Description
Scope
Solution
The following entries can be found in the general.txt log:
SSL_get_verify_result = 10 - Certificate has expired.
SSL_get_verify_result = 13 - Certificate chain contains a self-signed certificate.
SSL_get_verify_result = 18 - Self-signed certificate in use.
SSL_get_verify_result = 19 - End station is missing the root certificate.
SSL_get_verify_result = 20 - Appliance is missing or has incorrect intermediate certificates installed.
SSL_get_verify_result = 22 - Certificate chain too long.
The messages in detail (apart from success):
SSL_get_verify_result = 10:
Verify certificate expiration by navigating to System -> Settings -> Security -> Certificate Management in the UI.
SSL_get_verify_result = 13 (Persistent Agent that works on macOS):
This is generally not an issue, but the TLS server should not send the root CA certificate (which is self-signed); that certificate has to be present on the client anyway. The agent might log this message, but later agents (10.7.1.9 or above) no longer show it.
SSL_get_verify_result = 18:
The server certificate is a self-signed certificate and has no valid certificate chain.
SSL_get_verify_result = 19:
Verify root certificates on the end station. See the following articles:
SSL_get_verify_result = 22:
Change the 'caTrustDepth' value for the Persistent Agent depending on your certificate chain length.
This refers to the byte size of the whole certificate chain, which happens to be too large. See code 13 as well: the server is not required to send the root CA certificate, because it must already be present on the client.
All verification error codes can be found in the OpenSSL manual.
If the certificate is expired, renew it. See the Renew a Certificate section in the SSL Certificates reference manual.
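To triage a general.txt export quickly, the following added example (not Fortinet code) groups the non-zero SSL_get_verify_result values by code and attaches the note this article gives for each. The timestamped log line layout is an assumption constructed for the sample; only the `SSL_get_verify_result = N` token is taken from the article, and the function and variable names are hypothetical.

```python
import re

# Notes per code, condensed from this article's descriptions.
ARTICLE_NOTES = {
    10: "Certificate has expired: check Certificate Management in the UI and renew it.",
    13: "Chain contains a self-signed certificate: server should not send the root CA.",
    18: "Self-signed certificate in use: server certificate has no valid chain.",
    19: "End station is missing the root certificate: verify root certificates there.",
    20: "Appliance is missing or has incorrect intermediate certificates installed.",
    22: "Certificate chain too long: adjust 'caTrustDepth' for the Persistent Agent.",
}

VERIFY_RE = re.compile(r"SSL_get_verify_result\s*=\s*(\d+)")

def triage(lines):
    """Group non-zero verify results by code, with counts and line numbers."""
    findings = {}
    for lineno, line in enumerate(lines, start=1):
        match = VERIFY_RE.search(line)
        if match is None:
            continue
        code = int(match.group(1))
        if code == 0:  # X509_V_OK in OpenSSL: verification succeeded
            continue
        entry = findings.setdefault(code, {
            "count": 0, "first_line": lineno, "last_line": lineno,
            "note": ARTICLE_NOTES.get(code, "Not covered here: see the OpenSSL manual."),
        })
        entry["count"] += 1
        entry["last_line"] = lineno
    return findings

# Constructed sample log; the line layout is an assumption, not real agent output.
SAMPLE_LOG = """\
2024-01-10 09:00:01 agent connect SSL_get_verify_result = 0
2024-01-10 09:05:12 agent connect SSL_get_verify_result = 19
2024-01-10 09:05:42 agent connect SSL_get_verify_result = 19
2024-01-10 09:07:03 agent connect SSL_get_verify_result = 10
2024-01-10 09:09:30 agent connect SSL_get_verify_result = 21
2024-01-10 09:10:00 heartbeat ok
""".splitlines()

if __name__ == "__main__":
    for code, info in sorted(triage(SAMPLE_LOG).items()):
        print(f"code {code}: {info['count']}x "
              f"(lines {info['first_line']}-{info['last_line']}) {info['note']}")
```

Codes that this article does not list are still reported, with a pointer to the OpenSSL manual instead of a note.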