You have configured SSL deep inspection with your own PKI CA certificate.
Most of the time, it works as expected. The FortiGate automatically generates a certificate signed by your PKI CA certificate.
The client browser doesn't report any error.
Sometimes, the generated certificate is not signed by your PKI CA certificate but by the default Fortinet "Fortinet_CA_Untrusted" certificate. Of course, you have not deployed this CA certificate on your computers, as it should not be used. So, you get an SSL error.
Why does the FortiGate generate a certificate with the wrong CA? The destination certificate seems to be fine: no error is reported by the browser of a computer without deep inspection.
Quick answer: the destination certificate is not trusted by the FortiGate because intermediate certificates are missing on the destination server, so the FortiGate cannot build a chain from the server certificate up to a trusted root.
To avoid this issue, you have to define your PKI CA certificate as the CA used for untrusted certificates. It can be done only through the CLI.
FORTIGATE # config firewall ssl-ssh-profile
FORTIGATE (ssl-ssh-profile) # edit "MyDeepInspectionProfile"
FORTIGATE (MyDeepInspectionProfile) # set untrusted-caname "MyPkiCA"
FORTIGATE (MyDeepInspectionProfile) # end
Replace "MyDeepInspectionProfile" with the name of your custom deep inspection profile and "MyPkiCA" with the name of your PKI CA certificate.
When you add a domain to the whitelist through the Web UI, the website is still blocked.
Solution 1 - Use the command line:
Remove the domain from the Web UI and add it using the pihole command line:
pi@raspberrypi:~ $ pihole -w weeta.net
[i] Adding weeta.net to whitelist...
[i] weeta.net does not exist in blacklist, no need to remove!
[i] weeta.net does not exist in wildcard blacklist, no need to remove!
[i] Using cached Event Horizon list...
[i] 121,709 unique domains trapped in the Event Horizon
[i] Number of whitelisted domains: 8
[i] Number of blacklisted domains: 7
[i] Number of wildcard blocked domains: 2
[✓] Parsing domains into hosts format
[✓] Cleaning up stray matter
[✓] Force-reloading DNS service
[✓] DNS service is running
[✓] Pi-hole blocking is Enabled
Solution 2 - Move to the dev branch:
The problem has been resolved in the development branch.
pi@raspberrypi:~ $ pihole checkout dev
Please note that changing branches severely alters your Pi-hole subsystems
Features that work on the master branch, may not on a development branch
This feature is NOT supported unless a Pi-hole developer explicitly asks!
Have you read and understood this? [y/N] y
[i] Shortcut "dev" detected - checking out development / devel branches...
[i] Pi-hole Core
[✓] Switching to branch: 'development' from 'refs/heads/master'
[i] The install log is located at: /etc/pihole/install.log
Then add the domain to the whitelist through the Web UI.