Troubleshooting Tip: Cannot access GUI after upgrading firmware version and get 'Certificate file and private key file are mismatched' message with Fortinet_GUI_Server

caunon · ‎07-16-2024

Description

This article describes that sometimes, when upgrading the firmware version, it is not possible to access the GUI but it is possible to access SSH and console ports.' The certificate file and private key file are mismatched' error message appears.

Scope

FortiGate v7.x

Solution

This issue can be detected in the crashlogs if the following lines are seen:

FGT # diag debug crashlog read

4: 2024-07-19 19:44:26 <00211> Node.JS restarted: (uncaught exception)
5: 2024-07-19 19:44:26 <00211> Error: error:05800074:x509 certificate routines::key values mismatch

Run the CLI commands below to check and see that it shows the result of the 'Certificate file and private key file are mismatched' message following the details:

FGT # execute vpn certificate local verify Fortinet_GUI_Server

Certificate modulus:

Modulus=EAC9D54C00AC9DEC3363B93C707AD8D2891EA35471F4C034256DF71E6C53DA82AA28188FDB6DA8F520FA547C28A43E4C61ACE49EF40A424C675FC1FEFD3E0E49D58A62528472B8A5C475366EB9AC6E08A18CCB5197D80FB37CBEFB0BFEDEF418C622AD843A2BFB64A5AAA31C26E99178B8E23E22CC619032C30EC004EDFA4D999898F31195894058ED063B1670C13184EAFB44B60D748AE7C21E561436179CCF99E5872324BCF9DFF34121F06A501262BEF311280726D4A92B61D1B7150262BAA9F5C240E900184A95B330E5FFCD46E770D6AC4BAC52516731DC64D52397A0FF3E419684B4977BDAF9ED7D2EF7B1B38C45E04EBEA3ACFB131B543678CB24F5B16CB77720513ED28DFCC8C25D233E7CB09454AB96ABDB22F1E0EE64BE692B7A191BCB0F4CAC9D3D34A517EBDBF49F7354B87A12129CDBF3DD0C3A3F8C10EEBE8CA6A3A0BA938E1D943F9B189B123D05D1AFE5A989FBCFC0FB2A422EB1BA58D9373F2B9A2BA0DA9AE259FE4148946D47DD228B37C69B28F21EC18F1C60D98D945F5DDAB76F8CEA968609AF5F355F910F31F93BEE4E4B154E68DDFC4C5361FC1E4949F2C9DFEED0F5313554C6E6A8360169B2A5CB5C1B43C7D97DD72DE3156D3B08FD340DBDE13DBEC5058012AFD24B4494885F812B367B6FE0AC9CDC0FBCCD2EC91993EE7F64D1718B204332CA572F075EF6F1CEB20306AD115F69528E32735B83

File update time: 2024-07-15 19:45:59

Private key modulus:

Modulus=A9E59292A9B50A9C4E707EBEC598F29523E61FD140BE6298D6094DB1012B64CD2B2B8385CE49054402C9CA21D26EDFC1B76AC83AA813674E3E9D79BB1AF38DF8DC461FAD265E5361F171F3AB9250B805AB4FE537B32B7282268F235F0ABD65C965BC870C9180F0424CF3FD644635913385F33BF6D5F6C34536E7991E2B7829ADC7A1D52D695CD2A6F891F3BE1EEFAFC71D1EE32DBF6D7BD8AF51E843162A1260AC8D2C356336E5E54CDB70AD69D08419188A556EFAE9D992AD9388B092D4BB840DB853EDCAC375FC3A1AD16AD0EFD775482E5A8028506C3FA70CA3F1F6165CE5564F73D8E9100DCCE26B13E58AAC8655404D1C9368CF5B78FB022A3465EA21FB9259B1182AF679892323DE9D0B0585245E8A80C0BF530AD602D270CDFE0C1269782115861137996F33649ACC9B02A9BA97B4F25A8DE0A5ECF93487AAE2D3D75F9A1CF18040BFE6BA43747FC49E050E70276A5CC2916B3B1EF13FD0C64E82713020151F2419ACE2CBFDAA980EC89228D67DCD79C034916D54C225DCBC353B0448B4C0D0D1E9A386A0CFCA3D16DEFE357C4627B9BEAF2AE3A261299B5D9F51E005B61EDD541D7386309FD084E7AF7DA500AB7A8711CE126E75ADF31C00B0D2FE7AB3614348634D4088630EF06F766BAB33744AD7729663A29694B5E83EC18E71281515DCB9D981C6D9CCA890F6BB2B1EED62DA45775D192C35EA8C62E79F53DB05

File update time: 2024-07-15 19:45:59

Certificate file and private key file are mismatched.

FGT #

If it shows the result from the CLI commands above with 'Certificate file and private key file are mismatched', run the CLI commands below to fix the issue:

FGT # execute vpn certificate local generate default-gui-mgmt-cert

Are you sure to re-generate the default GUI admin-server certificate?

Do you want to continue? (y/n)y

Certificate generation started, Please check it in a while.

FGT #

Wait and run the CLI commands below to double-check the result again:

FGT # execute vpn certificate local verify Fortinet_GUI_Server

Certificate modulus:

Modulus=B158CB45EBE275BFE6CB8BE5BBC0815E640AD1086FF5BCCDA548211F7FBD7B3758214A7399A73608EF76AF770DC3828D967CBC4581ED0334E9E3CAC6536F2A59999C70CA65696C64F44B52DD12F780A7D04C1C44D9DC05C50828D9B6C14C702A63BA7E63A8AD999989B45A13FF5A3B21137CDAD1395567A689BFC739CF415E233B6ADA2F182E94051FE10EA4A7EC99355B6F54F04BCA7AF4A817D09EA37A9F8F4DED06FAD85B10F56CD658546E17F8A87E66DFAD2ACB81A2268176C1F3023B4296C3B63EAAD5B90F57EBA9C810EDA3BE9BA349169B2BCFE083D31DA93C76000D7DE7A6B3BC5F5517DE65F7926172D31BA7FA402D6167AA69D07CF57F20295CA16C10FE9D9D60F7B6277AFA161AB1CF46CCA73BD0B8C219ACB7A2B0BBCAE1B0D1B94DC9808E6F66BEC7ADEBAA8DB65A63659B6406722AE717B9F7240927A9F885A06AEBEA21D381BE7C0A8A79F0D57BD823AC1B0BD14DAA08901DABE44E7395ED8E04A12B8148B01ABC03C7388944530014EE45616A9F9A7DC8CD2F5D8B33ADC4C0A86BEDD1460315BA390C0500249A21E1C334229AAA21971B946D9D71D7BD557423AD6B949BD8551EC83442AD5D0D4BBD051ABFFF152CF5D732745898618C5A4D66F83FA21A5BB8A7FC487C4D7A5B08CDADA054ECD39A453D39F1E1A4C1D6AEFCB2310599D963A6270C6A2B8E56DBB9C0C9300AC308F7E9EBDF6902824FE6BF

File update time: 2024-07-16 19:19:45

Private key modulus:

Modulus=B158CB45EBE275BFE6CB8BE5BBC0815E640AD1086FF5BCCDA548211F7FBD7B3758214A7399A73608EF76AF770DC3828D967CBC4581ED0334E9E3CAC6536F2A59999C70CA65696C64F44B52DD12F780A7D04C1C44D9DC05C50828D9B6C14C702A63BA7E63A8AD999989B45A13FF5A3B21137CDAD1395567A689BFC739CF415E233B6ADA2F182E94051FE10EA4A7EC99355B6F54F04BCA7AF4A817D09EA37A9F8F4DED06FAD85B10F56CD658546E17F8A87E66DFAD2ACB81A2268176C1F3023B4296C3B63EAAD5B90F57EBA9C810EDA3BE9BA349169B2BCFE083D31DA93C76000D7DE7A6B3BC5F5517DE65F7926172D31BA7FA402D6167AA69D07CF57F20295CA16C10FE9D9D60F7B6277AFA161AB1CF46CCA73BD0B8C219ACB7A2B0BBCAE1B0D1B94DC9808E6F66BEC7ADEBAA8DB65A63659B6406722AE717B9F7240927A9F885A06AEBEA21D381BE7C0A8A79F0D57BD823AC1B0BD14DAA08901DABE44E7395ED8E04A12B8148B01ABC03C7388944530014EE45616A9F9A7DC8CD2F5D8B33ADC4C0A86BEDD1460315BA390C0500249A21E1C334229AAA21971B946D9D71D7BD557423AD6B949BD8551EC83442AD5D0D4BBD051ABFFF152CF5D732745898618C5A4D66F83FA21A5BB8A7FC487C4D7A5B08CDADA054ECD39A453D39F1E1A4C1D6AEFCB2310599D963A6270C6A2B8E56DBB9C0C9300AC308F7E9EBDF6902824FE6BF

File update time: 2024-07-16 19:19:45

Certificate file and private key file are matched.

FGT #

It will show the result with 'Certificate file and private key file are matched' Message. Try then to access to the FortiGate GUI again, it should work.