Problem:
A FortiClient EMS instance displayed a certificate error due to a mismatch between the server certificate and the previously configured EMS certificate. The issue arose after receiving a notification from Fortinet about a potential EMS connector service disruption because the certificate on FortiClient EMS was expiring.
Error Messages:
- The connection test had an error -4: The server certificate does not match the previously configured EMS certificate.
- Error in requesting EMS fabric connection: -9901 issue in getting capabilities.
diagnose endpoint fctems test-connectivity 1
Connection test had an error -4: Server certificate does not match previously configured EMS certificate.
Upon trying to unverify and verify in the CLI:
Unverify:
KMKC01ELIOTVPN01 # execute fctems unverify 1
FortiClient EMS certificate successfully unverified.
Verify:
KMKC01ELIOTVPN01 # execute fctems verify 1
Error in requesting EMS fabric connection: -9901 issue in getting capabilities. < Error (-1@_perform_rest_api:238). (_get_capabilities,435)
Command fail. Return code -9999
Resolution:
- Check under EMS settings to ensure the desired certificate is selected correctly: Go to FortiClient EMS -> System Settings -> EMS Settings -> Webserver Certificate and ensure that the desired certificate is selected.
When using the default built-in FortiClient EMS certificate, ensure that the EMS S/N certificate is selected, instead of server.crt. The following screenshot shows an incorrect selection:
[Screenshot: Webserver Certificate set to server.crt (incorrect)]
The correct selection is EMS-SN.crt:
[Screenshot: Webserver Certificate set to EMS-SN.crt (correct)]
- Check the DNS configuration: In this case the FortiGate's DNS servers were set to the FortiGuard DNS servers, but anycast was disabled in the FortiGuard settings, so name resolution for the EMS connector was not working reliably.
- Change the DNS servers: As a workaround, set the DNS servers to Google's public DNS: 8.8.8.8 and 8.8.4.4.
- Verify the FortiGuard Updates: Execute the command to verify the FortiGuard updates:
execute update-now
- Confirm the Firmware & General Updates contract expiry date: Execute the following command to verify that the FortiClient EMS contract is valid:
diagnose test update info contract
- Verify the EMS configuration: Execute the following command to verify the EMS configuration:
exec fctems verify 1
After execution, a certification chain is displayed. It is essential to review the details, including the issuer, the validity period, and other related certificate information.
- Trust the Certificate: At the end of the verification process, the system will prompt to confirm if the displayed certificate should be added to the trusted remote certificates. Respond with Y to confirm and trust the certificate.
- Verify Connection Status: After successfully configuring and verifying the certificate, the EMS connector should now display as 'Connected' and show a green status.
- Disable Windows Defender: If the following error is received and the above steps are not working, disable Windows Defender on the Windows Server where the EMS server is installed.
execute fctems verify <EMS name>
SCBGSPFW1 # execute fctems verify 1
Error in requesting EMS fabric connection: -1 issue in getting capabilities. EMS server was not reached (timeout)
Error (-1@_get_capabilities:446).
Command fail. Return code -9999
diagnose endpoint fctems test-connectivity <EMS name>
diagnose endpoint fctems test-connectivity 1
Connection test had an error -1: EMS server was not reached (timeout)
- If the EMS is not reachable, run the packet sniffer:
diagnose sniffer packet any "host <EMS IP address>" 4 0 l
Check whether the traffic to the EMS server leaves via the correct gateway. If it does not, the route is not configured: create a static route to the EMS server via the correct gateway and outgoing interface, after which the EMS will be reachable.
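The verify step above asks the administrator to review the issuer and validity period of the certificate the EMS presents, and the same expiring certificate caused the disruption in the first place. The following helper, added here as an example and not part of the Fortinet article or FortiOS, fetches the EMS web server certificate with openssl, summarises it, and reports how close it is to expiry so the connector can be re-verified before it breaks. The host, port 443 and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Example helper (not from the Fortinet article): inspect the certificate an
# EMS web server presents and warn before it expires.
# Usage: ems_fetch_cert <ems-host> [port] > ems.pem
#        ems_cert_summary ems.pem
#        ems_cert_days_left ems.pem [days]   (exit 0 ok, 1 expiring, 2 expired)
set -u

# Fetch the leaf certificate the EMS web server actually serves.
# Port 443 is an assumption; EMS installs may listen elsewhere.
ems_fetch_cert() {
  host=$1
  port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

# Print subject, issuer, validity window and SHA-256 fingerprint of a PEM
# certificate: the fields to compare against what 'exec fctems verify' shows.
ems_cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Exit 0 if the certificate stays valid for at least $2 days (default 30),
# 1 if it expires sooner than that, 2 if it has already expired.
ems_cert_days_left() {
  pem=$1
  days=${2:-30}
  secs=$((days * 86400))
  # -checkend N succeeds only if the certificate is still valid N seconds from now.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    return 2
  fi
  if ! openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null; then
    return 1
  fi
  return 0
}
```

Run ems_cert_days_left from a scheduled job and alert on a non-zero exit; a status of 1 is the point at which to renew the EMS certificate and re-run execute fctems verify on the FortiGate.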
Notes:
- Always make sure to maintain a backup of the original configurations before making any changes.
- Regularly check for certificate expiry dates to prevent unexpected disruptions.
- It is advisable to keep track of notifications from Fortinet for any potential service disruptions or required updates.