FortiManager
amalik
Staff
Article Id 339971
Description This article describes how to resolve a scenario in which FortiManager HA does not form or does not synchronize when a custom certificate that carries SAN (subjectAltName) values is in use.
Scope v6.4.0, 7.0.0, 7.2.0, 7.4.0 and above.
Solution

With HA debugging enabled on the FortiManager, the following errors are printed while the peers try to establish the HA connection:
2024-06-17 16:47:51 free connection to 172.27.x.x
2024-06-17 16:48:06 accepted connection from 172.27.x.x
[ERROR] client ssl error 1,error:00000001:lib(0)::reason(1), errno=0,Success
[ERROR] accept ha communication fatal error
2024-06-17 16:48:06 free connection to 172.27.x.x
The "client ssl error" shows that the TLS handshake between the HA peers is failing on certificate identity verification, not on transport. When a custom certificate contains both a CN and a SAN extension, HA verifies the peer's identity against the SAN and ignores the CN (the standard X.509 rule: once subjectAltName is present, the CN is not consulted). HA therefore requires the serial number of the relevant FortiManager to be present as one of the SAN values. Existing SAN values do not need to be removed; the requirement is only that the serial number is added to them.
Once the FortiManager serial number has been added to the SAN values and the certificate has been re-issued and re-imported, HA should form and synchronize.
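The following shell script is an added example, not part of the Fortinet article and not Fortinet code. It builds a throwaway self-signed certificate whose SAN carries a FortiManager serial next to the existing DNS names, and then checks the SAN of a certificate file for that serial before the certificate is imported, which is the check worth running before opening an HA case. The serial FMG-VM0A00000001 and the hostname fmg1.example.com are made-up placeholders, and carrying the serial as a DNS-type SAN entry is an assumption of this example; use whatever SAN type the certificate that previously worked on the unit used.

```shell
#!/bin/sh
# Added example (not from the Fortinet article): verify that a custom
# certificate's SAN list contains the FortiManager serial before importing it.
# Placeholders (assumptions, not real values): serial and hostname below.
set -e

FMG_SERIAL="FMG-VM0A00000001"      # placeholder serial, assumption
CERT_CN="fmg1.example.com"         # placeholder CN / existing SAN name

# gen_cert PREFIX EXTRA_SAN: create PREFIX.key / PREFIX.crt, self-signed, with a
# CN and a SAN list that keeps the existing DNS name and adds EXTRA_SAN.
# Requires OpenSSL 1.1.1+ for -addext.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1.key" -out "$1.crt" \
    -subj "/CN=$CERT_CN" \
    -addext "subjectAltName=DNS:$CERT_CN,DNS:$2" >/dev/null 2>&1
}

# san_entries CERTFILE: print one SAN entry per line, e.g. "DNS:fmg1.example.com".
san_entries() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# san_has_serial CERTFILE SERIAL: exit 0 only if "DNS:SERIAL" is an exact SAN
# entry (whole-line match, so a serial embedded in a longer name does not count).
san_has_serial() {
  san_entries "$1" | grep -qx "DNS:$2"
}

# Demo on a throwaway directory: one cert with the serial, one without.
WORK=$(mktemp -d)
gen_cert "$WORK/with-serial" "$FMG_SERIAL"
gen_cert "$WORK/without-serial" "backup.example.com"

for c in with-serial without-serial; do
  if san_has_serial "$WORK/$c.crt" "$FMG_SERIAL"; then
    echo "$c.crt: OK, SAN contains DNS:$FMG_SERIAL; HA identity check can pass"
  else
    echo "$c.crt: MISSING, add DNS:$FMG_SERIAL to the SAN before importing" >&2
  fi
done
```

Run the check against the certificate exported from each HA member before importing it; each unit needs its own serial in its own certificate, because the peer verifies the serial of the unit presenting the certificate.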
