Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Staff

Created on ‎12-31-2018 11:17 AM Edited on ‎04-23-2025 09:29 PM By Community Manager

Article Id 197960

Technical Tip: Persistent Agent fails to communicate with 'SSL_get_verify_result' log entry

Description

 

This article describes the various 'SSL_get_verify_result' error code values found in the Persistent Agent log 'general.txt' and probable causes for each.
The file location:
Windows: C:\ProgramData\Bradford Networks\general.txt
 

Scope

 

FortiNAC.


Solution

 

Symptom: Persistent Agent is not communicating (unable to scan, receive messages, etc.). 
 
Retrieve the agent debug logs from one of the affected machines. For instructions, refer to the KB articles below.
 

The following entries can be found in the general.txt log:

 

SSL_get_verify_result = 0 - Success.

SSL_get_verify_result = 2 - Unable to get issuer certificate.
SSL_get_verify_result = 3 - Unable to get certificate CRL.
SSL_get_verify_result = 4 - Unable to decrypt certificate’s signature.

SSL_get_verify_result = 5 - Unable to decrypt CRL’s signature.
SSL_get_verify_result = 6 - Unable to decode issuer public key.
SSL_get_verify_result = 7 - Certificate signature failure.

SSL_get_verify_result = 8 - CRL signature failure.

SSL_get_verify_result = 9 - Certificate is not yet valid.

SSL_get_verify_result = 10 - Certificate has expired.

SSL_get_verify_result = 11 - CRL is not yet valid.

SSL_get_verify_result = 12 - CRL has expired.

SSL_get_verify_result = 13 - Format error in certificate’s notBefore field.

SSL_get_verify_result = 14 - Format error in certificate’s notAfter field.

SSL_get_verify_result = 15 - Format error in CRL’s lastUpdate field.

SSL_get_verify_result = 16 - Format error in CRL’s nextUpdate field.

SSL_get_verify_result = 17 - Out of memory.

SSL_get_verify_result = 18 - Self-signed certificate in use.

SSL_get_verify_result = 19 - End stations is missing root certificate.

SSL_get_verify_result = 20 - The issuer certificate of an untrusted certificate cannot be found.

SSL_get_verify_result = 21 - Unable to verify the first certificate.
SSL_get_verify_result = 22 - Certificate chain too long.
SSL_get_verify_result = 23 - The certificate has been revoked.
SSL_get_verify_result = 24 - Invalid CA certificate.
SSL_get_verify_result = 25 - Path length constraint exceeded.
SSL_get_verify_result = 26 - The supplied certificate cannot be used for the specified purpose.
SSL_get_verify_result = 27 - The root CA is not marked as trusted for the specified purpose.
SSL_get_verify_result = 28 - The root CA is marked to reject the specified purpose.
SSL_get_verify_result = 29 - Subject issuer mismatch.
SSL_get_verify_result = 30 - Authority and subject key identifier mismatch.
SSL_get_verify_result = 31 - Authority and issuer serial number mismatch.
SSL_get_verify_result = 32 - Key usage does not include certificate signing.
SSL_get_verify_result = 33 - Application verification failure.

 

The messages in detail (apart from success):

 

SSL_get_verify_result = 10


Verify certification expiration by navigating to System -> Settings -> Security -> Certificate Management in the UI.

 

SSL_get_verify_result = 13

 

(Persistent Agent that works on MACOS):

This is in general no issue, but the TLS server should not send the rootCA (which is self-signed); the certificate has to be present on the client anyway. The agent might throw this message, but later agents, 10.7.1.9 or above, will not show this anymore.

 

SSL_get_verify_result = 18

 

The server certificate is self-signed and has no valid certificate chain.

 

SSL_get_verify_result = 19

 

Verify root certificates on the end station. See the following articles:

Technical Tip: Verify trusted Certificate Authorities on Windows or MacOS

Technical Tip: Persistent Agent MacOS TLS Handshake Issue

 

SSL_get_verify_result = 20

Verify intermediate certificates on the appliance. See Technical Note: Identify missing SSL certificates via administration UI.
 

SSL_get_verify_result = 22

 

Change 'caTrustDepth' value for the Persistent Agent depending on the certificate chain length. 

This refers to the byte size of the whole certificate chain, which happens to be too large. See code 13 as well, no rootCA certificate is required to be sent by the server, it must be present on the client already.

 

All verified error codes can be found in the OpenSSL manual.

 

If the certificate has expired, renew it. See the Renew a Certificate section in the SSL Certificates reference manual.

 

Error 14 usually happens on macOS as Apple requires the certificates to be valid for less than 397 days in total. See this Apple support article for more information. The validity of certificates can be verified from the macOS Agent logs

 

For example:

 

Validity
Not Before: Dec 12 19:28:50 2023 GMT
Not After : Dec 11 19:28:50 2025 GMT

 

Related articles:

Troubleshooting Tip: Troubleshooting the Persistent Agent

Technical Tip: Persistent Agent MacOS TLS Handshake Issue

Troubleshooting Tip: MacOS persistent agent SSL_get_verify_result = 14 

9370
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.