iskandar_lie
Staff
Article Id 243126

Description

This article explains how to troubleshoot a FortiGuard update failure on a FortiGate that produces the 'Server certificate failed verification' warning, and how to check whether a failed hardware certificate is responsible.

Scope

FortiGate.

Solution

FortiGate may fail to fetch an update from FortiGuard for multiple reasons. This article focuses on certificate issues.

Follow this step-by-step process to isolate the problem.

  1. Check internet connection and DNS resolution:

execute ping guard.fortinet.net

execute ping service.fortiguard.net

execute ping update.fortiguard.net

If connectivity and DNS resolution are working as expected, each host replies to the ping. If so, move on to step 2.

  2. Perform a debug-enabled update to check which process fails during the update.

diag debug reset

diag debug application update 1

diag debug enable

exec update-now    <----- Triggers the update process and produces the debug output. Let it run for around 1 minute.

To disable and deactivate the debug process:

diag debug disable

diag debug application update 0

diag debug reset

If FortiGate is in multi-VDOM mode, the update must be run from the global VDOM.

Example output:

__upd_peer_vfy[331]-Server certificate failed verification. Error: 19 (self signed certificate in certificate chain), depth: 1, subject: /C=US/ST=California/L=Sunnyvale/O=Fortinet/OU=Certificate Authority/CN=support/emailAddress=support@fortinet.com.

ssl_connect_fds[392]-Failed SSL connecting (5,0,Success)

upd_comm_connect_fds[476]-Failed SSL connect

upd_act_HA_contract_info[779]-Error updating FSCI -1

The error shows that a failed certificate verification is the cause of the problem. Next, run a diagnosis on the hardware certificates:

diag hardware certificate

Checking Fortinet_CA.cer integrality ........Passed

Checking Fortinet_Factory.cer integrality ........Passed

Checking Fortinet_Factory.cer key-pair integrality ........Passed

Checking Fortinet_Factory.cer Serial-No. ........[Not Matched]

Checking Fortinet_Factory.cer timeliness ........Passed

Checking Fortinet_Factory.key integrality ........Passed

The [Not Matched] certificate is the root cause.

To fix this, download the highlighted certificate and open it:

[Screenshot: downloading the highlighted certificate]

When the certificate is opened, its 'Issued to' information will most likely be missing. This field contains the FortiGate serial number of the device.

[Screenshot: certificate details with the 'Issued to' field empty]

To solve this issue, perform a fresh install of the OS:

Technical Tip: Installing firmware from system reboot

Always verify the downloaded OS with checksum validation to confirm the security and integrity of the installer:

Technical Tip: How to verify downloaded firmware checksum

For a High Availability firewall, the step-by-step process to solve the issue is similar:

  1. Perform 'diag hardware certificate' on both firewalls.
  2. It may be necessary to fail over to the other device, because only the master unit performs the update. In this case, isolate which device has the certificate issue by following the process above.
  3. As in the solution above, perform a fresh install of the OS on the affected device. See the attached .pdf file for step-by-step instructions on breaking and rebuilding an HA cluster.
  4. Verify that the certificate bundle version is up to date on both units using the following command:

diagnose autoupdate versions | grep -A7 'Certificate Bundle'

The Result line can report different outcomes, as in the two command outputs below:

Certificate Bundle
---------
Version: 1.00052
Contract Expiry Date: n/a
Last Updated using manual update on Thu Oct 10 17:45:00 2024
Last Update Attempt: Tue Oct 22 06:48:32 2024
Result: Connectivity failure  <--- make sure this is updated

Or:

Certificate Bundle
---------
Version: 1.00052
Contract Expiry Date: n/a
Last Updated using manual update on Thu Oct 17 14:54:47 2024
Last Update Attempt: Tue Oct 22 10:17:34 2024
Result: No Updates  <----- Make sure this is updated.
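As an added example that is not part of the article, the following Python script parses the three outputs discussed above (the `__upd_peer_vfy` debug line, the 'diag hardware certificate' listing and the 'Certificate Bundle' section returned by the grep'd 'diagnose autoupdate versions' command), so that the same checks can be applied to output collected from several units, such as both members of an HA cluster. The sample outputs are constructed to mirror the article's listings, and the function and constant names are this example's own.

```python
import re
# Constructed samples modelled on the outputs quoted in the article (not captured from a real unit).
HW_CERT_OUTPUT = """\
Checking Fortinet_CA.cer integrality ........Passed
Checking Fortinet_Factory.cer integrality ........Passed
Checking Fortinet_Factory.cer key-pair integrality ........Passed
Checking Fortinet_Factory.cer Serial-No. ........[Not Matched]
Checking Fortinet_Factory.cer timeliness ........Passed
Checking Fortinet_Factory.key integrality ........Passed
"""
BUNDLE_OUTPUT = """\
Certificate Bundle
---------
Version: 1.00052
Contract Expiry Date: n/a
Last Updated using manual update on Thu Oct 10 17:45:00 2024
Last Update Attempt: Tue Oct 22 06:48:32 2024
Result: Connectivity failure
"""
DEBUG_OUTPUT = ("__upd_peer_vfy[331]-Server certificate failed verification. Error: 19 "
                "(self signed certificate in certificate chain), depth: 1, subject: /O=Fortinet/CN=support")

CHECK_RE = re.compile(r"^Checking (?P<file>\S+) (?P<check>.+?) \.+(?P<status>.+)$")
BUNDLE_KEY_RE = re.compile(r"^(Version|Contract Expiry Date|Last Update Attempt|Result):\s*(.*)$")
PEER_VFY_RE = re.compile(r"Server certificate failed verification\. Error: (\d+) \((.+?)\)")

def failed_hardware_checks(output):
    """Return (file, check, status) for every 'diag hardware certificate' line not marked Passed."""
    failures = []
    for line in output.splitlines():
        m = CHECK_RE.match(line.strip())
        if m and m.group("status").strip() != "Passed":
            failures.append((m.group("file"), m.group("check"), m.group("status").strip()))
    return failures

def needs_reinstall(hw_output):
    """The article maps a Serial-No. mismatch on the factory certificate to a fresh OS install."""
    return any(check == "Serial-No." and status == "[Not Matched]"
               for _, check, status in failed_hardware_checks(hw_output))

def bundle_status(output):
    """Extract the keyed fields of the 'Certificate Bundle' section (expects the grep -A7 output)."""
    matches = (BUNDLE_KEY_RE.match(line.strip()) for line in output.splitlines())
    return {m.group(1): m.group(2).strip() for m in matches if m}

def peer_verify_error(debug_output):
    """Return (verification error code, reason) from the __upd_peer_vfy debug line, or None."""
    m = PEER_VFY_RE.search(debug_output)
    return (int(m.group(1)), m.group(2)) if m else None
```

Feed each function the text captured from the corresponding command on every unit; a non-empty failure list, a Result other than success, or a non-None verify error points at the certificate path described above.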

 

If the certificate mentioned above is present on both units in the cluster and the certificate checks show 'Passed' with the commands above, it is recommended to reboot the primary and secondary devices. Wait for a while, and the issue will be fixed.

Related articles:

Technical Tip: Failed to contact FortiGuard servers due to unknown CA

Technical Tip: How to check most updated security version database on FortiGate