Description | This article describes how to troubleshoot the fcnacd error: 'Certificate user does not have access to global.'. |
Scope | FortiGate. |
Solution |
Debugging fcnacd:
diagnose debug reset
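The complete capture sequence that produces fcnacd debug output, added here as a worked example and not taken from the original article. It uses standard FortiOS debug commands; the '#' lines are annotations, not commands, and the sequence assumes CLI access to the FortiGate:

```text
# Clear any earlier debug filters and turn on fcnacd debugging at all levels
diagnose debug reset
diagnose debug application fcnacd -1
diagnose debug enable

# Trigger an EMS connection attempt (for example, save the EMS fabric
# connector or wait for the next keepalive) and read the output

# Stop the capture and clear the debug settings when done
diagnose debug disable
diagnose debug reset
```

Leaving 'diagnose debug enable' active on a production unit floods the console, so disable and reset it as soon as the output has been collected.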
Sample fcnacd debug output. Note that the connector resolves the global FQDN 'ems.fortinet.com' rather than a tenant subdomain:
[ec_ez_worker_base_prep_resolver:374] Outgoing interface index 0 for 1 (ems.fortinet.com).
[__get_ec_fctems_certificate_info:431] ems cert ca_cn: C = DE, ST = Hamburg, L = Hamburg, O = Fortinet, CN = EOS IT Services Internal Server Issuing CAxaaspfems01.eos.lcl
[__get_ec_fctems_certificate_info:432] ems cert fingerprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
[__match_server_cert_key:487] verify_peer_method: 4
[__match_server_cert_key:505] ret=1
[ec_ez_worker_process:368] Processing call for obj-id: 0, entry: "api/v1/system/serial_number"
This error occurs when EMS is running in multi-tenant mode and the FortiGate EMS connector is not configured with the domain name that multi-tenant EMS requires.
The most common cause is entering only the global FQDN in the EMS connector settings, as in the debug output above, where the connector resolves the global FQDN 'ems.fortinet.com'. The connection is then handled by the 'global' site instead of the intended tenant site, and EMS rejects it with the 'does not have access to global' error.
The domain name must instead be the tenant-specific FQDN:
<tenant-name>.<global-fqdn>
Important Note: the FortiGate must be able to resolve this tenant subdomain through its configured DNS servers. If the name does not resolve, the connector cannot reach EMS at all, so check name resolution before looking for certificate or tenant problems.
In the following example, the EMS server is configured in multi-tenant mode. When multitenancy is first enabled there are two sites: 'global', where global settings are set and viewed, and 'default'. In this example an additional site named 'office' has been created.
To create a fabric connector for the 'office' tenant, the domain name must be 'office.ems.fortinet.com', not the global FQDN 'ems.fortinet.com'.
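The misconfiguration and its correction expressed in the FortiGate CLI, added here as an example and not part of the original article. The connector name "ems" is an assumption, and the 'config endpoint-control fctems' syntax shown follows FortiOS 7.0; newer releases index entries numerically and set the name with 'set name', and the availability of the 'diagnose endpoint fctems test-connectivity' command depends on the FortiOS release. The '#' lines are annotations, not commands:

```text
# Wrong: only the global FQDN is given, so multi-tenant EMS answers
# 'Certificate user does not have access to global'
config endpoint-control fctems
    edit "ems"
        set server "ems.fortinet.com"
    next
end

# Correct: <tenant-name>.<global-fqdn> for the tenant site 'office'
config endpoint-control fctems
    edit "ems"
        set server "office.ems.fortinet.com"
    next
end

# Check that the FortiGate can resolve the tenant subdomain at all
execute ping office.ems.fortinet.com

# Then test the connector itself (command availability varies by release)
diagnose endpoint fctems test-connectivity ems
```

If the ping step fails to resolve the name, fix DNS on the FortiGate (or add the tenant record on the DNS server) before re-testing the connector; a correct tenant FQDN that does not resolve still leaves the connector down, just with a different error.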
|