FortiGate
CarlosColombini
Article Id 272097
Description

This article explains one reason why the EMS Security Fabric connector may be down after the EMS Server is upgraded to version 7.0.8 or 7.2.1.
The FortiClient EMS Fabric Connector may report the Certificate status as 'Not Authorized' and the Connection status as 'Unknown errors'.

[Image: ems-error.png]

When attempting to authorize it, the error message 'Failed to verify the certificate for server' shown below may be seen.

[Image: ems-error-2.png]

From the CLI console, an unknown error may be reported as below when attempting to verify/authorize the connector.


FortiGate-500D # execute fctems verify <ems name or ems ID>
failure in certificate configuration/verification: -2
Could not verify EMS. Error 1--108-56-0 in get SN call: Unknown error..

Scope

FortiGate with a BIOS version older than 05000004; FortiClient EMS Server version 7.0.8 or later, or 7.2.1 or later.

Solution

Regardless of whether the EMS instance is Cloud or on-premises, starting with EMS Server v7.0.8 and v7.2.1, a FortiGate with a BIOS version older than 05000004 will fail to be authorized by the EMS Server.

The reason is that the EMS Server now accepts only certificates signed with SHA-2 or stronger, while the FortiGate 'Fortinet_Factory' certificate on older devices, which may still run older BIOS versions, is signed with SHA-1.

The following example shows the 'get system status' command being used to retrieve the BIOS version from the FortiGate.

FortiGate-500D # get system status | grep BIOS
BIOS version: 04000003
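As an added example (not Fortinet's code or the article's own), the following Python script implements the two checks this article turns on: the BIOS version read from 'get system status' output compared against 05000004, and the signature-algorithm OID of a DER-encoded certificate (for instance an exported 'Fortinet_Factory') read with a minimal standard-library ASN.1 walker. The sample status text and the two DER certificate shells are constructed, and the function names are assumptions of this example.

```python
import re

MIN_BIOS = 5000004  # BIOS 05000004 is the oldest version the article names as unaffected
# Signature-algorithm OIDs that mean the certificate is SHA-1 signed (RSA and ECDSA variants)
SHA1_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def bios_is_outdated(status_output: str) -> bool:
    """True when the 'BIOS version:' line is older than 05000004 (fixed-width digits, so numeric compare is assumed safe)."""
    m = re.search(r"BIOS version:\s*(\d+)", status_output)
    if not m:
        raise ValueError("no 'BIOS version:' line found in output")
    return int(m.group(1)) < MIN_BIOS


def _tlv(buf: bytes, pos: int):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def _decode_oid(raw: bytes) -> str:
    """Turn OID content bytes into dotted form (first byte packs two arcs, rest are base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the current arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def cert_signature_oid(der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }; return the outer signatureAlgorithm OID."""
    _, pos, _ = _tlv(der, 0)  # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, pos)  # tbsCertificate: skip the whole element
    _, pos, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, start, end = _tlv(der, pos)  # its first field: the algorithm OID
    if tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    return _decode_oid(der[start:end])


def cert_uses_sha1(der: bytes) -> bool:
    """True when the certificate is signed with a SHA-1 algorithm that EMS 7.0.8 / 7.2.1 rejects."""
    return cert_signature_oid(der) in SHA1_OIDS


# Constructed sample input (not real FortiGate output or certificates); the tbsCertificate is an empty SEQUENCE.
SAMPLE_STATUS = "Hostname: fgt-lab\nBIOS version: 04000003\n"
SAMPLE_SHA1_DER = bytes.fromhex("3015 3000 300d06092a864886f70d010105 0500 03020000")
SAMPLE_SHA256_DER = bytes.fromhex("3015 3000 300d06092a864886f70d01010b 0500 03020000")
```

On a real device, export the certificate in DER form and pass its bytes to cert_uses_sha1; a True result together with an outdated BIOS matches the failure this article describes.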

Because a failed BIOS upgrade could leave the device unable to boot, the solution is to replace the FortiGate through the RMA process.