FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
cmaheu
Staff
Article Id 197960

Description

 

This article describes the various 'SSL_get_verify_result' error code values found in the Persistent Agent log 'general.txt' and probable causes for each.
The file location:
Windows: C:\ProgramData\Bradford Networks\general.txt
 

Scope

 

FortiNAC.


Solution

 

Symptom: Persistent Agent is not communicating (unable to scan, receive messages, etc.). 
 
Retrieve the agent debug logs from one of the affected machines. For instructions, refer to the KB articles below.
 

The following entries can be found in general.txt log:

 

SSL_get_verify_result = 10 - Certificate has expired.

SSL_get_verify_result = 13 - Certificate chain contains a self-signed certificate.

SSL_get_verify_result = 14 - Format error in certificate's notAfter field.

SSL_get_verify_result = 18 - Self-signed certificate in use.

SSL_get_verify_result = 19 - End station is missing root certificate.

SSL_get_verify_result = 20 - Appliance is missing or has incorrect intermediate certificates installed.

SSL_get_verify_result = 22 - Certificate chain too long.

SSL_get_verify_result = 0 - Success.

 

The messages in detail (apart from success):

 

SSL_get_verify_result = 10


Verify certificate expiration by navigating to System -> Settings -> Security -> Certificate Management in the UI.

 

SSL_get_verify_result = 13

 

(Persistent Agent running on macOS):

This is generally not a problem, but the TLS server should not send the root CA certificate (which is self-signed); the certificate has to be present on the client anyway. The agent might log this message, but later agents, 10.7.1.9 or above, no longer show it.

 

SSL_get_verify_result = 18

 

The server certificate is self-signed and has no valid certificate chain.

 

SSL_get_verify_result = 19

 

Verify root certificates on the end station. See the following articles:

 

SSL_get_verify_result = 20

Verify intermediate certificates on the appliance. See Technical Note: Identify missing SSL certificates via administration UI.
 

SSL_get_verify_result = 22

 

Change the 'caTrustDepth' value for the Persistent Agent depending on the certificate chain length.

This refers to the byte size of the whole certificate chain, which is too large. See code 13 as well: the server is not required to send the root CA certificate, because it must already be present on the client.

 

All verified error codes can be found in the OpenSSL manual.

 

If the certificate is expired, renew it. See the Renew a Certificate section in the SSL Certificates reference manual.

 

Error 14 usually happens on macOS, as Apple requires certificates to be valid for less than 397 days in total. See this Apple support article for more information. The validity of certificates can be verified from the macOS Agent logs.

 

For example:

 

Validity
Not Before: Dec 12 19:28:50 2023 GMT
Not After : Dec 11 19:28:50 2025 GMT
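
The following Python script is an added example, not Fortinet code. It counts the failing 'SSL_get_verify_result' codes in an agent log and checks a logged Validity block against the 397-day limit described above. The function names, the sample timestamps and the layout of the lines around each entry are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Probable causes as listed in this article (0 means success).
CAUSES = {
    10: "Certificate has expired",
    13: "Certificate chain contains a self-signed certificate",
    14: "Format error in certificate's notAfter field",
    18: "Self-signed certificate in use",
    19: "End station is missing root certificate",
    20: "Appliance is missing or has incorrect intermediate certificates installed",
    22: "Certificate chain too long",
}
MAX_DAYS = 397  # macOS validity limit quoted in this article for error 14

RESULT_RE = re.compile(r"SSL_get_verify_result\s*=\s*(\d+)")
VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(\w{3}\s+\d{1,2} [\d:]{8} \d{4}) GMT")

def triage(log_text):
    """Return (failure counts per code, validity period in days or None)."""
    codes = Counter(int(m.group(1)) for m in RESULT_RE.finditer(log_text))
    codes.pop(0, None)  # drop successful handshakes
    bounds = {}
    for kind, stamp in VALIDITY_RE.findall(log_text):
        # If several certificates are logged, the last Validity block wins.
        bounds[kind] = datetime.strptime(" ".join(stamp.split()), "%b %d %H:%M:%S %Y")
    days = None
    if {"Before", "After"} <= bounds.keys():
        days = (bounds["After"] - bounds["Before"]).days
    return codes, days

def report(log_text):
    codes, days = triage(log_text)
    lines = [f"code {c} x{n}: {CAUSES.get(c, 'see the OpenSSL manual')}" for c, n in sorted(codes.items())]
    if days is not None and days >= MAX_DAYS:
        lines.append(f"validity {days} days is not less than {MAX_DAYS} (code 14 on macOS)")
    return lines

# Constructed sample. Only the 'SSL_get_verify_result = N' text and the Validity
# block follow the article; the timestamps and line layout are assumed.
SAMPLE = """\
2025-01-07 09:14:02 SSL_get_verify_result = 14
Validity
Not Before: Dec 12 19:28:50 2023 GMT
Not After : Dec 11 19:28:50 2025 GMT
2025-01-07 09:15:02 SSL_get_verify_result = 14
2025-01-07 09:20:41 SSL_get_verify_result = 0
"""
```

Pass the contents of general.txt to report() to get one summary line per failing code. For the Validity example above it also reports a 730-day validity period.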

 

Related articles: