Technical Tip: EMS connector issue after upgrading to v7.4.5, 'Certificate callback error -1: Error (-1@_check_verify_ems_ca:759' seen in debugs'

The status of the EMS connector shows as down in the GUI for a downstream FortiGate after upgrading to 7.4.5.

When running the following debug, 'Certificate callback error -1: Error (-1@_check_verify_ems_ca:759' will be seen:

dia deb reset

diagnose debug app fcnacd -1

diagnose debug enable

[ec_ems_context_submit_work:643] Call submitted successfully.
    obj-id: 0, desc: REST API to get EMS Serial Number., entry: api/v1/system/serial_number.

[__worker_handle_certinfo:292] Certificate callback error -1: Error (-1@_check_verify_ems_ca:759). CMDB error: ems 7 (local.ems) has verifying CN but not CA CN. (_dup_and_check_server_cert_cn_ca,876) (_duplicate_and_check_server_certificate,960)Failed to handle server certificate CN and verifying CA.
[ec_ez_worker_process:400] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"

The problem is caused because the downstream device does not have the CA cert saved in the config.

Workaround: Enable 'fabric-ca' on the root device under the certificate setting used for EMS connection:

config vpn certificate ca

    edit <cert used for EMS>

        set fabric-ca en

end

After enabling it on the root FortiGate, the certificate will be pushed to the downstream device and the EMS connector will come up.