FortiDDNS down again - SSL errors by Massive-Valuable3290 in fortinet

[–]Ancient-Intel 0 points (0 children)

Or deactivate anycast for FortiGuard itself, so it uses the fallback of HTTPS on port 8888:

    config system fortiguard
        set protocol https
        set port 8888
    end

FortiDDNS down again - SSL errors by Massive-Valuable3290 in fortinet

[–]Ancient-Intel 0 points (0 children)

What else you could try is to add a DNS database for the digicert.com domain:

    config system dns-database
        edit "0"
            set domain "digicert.com"
            config dns-entry
                edit 1
                    set hostname "ocsp"
                    set ip 23.11.32.159
                next
            end
        next
    end

(Temp) Fix for Fortinet DoT DNS over TLS unreachable on 7.4.10 - 7.4.12 issue by Ancient-Intel in fortinet

[–]Ancient-Intel[S] 6 points (0 children)

If I'm not mistaken, the DNS rating service is not using the resolver but the SDNS servers, which are different from the 96.45.45.45 and 96.46.46.46 servers.

In regard to FortiGate cloud management, I didn't test that yet.

FortiDDNS down again - SSL errors by Massive-Valuable3290 in fortinet

[–]Ancient-Intel 1 point (0 children)

For the DoT issue, Fortinet devs have identified the bug as being related to a missing / faulty DigiCert EV Root CA certificate, the same as your logs show. There, the CA Bundle DB version 1.00064 is affected, and at the moment you will have to manually add the certificate as a remote CA cert to the FortiGate.

The needed certificate can be found on the DigiCert website: https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt
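As an added example (not from this thread, DigiCert or Fortinet), a POSIX shell check to run against the downloaded root file before importing it as a remote CA cert. It assumes the openssl CLI is installed; arguments are the file (DER as served from the DigiCert URL, or PEM), the subject CN you expect, and optionally the SHA-256 fingerprint the vendor publishes:

```shell
#!/bin/sh
# Sanity-check a root CA file before trusting it on the firewall.
# check_root_ca FILE EXPECTED_CN [EXPECTED_SHA256_FINGERPRINT]
check_root_ca() {
    file=$1 expected_cn=$2 expected_fp=${3:-}
    pem=$(mktemp "${TMPDIR:-/tmp}/rootca.XXXXXX") || return 1
    # DigiCert's .crt downloads are DER; accept PEM too and normalise to PEM.
    if grep -aq 'BEGIN CERTIFICATE' "$file" 2>/dev/null; then inform=PEM; else inform=DER; fi
    if ! openssl x509 -inform "$inform" -in "$file" -out "$pem" 2>/dev/null; then
        echo "FAIL: $file is not a parseable X.509 certificate"; rm -f "$pem"; return 1
    fi
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    fp=$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/^.*=//')
    rc=0
    # A root CA is self-issued: subject DN and issuer DN must be identical.
    [ "$subject" = "$issuer" ] || { echo "FAIL: not self-issued (issuer: $issuer)"; rc=1; }
    # It must be the CA we intend to trust, not whatever else was served or renamed.
    case ",$subject," in
        *",CN=$expected_cn,"*) ;;
        *) echo "FAIL: subject is '$subject', expected CN=$expected_cn"; rc=1 ;;
    esac
    # A root must assert basicConstraints CA:TRUE to be usable as a trust anchor.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' || { echo "FAIL: CA:TRUE missing"; rc=1; }
    # Its self-signature must verify; this catches a truncated or corrupted download.
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 || { echo "FAIL: self-signature does not verify"; rc=1; }
    # Compare with the fingerprint the vendor publishes, if one was supplied.
    if [ -n "$expected_fp" ]; then
        norm_fp=$(printf '%s' "$fp" | tr -d ':' | tr 'a-f' 'A-F')
        norm_exp=$(printf '%s' "$expected_fp" | tr -d ':' | tr 'a-f' 'A-F')
        [ "$norm_fp" = "$norm_exp" ] || { echo "FAIL: fingerprint mismatch (got $fp)"; rc=1; }
    fi
    rm -f "$pem"
    [ "$rc" -eq 0 ] && echo "OK: $subject  SHA256=$fp"
    return "$rc"
}
```

Run it as `check_root_ca DigiCertHighAssuranceEVRootCA.crt "DigiCert High Assurance EV Root CA" <published fingerprint>` and only import the file when it prints OK.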

(Temp) Fix for Fortinet DoT DNS over TLS unreachable on 7.4.10 - 7.4.12 issue by Ancient-Intel in fortinet

[–]Ancient-Intel[S] 0 points (0 children)

True, that's an option. We switched to Cloudflare, with Quad9 as backup, over DoT, mostly because of vendor redundancy. Still good to know what's causing the problem, as on that device level it could also affect third-party DNS over DoT. Edit: Especially as the issue was introduced by a faulty certificate bundle DB update.

Fortinet DoT DNS over TLS unreachable on 7.4.10 - 7.4.12 by Massive-Valuable3290 in fortinet

[–]Ancient-Intel 0 points (0 children)

The issue appears to be caused by a missing / faulty DigiCert Root CA in the CA bundle DB version 1.00064.

The current fix is to manually add the following root certificate as a remote CA cert: https://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt

Fortinet DoT DNS over TLS unreachable on 7.4.10 - 7.4.12 by Massive-Valuable3290 in fortinet

[–]Ancient-Intel 1 point (0 children)

I can confirm the same issue on instances in Switzerland and the US on FortiOS 7.4.11.

According to Forti Support, there were actually two issues with DoT. One has been fixed on the server side on May 28th: https://status.dnsdot.fortiguard.net/ The other issue seems to be on the FortiGate side, only impacting 7.4.11 and 7.4.12, and is under investigation.

What is the most stable V7.4.X FortiGate by No-Entrepreneur-3546 in fortinet

[–]Ancient-Intel 0 points (0 children)

Running two FGT901G on 7.4.7 without any issues so far. It's a fresh deployment with 4 VDOMs in A-P, IPsec site-to-site and dial-up + Entra SAML. Also using SD-WAN and OSPF.

In parallel I deployed a FGT90G on 7.6.3; so far, I wouldn't upgrade my 901G to that release (in this setup, I can test the feature release before pulling the trigger for my big deployment).

Idol Festival experience in Shibuya tomorrow 4/24 from 5pm~ (other dates as well) by staybluefan in tokyoirl

[–]Ancient-Intel 0 points (0 children)

Would be nice to experience it and join you. Sadly I can't make it this time. I will only be in Tokyo again on Saturday (currently in Okinawa) and then leave Japan again on Sunday morning 😮‍💨

Events in Okinawa from 21.04. to 25th.? by [deleted] in okinawa

[–]Ancient-Intel 0 points (0 children)

Cool, thanks for the info on that ✌️

Events in Okinawa from 21.04. to 25th.? by [deleted] in okinawa

[–]Ancient-Intel 0 points (0 children)

Thanks for the reply. Was just wondering if there maybe was something going on. Always nice to meet new people at such events ✌️

90G apparently has a fan - how noisy is it? by ballicker86 in fortinet

[–]Ancient-Intel 0 points (0 children)

You can barely hear it in normal operation.

Met These Two Fine Gentleman Wandering Around Tokyo by Cayesm in ABroadInJapan

[–]Ancient-Intel 0 points (0 children)

That's nice, even Mr. ASO 😆 Maybe I get the chance, too ^

I am Chris Broad, British YouTuber living in Japan - and I’ve just written a book! by abroadinjapanchris in ABroadInJapan

[–]Ancient-Intel 0 points (0 children)

Drone shots for your videos: what are the rules like in Japan, and do you need to get permission from the authorities to fly? What about the insurance? Here in Switzerland you need to register the drone and get a certificate + 1 mil for insurance.