Description
There is an issue with the certificate chain served for certificates issued by Let's Encrypt.
The root they were originally chaining to, IdenTrust's DST Root CA X3, expired on 30 September 2021. The replacement is Let's Encrypt's own root, ISRG Root X1, but many older clients that have not been updated do not have ISRG Root X1 in their trust store. Let's Encrypt therefore chose a workaround: their default chain ends in a copy of ISRG Root X1 that is cross-signed by the expired DST Root CA X3 (the cross-sign itself expires on 30 September 2024). Older devices that trust DST Root CA X3 but do not check the validity period of their trust anchors (notably older Android versions) accept this chain. Clients (or security products) that build the chain all the way up to DST Root CA X3 and check its expiry fail, because that root has expired; clients with newer path-building logic (for example OpenSSL 1.1.0 and later) stop at the ISRG Root X1 in their own trust store instead and are not affected.
A more detailed explanation from Let's Encrypt can be found here.
A more detailed explanation from FortiClient can be found here.
An additional explanation of how the two certificate chains work can be found here.
To see which certificate chain a server is serving, you can use this SSL checker.
Fortigate suggested that they will fix this issue themselves in a future release. However, one year later this has not happened yet. Nevertheless, this can be handled at a later point.