Hello FortiClient admins
I have two Ubuntu clients with FortiClient 7.4.0 installed.
Both are registered.
The first host can access apps through the ZTNA destination, while the second shows the following error: "No ZTNA client certificate was provided"
Following a quick search I found that the first node has a client certificate "/opt/forticlient/ems_cert.crt", while the second doesn't. "Probably" the certificate was removed due to a previous uninstall with purge.
Tried to unregister the endpoint and re-register it again, but it didn't help.
Any idea on how I can reinstall the client certificate on the host?
Hi @AEK,
This machine worked before, right?
Also, does your machine have a TPM 2.0 chip? You can check the TPM version with this command on ubuntu.
sudo dmesg | grep -i tpm
https://docs.fortinet.com/document/forticlient/7.4.0/linux-release-notes/745986/special-notices
Found in system events that the client certificate was revoked a few days ago (by mistake). That is most probably the reason.
Couldn't find on the EMS GUI how to issue/install a new client certificate on the affected client. Any idea?
Hi @AEK,
Normally, after the relevant certificate is revoked, it should be automatically recreated. It seems like EMS could not redistribute it.
Maybe if you delete FortiClient from the client, deregister the relevant client from EMS, then delete the relevant client's registration from EMS and then re-install it on the client, I think this could fix the situation.
Hi Ozkan
Thanks for the feedback, but it didn't help.
Uninstalled and purged, unregistered, deleted and removed the client ID from the client, then re-installed, but still the same issue: the client certificate is still not present in /opt/forticlient, and the ZTNA status for the endpoint is still shown as "Revoked" in the EMS WebUI.
Hi Ozkan
I think you put your finger on the right root cause.
Here is the output:
[ 0.300457] tpm_tis 00:0b: 1.2 TPM (device-id 0x1B, rev-id 16)
[ 0.313052] tpm tpm0: TPM is disabled/deactivated (0x7)
[ 0.313061] tpm tpm0: tpm_read_log_acpi: TCPA log area empty
[ 0.646143] ima: Error Communicating to TPM chip
[ 0.648535] ima: Error Communicating to TPM chip
[ 0.651548] ima: Error Communicating to TPM chip
[ 0.654174] ima: Error Communicating to TPM chip
[ 0.656532] ima: Error Communicating to TPM chip
[ 0.658530] ima: Error Communicating to TPM chip
[ 0.661517] ima: Error Communicating to TPM chip
[ 0.664498] ima: Error Communicating to TPM chip
Hi @AEK,
The problem is 100% caused by this. FortiClient stores ZTNA certificates in the TPM chip. For security purposes, if there is no TPM 2.0 chip on the machine, unfortunately, it does not generate certificates.
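The check Ozkan describes can be scripted so that the TPM state is classified before anyone starts re-registering endpoints. The script below is an added example and is not part of the thread or of FortiClient; it parses dmesg-style lines like the ones AEK posted, reports whether the kernel saw no TPM, a disabled TPM, a TPM 1.2 or a TPM 2.0, and then combines that with the presence of /opt/forticlient/ems_cert.crt (the path named in the thread). The assumption that a TPM 2.0 shows up in dmesg as "2.0 TPM" (from tpm_tis or tpm_crb) is mine, as is the TPM 2.0 requirement being taken from Ozkan's statement above; the sample log lines are constructed from the output in this thread.

```shell
#!/bin/sh
# Added example, not FortiClient's own tooling: classify the TPM state from
# dmesg-style input and relate it to the ZTNA client certificate prerequisite.

# Constructed sample modelled on the dmesg output posted in this thread.
SAMPLE_DMESG='[    0.300457] tpm_tis 00:0b: 1.2 TPM (device-id 0x1B, rev-id 16)
[    0.313052] tpm tpm0: TPM is disabled/deactivated (0x7)
[    0.646143] ima: Error Communicating to TPM chip'

# Path the thread identified as the ZTNA client certificate on Linux.
EMS_CERT=/opt/forticlient/ems_cert.crt

# tpm_state reads dmesg-style text on stdin and prints exactly one word:
#   none      no TPM-related lines at all
#   tpm1.2    kernel reported a 1.2 TPM (FortiClient needs 2.0)
#   disabled  TPM present but reported disabled/deactivated
#   tpm2.0    kernel reported a 2.0 TPM (assumed "2.0 TPM" dmesg wording)
#   unknown   TPM lines present but version not recognised
tpm_state() {
    input=$(cat)
    if ! printf '%s\n' "$input" | grep -qi 'tpm'; then
        echo none; return 0
    fi
    if printf '%s\n' "$input" | grep -qi '1\.2 TPM'; then
        echo tpm1.2; return 0
    fi
    if printf '%s\n' "$input" | grep -qi 'disabled/deactivated'; then
        echo disabled; return 0
    fi
    if printf '%s\n' "$input" | grep -qi '2\.0 TPM'; then
        echo tpm2.0; return 0
    fi
    echo unknown
}

# check_ztna_prereqs <tpm_state> <cert_path>
# Returns 0 only when a TPM 2.0 was detected and the certificate file exists;
# otherwise prints the first failing prerequisite and returns 1.
check_ztna_prereqs() {
    state=$1
    cert=$2
    if [ "$state" != "tpm2.0" ]; then
        echo "FAIL: TPM state is '$state'; FortiClient will not generate a ZTNA certificate"
        return 1
    fi
    if [ ! -f "$cert" ]; then
        echo "FAIL: $cert is missing; check the endpoint's certificate status in EMS"
        return 1
    fi
    echo "OK: TPM 2.0 present and $cert exists"
    return 0
}

# Stand-alone run against the constructed sample. On a real host use:
#   state=$(sudo dmesg | tpm_state); check_ztna_prereqs "$state" "$EMS_CERT"
state=$(printf '%s\n' "$SAMPLE_DMESG" | tpm_state)
echo "TPM state from sample: $state"
check_ztna_prereqs "$state" "$EMS_CERT" || true
```

On the affected host in this thread the sample yields `tpm1.2`, so the certificate check is never reached; the script fails on the TPM prerequisite first, which is the root cause Ozkan identified rather than an EMS distribution problem.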
Thanks Ozkan.
Your advice was helpful and time saving.