FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 197960

Description

 

This article describes the various 'SSL_get_verify_result' error code values found in the Persistent Agent log 'general.txt' and probable causes for each.
The file location:
Windows: C:\ProgramData\Bradford Networks\general.txt
 

Scope

 

FortiNAC.


Solution

 

Symptom: Persistent Agent is not communicating (unable to scan, receive messages, etc.). 
 
Retrieve the agent debug logs from one of the affected machines. For instructions, refer to the KB articles below.
 

The following entries can be found in the general.txt log:

SSL_get_verify_result = 10 - Certificate has expired.

SSL_get_verify_result = 13 - Certificate chain contains a self-signed certificate.

SSL_get_verify_result = 18 - Self-signed certificate in use.

SSL_get_verify_result = 19 - End station is missing the root certificate.

SSL_get_verify_result = 20 - Appliance is missing or has incorrect intermediate certificates installed.

SSL_get_verify_result = 22 - Certificate chain too long.

SSL_get_verify_result = 0 - Success.

 

The messages in detail (apart from success):

SSL_get_verify_result = 10:
Verify certificate expiration by navigating to System -> Settings -> Security -> Certificate Management in the UI.

SSL_get_verify_result = 13 (Persistent Agent running on macOS):

This is generally not an issue, but the TLS server should not send the root CA certificate (which is self-signed), because that certificate has to be present on the client anyway. The agent might log this message, but later agents, 10.7.1.9 or above, no longer show it.

SSL_get_verify_result = 18:

The server certificate is a self-signed certificate and has no valid certificate chain.

SSL_get_verify_result = 19:
Verify root certificates on the end station. See the following articles:

SSL_get_verify_result = 20:
Verify intermediate certificates on the appliance. See Technical Note: Identify missing SSL certificates via administration UI.

SSL_get_verify_result = 22:

Change the 'caTrustDepth' value for the Persistent Agent according to the length of the certificate chain.

This refers to the byte size of the whole certificate chain, which happens to be too large. See code 13 as well: the server is not required to send the root CA certificate, because it must already be present on the client.

 

All verified error codes can be found in the OpenSSL manual.

 

If the certificate is expired, renew it. See the Renew a Certificate section in the SSL Certificates reference manual.
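
A small triage script for a retrieved general.txt, added here as an example (it is not Fortinet code): it tallies each 'SSL_get_verify_result' value, attaches the probable cause listed in this article, and reports whether the most recent entry still shows a failure. Only the 'SSL_get_verify_result = N' text comes from the article; the timestamp prefix in the sample lines is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Probable causes as listed in this article.
CAUSES = {
    0: "Success",
    10: "Certificate has expired",
    13: "Certificate chain contains a self-signed certificate",
    18: "Self-signed certificate in use",
    19: "End station is missing the root certificate",
    20: "Appliance is missing or has incorrect intermediate certificates",
    22: "Certificate chain too long",
}
UNKNOWN = "not listed in this article, see the OpenSSL manual"
ENTRY = re.compile(r"SSL_get_verify_result\s*=\s*(\d+)")

def triage(lines):
    """Return (Counter of codes seen, most recent code or None)."""
    counts, last = Counter(), None
    for line in lines:
        match = ENTRY.search(line)
        if match:
            last = int(match.group(1))
            counts[last] += 1
    return counts, last

def report(lines):
    """One summary line per code seen, then the state of the latest entry."""
    counts, last = triage(lines)
    out = [f"code {c} x{n}: {CAUSES.get(c, UNKNOWN)}" for c, n in sorted(counts.items())]
    if last is None:
        out.append("no SSL_get_verify_result entries found")
    elif last == 0:
        out.append("latest entry: verification succeeded")
    else:
        out.append(f"latest entry: still failing with code {last}")
    return out

# Constructed sample; the line prefix is an assumption, not the real log format.
SAMPLE = [
    "2024-05-01 09:00:01 :: SSL_get_verify_result = 20",
    "2024-05-01 09:05:01 :: SSL_get_verify_result = 20",
    "2024-05-01 09:10:01 :: connection closed",
    "2024-05-01 09:15:01 :: SSL_get_verify_result = 21",
    "2024-05-01 09:20:01 :: SSL_get_verify_result = 0",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

For a real log, pass the opened file instead of SAMPLE, for example `report(open(path, errors="replace"))`.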

 

Related articles:

Technical Note: Troubleshooting the Persistent Agent.

Technical Tip: Persistent Agent MacOS TLS Handshake Issue.