuild the certificate chain and find the ISRC Root X1 Root CA Cert in the local certificate in the store.
config system dns-database
set domain “identrust.com”
set hostname “apps”
set ip 127.0.0.1
Workaround 2 – Accept the expired certificates
For third-party sites outside of your control, customers can turn off this certificate expiration validation using the following CLI as a temporary workaround:
config firewall ssl-ssh-profile
set expired-server-cert allow
set untrusted-server-cert allow
Disclaimer: By applying this workaround, you understand that end users connecting to webservers affected by invalid/expired certificates may have reduced protections typically afforded through the certificate chain. HTTPS connections matching the firewall policy with this SSL/SSH inspection profile may not be blocked when FortiGate sees invalid/expired certificates in the TLS Server Hello coming from the webserver. End users may see certificate warnings reported by the browser and it is the end user’s responsibility to decide to connect to the website that is providing the expired certificate and accept the risk that may be associated with the expired certificate.
TT-CSIRT advises to read and consider the disclaimer provided by Fortinet. Opening up to invalid and expired certificates widens the risk and attack vector for greater exposure to your network parameter.