akushwaha
Staff
December 29, 2025

Troubleshooting Tip: Unable to connect FortiClient EMS due to a server certificate

Description

This article describes an issue where FortiGate cannot connect to an on-prem FortiClient EMS server and shows the following error message:

 

Failed to verify the certificate for server "EMS 1 - EMS". The server
certificate cannot be authenticated with installed CA certificates. Please
install its CA certificates on this FortiGate.

Scope

FortiGate.

Solution

Error message in the GUI:

image (8).jpg

 

On CLI:

 

FGT-1 # diagnose endpoint fctems test-connectivity 1
Connection test had an error -4: EMS server certificate is not signed by any known CA.

FGT-1 # execute fctems verify 1
Error in requesting EMS fabric connection: -4 issue in getting capabilities. EMS server certificate is not signed by any known CA. Error (-1@_get_capabilities:461).

Command fail. Return code -9999

 

Diagnostics:

Enable debugging in the firewall:


diagnose debug application fcnacd -1

diagnose debug enable

 

To disable it:

 

diagnose debug reset

 

Debug output:

obj-id: 0, desc: "REST API to get EMS Serial Number.", entry: "api/v1/system/serial_number".
error info: Error (-1@__generic_process_result_ex:158). EMS server certificate is not signed by any known CA.

 

This error occurs when the FortiClient EMS certificate fails validation against a remote Certificate Authority (CA). The initial troubleshooting step is to verify that all certificates in the trust chain, including intermediate and root certificates, are correctly installed on the FortiGate.

 

If custom certificates are used, the FortiGate must trust the entire certificate chain to authorize the FortiClient EMS server. If the root CA certificate has already been imported and the error persists, the most likely cause is that the intermediate CA certificate has not been correctly imported.
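
The missing-intermediate case described above can be reproduced offline with openssl before changing anything on the FortiGate. This is an added example, not part of the original article or any Fortinet tooling; the chain (Lab-Root-CA, EMS-CA as the intermediate, ems.lab.example) is constructed, and openssl's chain verification stands in for the FortiGate's certificate check as an assumption.

```bash
#!/usr/bin/env bash
# Added example. Constructed chain: Lab-Root-CA -> EMS-CA -> ems.lab.example.
# Every name, key and certificate below is generated here for illustration.
work=$(mktemp -d)
printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = placeholder' \
  '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
  '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$work/cfg"

# issue NAME CN EXT [SIGNER]: self-signed when SIGNER is omitted
issue() {
  local name="$1" cn="$2" ext="$3" signer="$4"
  openssl req -newkey rsa:2048 -nodes -keyout "$work/$name.key" -subj "/CN=$cn" \
    -config "$work/cfg" -out "$work/$name.csr" 2>/dev/null
  if [ -n "$signer" ]; then
    openssl x509 -req -in "$work/$name.csr" -CA "$work/$signer.pem" \
      -CAkey "$work/$signer.key" -CAcreateserial -days 2 \
      -extfile "$work/cfg" -extensions "$ext" -out "$work/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$work/$name.csr" -signkey "$work/$name.key" -days 2 \
      -extfile "$work/cfg" -extensions "$ext" -out "$work/$name.pem" 2>/dev/null
  fi
}

# dn FIELD CERT: print the subject or issuer DN in one normalized form
dn() { openssl x509 -noout -nameopt RFC2253 "-$1" -in "$2" | sed 's/^[a-z]*= *//'; }

# trusted_by LEAF CA...: true only if LEAF chains to a root using the listed CAs
trusted_by() {
  local leaf="$1"; shift
  cat "$@" > "$work/store.pem"
  openssl verify -CAfile "$work/store.pem" "$leaf" >/dev/null 2>&1
}

# first_missing_issuer LEAF CA...: print the first issuer DN absent from the CAs
first_missing_issuer() {
  local cur="$1" ca found; shift
  while [ "$(dn issuer "$cur")" != "$(dn subject "$cur")" ]; do
    found=
    for ca in "$@"; do
      [ "$(dn subject "$ca")" = "$(dn issuer "$cur")" ] && found="$ca"
    done
    [ -z "$found" ] && { dn issuer "$cur"; return 1; }
    cur="$found"
  done
}

issue root Lab-Root-CA v3_ca
issue ems-ca EMS-CA v3_ca root
issue ems ems.lab.example v3_leaf ems-ca
trusted_by "$work/ems.pem" "$work/root.pem" ||
  echo "root only: import $(first_missing_issuer "$work/ems.pem" "$work/root.pem")"
trusted_by "$work/ems.pem" "$work/root.pem" "$work/ems-ca.pem" && echo "root + EMS-CA: verifies"
```

With real files, pass the EMS webserver certificate as the first argument and the CA certificates imported on the FortiGate as the remaining ones; `first_missing_issuer` prints the issuer DN that still has to be imported. It matches certificates by DN only, so it is a quick pointer rather than a full path validation.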

 

Verify the Server Certificate configured on FortiClient EMS to connect with FortiGate.

 

On FortiClient EMS:
Go to System Settings -> EMS Settings -> Webserver certificate:

image (9).jpg

 

Here, the custom certificate is configured as the Webserver certificate. Check which CA signed the server certificate. It can be validated as shown below:

Screenshot 2025-12-24 141129.png

 

Here, the Server Certificate is signed by EMS-CA. Make sure to install the CA certificate on FortiGate.

On FortiGate:

Go to System -> Certificates -> Create/Import -> CA Certificate and import the CA certificate:

 

Screenshot 2025-12-24 141421.png

 

Note:

When VDOMs are in use, upload the certificate to the global VDOM in addition to the VDOM that contains the fabric connector.

 

Afterwards, FortiGate will be connected to the FortiClient EMS server.

FGT-1 # execute fctems verify 1
EMS already verified.

FGT-1 # diagnose endpoint fctems test-connectivity 1
Connection test was successful.