jbaraona
Staff
April 9, 2026

Troubleshooting Tip: Devices showing offline with ‘Unknown CA’ error after FortiGate software upgrade

Description

This article outlines an issue where devices may appear offline and show an ‘Unknown CA’ error after upgrading FortiGate software.
It also includes the troubleshooting steps to help identify and resolve the issue using a custom certificate.

This occurs because the certificate fingerprint changes after the upgrade, causing FortiAIOps to no longer recognize the FortiGate certificate as trusted.
As a result, the certificate is treated as being signed by an untrusted Certificate Authority.

Scope

FortiOS, FortiAIOps and FortiManager.

Solution

To resolve the issue of devices appearing offline with an 'Unknown CA' error after upgrading FortiGate software, the following options are available:

  1. Delete and re-add devices in FortiAIOps: This action re-establishes the connection and resolves the issue.
  2. Import the HTTPS CA certificate: Download the HTTPS CA certificate from the FortiGate and import it into FortiAIOps.

The options above are documented in Troubleshooting Tip: How to troubleshoot an Unknown CA error for a managed FortiGate in FortiAIOps.

While these two options are suitable for environments with a small number of devices, they may not be practical for larger deployments.

This article focuses on the recommended approach for scalable environments:

  1. Deploy custom certificates across devices.

FortiAIOps and FortiGate certificate requirements:

Communication between the FortiAIOps application and FortiGate devices is secured using SSL/TLS encryption. As a result, FortiAIOps can successfully discover and manage a FortiGate only when a valid certificate is installed on the device.

To ensure successful discovery, the managed FortiGate IP address or FQDN configured in FortiAIOps must match the Subject Alternative Name (SAN) field in the FortiGate certificate. A mismatch will result in discovery failure.

If the SSL certificate fingerprint changes following an upgrade, or if the certificate is signed by an untrusted Certificate Authority (CA), the discovery process will fail and an 'Unknown CA' error will be displayed.

[Image: 1-Snipaste_2026-04-08_14-16-19.jpeg]

SAN configuration requirements:

  • If the FortiGate is configured in FortiAIOps using its IP address, the SAN field in the certificate must include the FortiGate IP address.
  • If the FortiGate is configured in FortiAIOps using its FQDN, the SAN field must include the corresponding FQDN or a wildcard FQDN that covers it (e.g., *.example.com covers fw1.example.com, branch1.example.com and vpn.example.com).
  • If both the IP address and FQDN are used, the SAN field must include both values.
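As an added pre-check (not from this article or from Fortinet's tooling), the Python below applies the SAN rules above to the identifier a device was added with, and reproduces the two failure states the article describes: a chain that does not validate against the installed CA ('Unknown CA') versus a chain that validates but whose SAN does not cover the identifier ('Certificate SAN mismatch'). The SAN sample is constructed, and `probe` is a hypothetical helper that assumes network reach to the FortiGate's HTTPS port.

```python
import ipaddress
import socket
import ssl

# Constructed sample SAN in the tuple form ssl's getpeercert() returns (not from a real device).
CONSTRUCTED_SAN = (("DNS", "*.example.com"), ("IP Address", "10.0.0.1"))


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def san_covers(identifier: str, san) -> bool:
    """True if the SAN entries cover `identifier` (an IP address or an FQDN).
    IPs need an 'IP Address' entry; FQDNs need an equal 'DNS' entry or a single
    leftmost wildcard label (*.example.com covers fw1.example.com, not a.b.example.com)."""
    ip = _as_ip(identifier)
    if ip is not None:
        return any(kind == "IP Address" and _as_ip(value) == ip for kind, value in san)
    host = identifier.lower().rstrip(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        if pattern.startswith("*.") and "." in host and host.split(".", 1)[1] == pattern[2:]:
            return True
    return False


def san_status(configured, san) -> str:
    """'ok', or the 'Certificate SAN mismatch' state naming the uncovered identifiers."""
    missing = [i for i in configured if not san_covers(i, san)]
    return "ok" if not missing else "Certificate SAN mismatch: " + ", ".join(missing)


def probe(host: str, port: int = 443, cafile=None) -> str:
    """Hypothetical helper: verify the chain against `cafile` (the CA installed under
    System -> CA Certificates), then check the SAN against the identifier the device
    was added with, so the two error states stay distinct."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # the SAN is checked by san_status instead
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                san = tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLCertVerificationError as exc:
        return "Unknown CA: " + str(exc.reason)
    return san_status([host], san)
```

`san_covers` and `san_status` run offline against the constructed sample; only `probe` needs a reachable device.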

Best practice recommendation:

For large-scale environments, it is recommended to deploy a custom certificate (e.g., a wildcard certificate) across all FortiGate devices. This approach ensures certificate consistency and prevents issues related to certificate fingerprint changes following software upgrades.

Steps to use custom certificates:

  1. Generate a custom certificate using either a public or private Certificate Authority (CA).
  2. Deploy the custom certificate centrally to all FortiGate devices using FortiManager.
  3. Upload the CA certificate to FortiAIOps:
    • Navigate to System -> CA Certificates -> Install CA Certificate.
  4. Ensure that the device hostname is properly configured in the DNS server to allow name resolution.
  5. Verify that FortiAIOps has a valid DNS server configured and can successfully resolve the device hostname:
    • Navigate to System -> Network Interface -> DNS.
  6. Update the HTTPS server certificate on the FortiGate:
    • Navigate to System -> Settings -> Administration Settings.
    • Under HTTPS Server Certificate, select the newly installed certificate from the dropdown menu.

[Image: 4-Snipaste_2026-04-08_14-22-28.jpeg]

After authorizing the firewalls with the custom certificate, the devices should appear online and be successfully discovered.

[Image: 2-Snipaste_2026-04-08_14-16-37.jpeg]

If there is an issue with the Subject Alternative Name (SAN) field in the FortiGate certificate, the devices will display a 'Certificate SAN mismatch' error in FortiAIOps and appear with an offline status.

[Image: 6-Snipaste_2026-04-08_21-13-11.jpeg]

Related articles: