dkochhar, Staff
Article Id 361001
Description: This article describes why the status of an EMS connector shows as down for a downstream device in the Security Fabric after upgrading to 7.4.5.
Scope: FortiOS.
Solution

The status of the EMS connector shows as down in the GUI for a downstream FortiGate after upgrading to 7.4.5.

When running the following debug, 'Certificate callback error -1: Error (-1@_check_verify_ems_ca:759)' will be seen in the output:

dia deb reset
diagnose debug app fcnacd -1
diagnose debug enable


[ec_ems_context_submit_work:643] Call submitted successfully.
    obj-id: 0, desc: REST API to get EMS Serial Number., entry: api/v1/system/serial_number.

[__worker_handle_certinfo:292] Certificate callback error -1: Error (-1@_check_verify_ems_ca:759). CMDB error: ems 7 (local.ems) has verifying CN but not CA CN. (_dup_and_check_server_cert_cn_ca,876) (_duplicate_and_check_server_certificate,960)Failed to handle server certificate CN and verifying CA.
[ec_ez_worker_process:400] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"

The problem occurs because the downstream device does not have the CA certificate saved in its configuration, so it cannot verify the EMS server certificate against the CA that the root FortiGate trusts.

Workaround: enable 'fabric-ca' on the root FortiGate for the CA certificate used for the EMS connection, so that the certificate is synchronized to the Security Fabric:

config vpn certificate ca
    edit <cert used for EMS>
        set fabric-ca enable
    next
end

After enabling it on the root FortiGate, the certificate will be pushed to the downstream device and the EMS connector will come up.
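As an added illustration (not part of the Fortinet article), the following Python script audits a saved fcnacd debug capture and a FortiOS configuration backup for the condition described above: it flags the EMS CA verification error line and lists CA certificates under 'config vpn certificate ca' that do not have 'fabric-ca' enabled and therefore will not be pushed to downstream devices. The sample debug text and configuration are constructed; the certificate names are placeholders.

```python
import re

# Constructed sample input: the fcnacd debug lines quoted in the article and a
# FortiOS config excerpt. Certificate names are placeholders, not from the article.
SAMPLE_DEBUG = """\
[ec_ems_context_submit_work:643] Call submitted successfully.
[__worker_handle_certinfo:292] Certificate callback error -1: Error (-1@_check_verify_ems_ca:759). CMDB error: ems 7 (local.ems) has verifying CN but not CA CN.
[ec_ez_worker_process:400] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"
"""
SAMPLE_CONFIG = """\
config vpn certificate ca
    edit "EMS_CA_PLACEHOLDER"
        set range global
    next
    edit "OTHER_CA_PLACEHOLDER"
        set fabric-ca enable
    next
end
"""

# Matches the EMS CA verification failure regardless of the source line number after the colon.
EMS_CA_ERR = re.compile(r"Certificate callback error -1: Error \(-1@_check_verify_ems_ca:\d+\)")

def ems_ca_errors(debug_output):
    """Return the 'diagnose debug app fcnacd' lines that carry the EMS CA verification error."""
    return [ln for ln in debug_output.splitlines() if EMS_CA_ERR.search(ln)]

def ca_certs_without_fabric_ca(config_text):
    """List 'config vpn certificate ca' entries that lack 'set fabric-ca enable',
    i.e. CA certificates the root FortiGate will not push to downstream devices."""
    in_block, current, enabled, missing = False, None, False, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn certificate ca":
            in_block = True
        elif not in_block:            # other config blocks are ignored
            continue
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current, enabled = line[5:].strip().strip('"'), False
        elif line == "set fabric-ca enable":
            enabled = True
        elif line == "next" and current is not None:
            if not enabled:
                missing.append(current)
            current = None
    return missing
```

Run it against the output of 'show vpn certificate ca' from the root FortiGate; any name it returns is a CA certificate that downstream devices will not receive until 'fabric-ca' is enabled for it.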