Description | This article describes how to troubleshoot an issue where the FortiGate’s FortiClient EMS fabric connector is showing down with the error 'EMS certificate not authorized'. |
Scope | FortiGate, FortiClient EMS. |
Solution |
This error occurs when the EMS certificate cannot be validated against a remote CA. The first step is to ensure that all the certificates in the chain of trust are installed on the FortiGate. For instructions on installing the certificates, see FortiGate HTTPS/SSL Certificate Installation (PFX, PKCS12 and PEM).
If the certificates have already been installed and the error still appears, run the fcnacd debug to determine the cause of the issue.
diagnose debug application fcnacd -1
diagnose debug enable
Check for the following error:
[__worker_handle_certinfo:292] Certificate callback error -1: Error (-1@_check_verify_ems_ca:759). CMDB error: ems 1 (ems.domain.com) has verifying CN but not CA CN. (_dup_and_check_server_cert_cn_ca,876) (_duplicate_and_check_server_certificate,960)Failed to handle server certificate CN and verifying CA.
This can be resolved in two ways.
config endpoint-control fctems
    edit <id>
        set verifying-ca <certificate>
    next
end

config endpoint-control fctems
    edit <id>
        set trust-ca-cn [enable|disable]
    next
end
For more information about how the trust-ca-cn setting works, see the documentation: Allow FortiClient EMS connectors to trust EMS server certificate renewals based on the CN field.
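One way to pick this condition out of a saved fcnacd debug capture, as an added example that is not part of the original article or Fortinet's tooling. The function names are hypothetical, the filler lines in the sample are constructed, and treating the number after "ems" as the fctems entry id is an assumption.

```python
import re
from collections import Counter

# Matches the CMDB error text shown in the article's fcnacd debug output.
CN_ERROR = re.compile(
    r"CMDB error: ems (?P<ems_id>\d+) \((?P<server>[^)]+)\) "
    r"has verifying CN but not CA CN"
)
# Matches the leading "[function:line]" tag of an fcnacd debug line.
TAG = re.compile(r"^\[(?P<func>\w+):(?P<line>\d+)\]")


def find_cn_without_ca(debug_text):
    """Return one finding per debug line reporting a verifying CN with no CA CN."""
    findings = []
    for lineno, raw in enumerate(debug_text.splitlines(), start=1):
        m = CN_ERROR.search(raw)
        if not m:
            continue
        tag = TAG.match(raw.strip())
        findings.append({
            "capture_line": lineno,
            "reported_by": tag.group("func") if tag else None,
            # Assumption: the number after "ems" is the fctems entry id.
            "ems_id": int(m.group("ems_id")),
            "server": m.group("server"),
        })
    return findings


def summarize(findings):
    """Collapse repeated errors to a count per (ems_id, server) pair."""
    return Counter((f["ems_id"], f["server"]) for f in findings)


# Constructed capture: the error text is the one quoted in the article, seen
# twice as on a retry; the filler lines are made up for the example.
SAMPLE = """\
(constructed filler) connecting to EMS
[__worker_handle_certinfo:292] Certificate callback error -1: Error (-1@_check_verify_ems_ca:759). CMDB error: ems 1 (ems.domain.com) has verifying CN but not CA CN. (_dup_and_check_server_cert_cn_ca,876) (_duplicate_and_check_server_certificate,960)Failed to handle server certificate CN and verifying CA.
(constructed filler) retrying
[__worker_handle_certinfo:292] Certificate callback error -1: Error (-1@_check_verify_ems_ca:759). CMDB error: ems 1 (ems.domain.com) has verifying CN but not CA CN.
"""

if __name__ == "__main__":
    for (ems_id, server), n in summarize(find_cn_without_ca(SAMPLE)).items():
        print(f"ems {ems_id} ({server}): verifying CN set without CA CN, seen {n}x")
```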
Non-Root FortiGate Cannot Set verifying-ca in Security Fabric
Attempting to set `verifying-ca <certificate>` on a non-root FortiGate results in the error: 'Modification not allowed unless 'configuration-sync' is set to 'local''.
Solution Steps:
Note: Verify the correct CA certificate by checking the serial number when selecting 'Authorize' on the non-root FortiGate.
|
Copyright 2025 Fortinet, Inc. All Rights Reserved.