FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
spoojary
Staff
Article Id 275737
Description This article describes the certificate-related errors that may be returned when the command 'diag debug config-error-log read' is run, and how the issue can be resolved.
Scope FortiGate.
Solution

On the CLI, run the following command. After a firmware upgrade, it sometimes returns the errors shown below:

diag debug config-error-log read

Error:

"next" @ 7197:vpn.certificate.local.Fortinet_CA_SSL:failed command (error 1)
"next" @ 7318:vpn.certificate.local.Fortinet_SSL:failed command (error 1)
"next" @ 7456:vpn.certificate.local.Fortinet_SSL_RSA1024:failed command (error 1)
"next" @ 7516:vpn.certificate.local.Fortinet_SSL_RSA2048:failed command (error 1)
"next" @ 7611:vpn.certificate.local.Fortinet_SSL_RSA4096:failed command (error 1)
"next" @ 7651:vpn.certificate.local.Fortinet_SSL_DSA1024:failed command (error 1)
"next" @ 7706:vpn.certificate.local.Fortinet_SSL_DSA2048:failed command (error 1)
"next" @ 7735:vpn.certificate.local.Fortinet_SSL_ECDSA256:failed command (error 1)
"next" @ 7766:vpn.certificate.local.Fortinet_SSL_ECDSA384:failed command (error 1)
"next" @ 7800:vpn.certificate.local.Fortinet_SSL_ECDSA521:failed command (error 1)
"next" @ 7826:vpn.certificate.local.Fortinet_SSL_ED25519:failed command (error 1)
"next" @ 7854:vpn.certificate.local.Fortinet_SSL_ED448:failed command (error 1)
"config" "switch-controller" "dsl" "policy" @ 10984:command parse error (error -61)
Symptoms:

Running the command 'diag debug config-error-log read' returns multiple certificate-related errors.
These errors pertain to the embedded factory certificates being overwritten during the upgrade.
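Before regenerating anything, it is worth checking whether every reported error is the benign factory-certificate case or whether the log also contains unrelated entries (such as the 'switch-controller dsl policy' parse error shown above) that need separate attention. The following Python script is an added example, not part of this article or of FortiOS: it parses pasted output of 'diag debug config-error-log read' and separates the 'failed command' entries on built-in Fortinet_* certificates from everything else. The line format and the vpn.certificate.local.Fortinet_ prefix are taken from the output shown above; the sample input is constructed from it.

```python
import re
from typing import NamedTuple

# Constructed sample input: lines as this article shows them from
# 'diag debug config-error-log read', as an administrator would paste them.
SAMPLE_OUTPUT = """\
"next" @ 7197:vpn.certificate.local.Fortinet_CA_SSL:failed command (error 1)
"next" @ 7318:vpn.certificate.local.Fortinet_SSL:failed command (error 1)
"next" @ 7826:vpn.certificate.local.Fortinet_SSL_ED25519:failed command (error 1)
"config" "switch-controller" "dsl" "policy" @ 10984:command parse error (error -61)
"""

# Each line has the shape
#   "<token>" ["<token>" ...] @ <config line>:<object path>:<message> (error <code>)
# The "<object path>:" part is present for "failed command" entries but absent
# for parse errors, which only carry the message.
LINE_RE = re.compile(
    r'^(?P<tokens>(?:"[^"]*"\s*)+)@\s*(?P<line>\d+):(?P<rest>.*?)\s*'
    r'\(error\s*(?P<code>-?\d+)\)\s*$'
)

# Built-in certificates created at the factory all sit under this path prefix.
FACTORY_CERT_PREFIX = "vpn.certificate.local.Fortinet_"


class ConfigError(NamedTuple):
    tokens: tuple   # quoted CLI tokens, e.g. ("config", "switch-controller", ...)
    line: int       # line number in the configuration file
    path: str       # object path, or the config branch derived from the tokens
    message: str    # "failed command", "command parse error", ...
    code: int       # numeric error code


def parse_config_error_log(text):
    """Parse raw output into ConfigError records; reject lines that do not fit."""
    errors = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        m = LINE_RE.match(raw)
        if m is None:
            raise ValueError(f"unrecognised config-error-log line: {raw!r}")
        tokens = tuple(re.findall(r'"([^"]*)"', m.group("tokens")))
        rest = m.group("rest")
        if ":" in rest:
            path, message = rest.rsplit(":", 1)
        else:
            # No object path: describe the branch by the tokens after "config".
            path = " ".join(tokens[1:]) if tokens and tokens[0] == "config" else ""
            message = rest
        errors.append(ConfigError(tokens, int(m.group("line")), path,
                                  message.strip(), int(m.group("code"))))
    return errors


def is_factory_cert_error(err):
    """True for a 'failed command' on a built-in Fortinet_* certificate."""
    return err.message == "failed command" and err.path.startswith(FACTORY_CERT_PREFIX)


def triage(text):
    """Split the log into factory-certificate errors and everything else."""
    errors = parse_config_error_log(text)
    cert_names = [e.path.rsplit(".", 1)[-1] for e in errors if is_factory_cert_error(e)]
    other = [(e.path, e.message, e.code) for e in errors if not is_factory_cert_error(e)]
    return {"factory_cert": cert_names, "other": other}


def only_factory_cert_errors(text):
    """True when every reported error is the certificate case this article covers."""
    result = triage(text)
    return bool(result["factory_cert"]) and not result["other"]


if __name__ == "__main__":
    summary = triage(SAMPLE_OUTPUT)
    print("factory certificate errors:", ", ".join(summary["factory_cert"]))
    for path, message, code in summary["other"]:
        print(f"needs separate review: {path!r}: {message} (error {code})")
```

If only_factory_cert_errors() returns True, the regeneration steps in the Solution below are the appropriate fix; any entry listed under "other" comes from a different part of the configuration and should be investigated on its own.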
Solution:

  1. Diagnosis Steps:

    • Check the FortiGate version.
    • Determine whether the errors appeared after configuration or after a firmware upgrade.

  2. Resolution:

    The command triggering the errors seems to be 'default-ssl-key-certs'. To reset the values and correct any error that occurred during the upgrade, follow these steps:

    1. Log in to the FortiGate CLI.

    2. Execute the following commands in sequence:

execute vpn certificate local generate default-ssl-ca
execute vpn certificate local generate default-ssl-ca-untrusted
execute vpn certificate local generate default-ssl-key-certs
execute vpn certificate local generate default-ssl-serv-key

    3. Confirm the execution of each command as prompted.

    4. Reboot the FortiGate device.

    These commands regenerate the factory certificates, so a Fortinet_CA_SSL that was previously exported to clients (for example for SSL deep inspection) will need to be exported to them again after regeneration.

  3. Additional Recommendations:

    If the errors persist, consider performing a reformat and clean install to check whether the same error messages still appear.
