PardeepSingh
Staff
March 9, 2026

Technical Tip: Resolving an 'Invalid EAB HMAC string' error when entering a longer ACME EAB HMAC value

Description

This article describes an issue encountered while creating a certificate using ACME External Account Binding (EAB), where the error 'Invalid EAB HMAC string' is displayed after entering an acme-eab-key-hmac value of more than 66 bytes.
Scope

FortiOS v7.6.3 and later.

Solution

FortiOS supports ACME External Account Binding beginning in FortiOS v7.6.3 (see ACME External Account Binding support). However, when creating a new certificate, the CLI rejects an ACME EAB HMAC key longer than 64 bytes and displays the message: 'Invalid EAB HMAC string. (Must be base64url encoded)'.

For example, the error is displayed when attempting to configure the following certificate with a 66-byte HMAC key:

config vpn certificate local
    edit "test-acme-zeroSSL"
        set enroll-protocol acme2
        set acme-ca-url "https://acme.zerossl.com/v2/DV90"
        set acme-email test@fortinet.com
        set acme-eab-key-id "AAbbCCddEEffGGhhIIjj22"
        set acme-eab-key-hmac "aaaaaBBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLL123"
Invalid EAB HMAC string. (Must be base64url encoded)
node_check_object fail! for acme-eab-key-hmac
aaaaaBBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLL123
value parse error before 'aaaaaBBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHH
Command fail. Return code -651


This is an issue under investigation with ID 1251941, provisionally scheduled for fix in FortiOS v7.6.7.


Workaround:

Modify the configuration backup by manually adding the certificate entry to the configuration file, then restore the updated configuration to the FortiGate device.

Example:

After downloading the configuration, open the configuration file and locate the 'config vpn certificate local' section. Paste the complete certificate entry into that section:

    edit "test-acme-zeroSSL"
        set enroll-protocol acme2
        set acme-ca-url "https://acme.zerossl.com/v2/DV90"
        set acme-domain "test.example.com"
        set acme-email "test@fortinet.com"
        set acme-eab-key-id "AAbbCCddEEffGGhhIIjj22"
        set acme-eab-key-hmac "aaaaaBBBBBCCCCCDDDDDEEEEEFFFFFGGGGGHHHHHIIIIIJJJJJKKKKKLLLLL123"
    next


Save the modified configuration file under a different name and restore it to the FortiGate. Warning: this will trigger a device reboot and can cause configuration corruption if done incorrectly.
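To check a key before typing it into the CLI, and to produce the entry that the workaround pastes into the backup, here is an added Python example; it is not part of the article and is not FortiOS code. It validates that the HMAC string uses only the base64url alphabet the error message refers to, reports its length against the 64-character limit the article describes (the limit constant is an assumption taken from the article's wording, not a documented product value), and renders the 'config vpn certificate local' entry from the fields shown above, rejecting any value that contains a double quote or newline so a malformed line cannot corrupt the restored backup. The sample keys are constructed for the example and are not real credentials.

```python
import base64
import re

# Alphabet permitted by base64url (RFC 4648 section 5). ACME EAB keys are
# normally unpadded, but trailing '=' padding is tolerated when classifying.
_B64URL_RE = re.compile(r"[A-Za-z0-9_-]+={0,2}")

# Length beyond which the article reports the FortiOS v7.6.3 CLI rejects the
# value. Assumed from the article's "longer than 64 bytes"; not a documented
# product limit.
FORTIOS_EAB_HMAC_MAX_LEN = 64


def check_eab_hmac(value: str, max_len: int = FORTIOS_EAB_HMAC_MAX_LEN) -> dict:
    """Classify an EAB HMAC key string the way the FortiOS check will see it.

    Returns whether the string is syntactically base64url, its character
    length, the number of raw key bytes it decodes to (None if invalid),
    and whether it is longer than the CLI limit described in the article.
    """
    is_b64url = _B64URL_RE.fullmatch(value) is not None
    decoded_len = None
    if is_b64url:
        unpadded = value.rstrip("=")
        # Four base64 characters carry three bytes; a remainder of one
        # character cannot encode anything, so such strings are malformed.
        if len(unpadded) % 4 == 1:
            is_b64url = False
        else:
            padded = unpadded + "=" * (-len(unpadded) % 4)
            decoded_len = len(base64.urlsafe_b64decode(padded))
    return {
        "is_base64url": is_b64url,
        "length": len(value),
        "decoded_bytes": decoded_len,
        "exceeds_limit": len(value) > max_len,
    }


def render_local_cert_stanza(name: str, ca_url: str, domain: str, email: str,
                             eab_key_id: str, eab_key_hmac: str) -> str:
    """Render the 'edit ... next' entry to paste under 'config vpn certificate
    local' in a FortiGate configuration backup, using only the settings the
    article shows.

    The HMAC key is validated first, and no value may contain a double quote
    or newline, so a malformed entry is caught before the backup is restored.
    """
    fields = {"name": name, "ca_url": ca_url, "domain": domain, "email": email,
              "eab_key_id": eab_key_id, "eab_key_hmac": eab_key_hmac}
    for field, text in fields.items():
        if '"' in text or "\n" in text:
            raise ValueError(f"{field} contains a quote or newline and would corrupt the stanza")
    if not check_eab_hmac(eab_key_hmac)["is_base64url"]:
        raise ValueError("acme-eab-key-hmac is not base64url encoded")
    return "\n".join([
        f'    edit "{name}"',
        "        set enroll-protocol acme2",
        f'        set acme-ca-url "{ca_url}"',
        f'        set acme-domain "{domain}"',
        f'        set acme-email "{email}"',
        f'        set acme-eab-key-id "{eab_key_id}"',
        f'        set acme-eab-key-hmac "{eab_key_hmac}"',
        "    next",
    ])


# Constructed sample keys (not real credentials): 49 raw bytes encode to 66
# base64url characters, which is over the limit; 32 bytes encode to 43.
SAMPLE_LONG_KEY = base64.urlsafe_b64encode(bytes(range(49))).decode().rstrip("=")
SAMPLE_SHORT_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")

if __name__ == "__main__":
    for key in (SAMPLE_SHORT_KEY, SAMPLE_LONG_KEY, "abc+/=="):
        print(check_eab_hmac(key))
    print(render_local_cert_stanza("test-acme-zeroSSL", "https://acme.zerossl.com/v2/DV90",
                                   "test.example.com", "test@fortinet.com",
                                   "AAbbCCddEEffGGhhIIjj22", SAMPLE_LONG_KEY))
```

Run the script as-is to see a short key classified as acceptable, the 66-character key flagged as over the limit, and a string with the standard base64 '+' and '/' characters rejected; when `exceeds_limit` is true for a key that is otherwise valid, the length rather than the encoding is what triggers the CLI error, and the rendered stanza is what goes into the backup.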