Don't use more than 23 characters for your ADOM name.
Ran into this and wanted to post about it, in case someone else encounters it.
Issue was that doing policy package installs against a FGT the FMG would always want to install a VPN CA certificate, but fail. Even though the certificate would appear to be on the FGT. The failed install log would show something like:
Copy device global objects "vpn certificate ca", "CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate
The problem is that FMG (5.4.1) will automatically create VPN CA certificates based on the ADOM name, the maximum character length for certificates is 35 characters, and it will add "_Internal_CA" to the end of the certificate name. In this case, this was more than 35 characters so the FMG was never able to properly install the cert.
Interesting, both FMG and the FGT showed the actual certificate name was truncated to be the proper length of characters, so some meta field inside FMG was being used against the FGT - not the name you would see in the FMG WebUI.
To fix this I had to:
[ol]
Just renaming the ADOM didn't work - that change didn't trickle down behind the scenes to change the name FMG wanted to use for the certificate.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@montoro - I ran into a similar issue in my lab... In my case the root_CA2 certificate was not being used or referenced anywhere. To resolve the problem I added CA Certificates to view (not enabled by default) and deleted the root_CA2 certificate.
(Policy & Objects > Object Configurations > Tools > Display Options > Advanced > CA Certificates)
[image][/image]
Go back to Device Manager and re-synchronize device settings from the problem FortiGate(s). Once the config status is synchronized you can push the policy package to your FortiGate(s) and you should notice the root_CA2 certificate is no longer being pushed to your devices.
*To manually synchronize the device configuration in the GUI you can open the problematic device > Open Revision History > and select Retrieve Config
[image][/image]
Hope that helps you.
#GNS3 #KVM
Copy device global objects
Post vdom failed: error vpn certificate ca - root_CA2 :-2 - This CA certificate is duplicated.
Basically every FGT has pre-installed Fortinet-Root-CA, So when you manage the FGT from FMG, manager also trying to push the same root CA again as per its global objects settings, which is not needed hence disable the same from FMG so that it does not make any such duplicate attempt to install the same root CA-
Policy & Objects -- > Object Configuration -- > CLI only objects -- > vpn --> certificate --> ca --> select and delete root_CA2
Hi,
I found out where is the problem!
The problem is that you can't see these certificates until you select that you would like to see them in FortiManager:
- Double click your device in FortiManager
- Disply Options
- Under System - select Certificates (you have to choose Customize)
- Now you can choose Certificates in the menu
- Just delete Root2_CA certificate
...and now you can deploy!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.