Description | This article describes the steps to follow when the standby unit of an HA cluster is not accessible via HTTPS after an upgrade from FortiOS 7.4.3. |
Scope | FortiOS up to v7.2.11, v7.4.4 and v7.6.0. |
Solution |
While upgrading from FortiOS 7.4.3 to another FortiOS version, the secondary FortiGate in an HA cluster that uses an HA Reserved Management Interface can become inaccessible via HTTPS.
SSH and console port access are not affected.
This issue can be caused by a mismatch between the certificate file and the private key file on the secondary firewall of the HA cluster.
To verify the issue, first run the following command to check whether the FortiGate is using a customized or the default certificate for GUI access:
FGT1 # show full-configuration system global | grep "admin-server-cert"
Next, run the following command on both the primary and the secondary firewall:
FGT1 # exec vpn certificate local verify Fortinet_GUI_Server
The secondary firewall can also be accessed from the CLI of the primary firewall to run this command.
On the secondary unit, the output will include a 'Certificate file and private key file are mismatched' message, preceded by the certificate modulus details, similar to this:
FGT2 # exec vpn certificate local verify Fortinet_GUI_Server
Run the following CLI command to fix the mismatch by regenerating the certificate:
FGT2 # execute vpn certificate local generate default-gui-mgmt-cert
Certificate generation started, Please check it in a while.
FGT2 #
Wait a short while, then run the following CLI command to verify:
FGT2 # exec vpn certificate local verify Fortinet_GUI_Server
The output will now show 'Certificate file and private key file are matched'. Try to access the standby unit's GUI again; it should now be accessible.
This issue cannot be reproduced when the upgrade is performed from v7.4.4.
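The check that 'exec vpn certificate local verify' performs, reproduced offline with OpenSSL as an added example (not from this article or from Fortinet): the RSA modulus in the certificate is compared with the modulus of the private key, a mismatched pair is detected, and regenerating the pair is shown to clear it. File names, the constructed test data and the 'stale key' scenario are assumptions.

```shell
#!/bin/sh
# Added example: offline equivalent of the FortiOS certificate/private key
# consistency check. Exit status of cert_key_match:
#   0 = certificate public key matches the private key
#   1 = mismatched (the state seen on the secondary unit after the upgrade)
#   2 = either file could not be parsed
cert_key_match() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# Prints the same messages FortiOS shows for the two outcomes.
report() {
    if cert_key_match "$1" "$2"; then
        echo "Certificate file and private key file are matched"
    else
        echo "Certificate file and private key file are mismatched"
    fi
}

# Constructed test data (assumption): a self-signed GUI certificate with its
# own key, plus an unrelated key standing in for a stale key on the secondary
# unit. Prints the working directory so callers can reference the files.
make_demo_pair() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Fortinet_GUI_Server" \
        -keyout "$d/gui.key" -out "$d/gui.crt" >/dev/null 2>&1
    openssl genrsa -out "$d/stale.key" 2048 >/dev/null 2>&1
    echo "$d"
}

# Regenerates certificate ($1) and key ($2) as a fresh matching pair, the
# offline counterpart of 'execute vpn certificate local generate default-gui-mgmt-cert'.
regenerate_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Fortinet_GUI_Server" \
        -keyout "$2" -out "$1" >/dev/null 2>&1
}

# Walk through the article's scenario: detect the mismatch, regenerate, re-verify.
d=$(make_demo_pair)
report "$d/gui.crt" "$d/stale.key"
regenerate_pair "$d/gui.crt" "$d/stale.key"
report "$d/gui.crt" "$d/stale.key"
```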
|