Skip to main content
live89
live89
Explorer III
November 24, 2020
Question

SCEP certificate enrollment failed | VDOM

  • November 24, 2020
  • 2 replies
  • 4974 views

Has anyone faced issue with SCEP in FGT VDOM mode ?

 

I have two environments where I use SCEP

one environment has fortigate and fortiauthenticator , while the fortigate is not in vdom mode . And I use there SCEP for auto certificate enrollment and its working fine

 

another environment I have is where Fortigate is configured with multiple vdoms and in one vdom I'm trying to use SCEP along with fortiauthenticator and it is not working when I'm trying to use the internal IP of the fortiauthenticator as the SCEP server. But when I switch to the public IP of the fortiauthenticator it is working just fine ...

 

In 'config vpn certificate local" I tried to change this setting "set source-ip 0.0.0.0" to "set source-ip <lan interface ip addr>" , but got this error message:

node_check_object fail! for source-ip 172.26.137.33

 

how can solve this problem??

2 replies

AntonioMartins
AntonioMartins
Explorer
February 11, 2022

Hi,

Same problem here...

Did you figure out how to solve it?

Thanks

AM

Debbie_FTNT
Staff & Editor
Debbie_FTNT
Staff & Editor
February 11, 2022

Hey Antonio,

If you have the exact same issue as live89 (FortiAuthenticator doesn't renew certificates if the request comes in on an internal interface, but DOES if the request comes via its public interface) that sounds as if SCEP is not enabled on the particular FortiAuthenticator interface; I would suggest checking the interface details and seeing what services are enabled.

Richie_C
Staff
Richie_C
Staff
July 6, 2022

Hi 

 

I know that this is a bit late, but I have been building a multi-VDOM SCEP lab and found a few bits that maybe useful. With limited info about the setup I have made the following observations which may help.

 

  • The VDOM must be able to resolve the DNS if you are using a FAQDN for the scep request
  • The VDOM in question must be able to route to the FAC
  • you could route to the SCEP server via the management/root VDOM if you create an inter-vdom link and resolve the routing accordingly

Thanks

Rich

Terms & ConditionsAccessibility statement