Cannot sync VPN CA certificate from FMG to FGT [FIXED]

ergotherego
Gold Member
2016/11/15 18:50:09 (permalink)

Don't use more than 23 characters for your ADOM name.
 
Ran into this and wanted to post about it, in case someone else encounters it.
 
The issue was that when doing policy package installs against a FGT, the FMG would always want to install a VPN CA certificate but fail, even though the certificate appeared to be on the FGT. The failed install log would show something like:
 
Copy device global objects
"vpn certificate ca", "CUSTOMER-ADOM-NAME-IS-HERE_Internal_CA", id=893, COMMIT FAIL - duplicate
 
The problem is that FMG (5.4.1) will automatically create VPN CA certificates based on the ADOM name and add "_Internal_CA" to the end of the certificate name, while the maximum length for a certificate name is 35 characters. In this case the result was more than 35 characters, so the FMG was never able to properly install the cert.
 
Interestingly, both FMG and the FGT showed the actual certificate name truncated to the proper length, so some meta field inside FMG was being used against the FGT, not the name you would see in the FMG WebUI.
 
To fix this I had to:
 
  1. Purge the ADOM: delete the device and policy package.
  2. Re-create the ADOM using a shorter name (23 characters or less).
  3. Re-add the device and re-import the policy.

Just renaming the ADOM didn't work: that change didn't trickle down behind the scenes to change the name FMG wanted to use for the certificate.
#1
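As an added pre-flight check (not code from the thread or from Fortinet), the script below applies the rule the post describes: FMG builds the certificate name as the ADOM name plus "_Internal_CA", and FortiGate caps certificate names at 35 characters, which is why the ADOM name must stay at 23 characters or less. The naming rule and limit are taken as stated in the post; the "CUSTOMER-ADOM-NAME-IS-HERE" value is the placeholder from the failed install log.

```python
# Added example, not part of the original post: predict the VPN CA certificate
# name FMG will push for an ADOM and flag names FortiGate would have to
# truncate (the situation behind "COMMIT FAIL - duplicate" above).
# Assumptions (from the post): suffix "_Internal_CA", 35-character name limit.
from dataclasses import dataclass

CERT_SUFFIX = "_Internal_CA"     # suffix FMG appends to the ADOM name
FGT_CERT_NAME_MAX = 35           # FortiGate certificate-name length limit
# Longest ADOM name that still fits: 35 - len("_Internal_CA") = 23
ADOM_NAME_MAX = FGT_CERT_NAME_MAX - len(CERT_SUFFIX)


@dataclass
class CertNameCheck:
    adom: str
    full_name: str   # untruncated name FMG tracks internally
    fgt_name: str    # name as it will actually exist on the FortiGate
    fits: bool       # True when no truncation is needed
    excess: int      # characters the ADOM name must lose to fit


def check_adom_name(adom: str) -> CertNameCheck:
    """Return the predicted certificate name and whether FortiGate has to
    truncate it. A truncated name is the mismatch the post describes: FMG keeps
    the full name while the FGT holds the shortened one, so every install
    retries the create and fails as a duplicate."""
    full = f"{adom}{CERT_SUFFIX}"
    truncated = full[:FGT_CERT_NAME_MAX]
    return CertNameCheck(
        adom=adom,
        full_name=full,
        fgt_name=truncated,
        fits=len(full) <= FGT_CERT_NAME_MAX,
        excess=max(0, len(adom) - ADOM_NAME_MAX),
    )


def shorten_adom_name(adom: str) -> str:
    """Suggest a name that fits. Use it before creating the ADOM: the post
    notes that renaming an existing ADOM did not clear the stale name."""
    return adom[:ADOM_NAME_MAX]


if __name__ == "__main__":
    for name in ("test", "CUSTOMER-ADOM-NAME-IS-HERE"):
        r = check_adom_name(name)
        status = "OK" if r.fits else f"TOO LONG by {r.excess}, use {shorten_adom_name(name)!r}"
        print(f"{name!r:30} -> {r.fgt_name!r:40} {status}")
```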
chirag.rao
New Member
Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED] 2018/10/18 23:06:36 (permalink)
I am facing the same problem. The ADOM name does not exceed 35 characters. The ADOM name I am using is test, still I get the same VPN certificate error when pushing a policy. Any suggestions?
 
Regards,
Chirag
post edited by chirag.rao - 2018/10/19 01:23:02
#2
ergotherego
Gold Member
Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED] 2018/10/19 09:26:49 (permalink)
What version of FMG are you running?
 
I haven't run into this issue since then (2 years ago) but the ADOM name could not be longer than 23 characters, to account for the total character length of a certificate (35 characters) when that extra stuff is added on the end.
 
You said the name of your ADOM is "test". Did you rename your ADOM? Renaming my ADOM did not fix it for me, I had to actually delete the ADOM and re-create from scratch with a shorter name.
#3
chirag.rao
New Member
Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED] 2018/10/19 23:04:37 (permalink)
Hi,
 
I really appreciate your prompt response. I am using FortiManager 5.4 as well as FortiGate 5.4. I have not renamed the ADOM name. I created a fresh ADOM named "test" (without quotes), still the issue persists. I tried with/without ADOMs, still the same issue. Kindly advise further.
 
Regards,
 
Chirag
#4
chirag.rao
New Member
Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED] 2018/10/20 07:06:33 (permalink)
Hi,
 
I tried it on a physical FortiGate unit, and it works just fine. It looks like there is some issue while adding a FortiGate VM. I don't know why the certificate error occurs when I push a policy from FortiManager to the FortiGate VM.
 
Errors: 
"Input is not a valid CA certificate. 
F565 (root_CA2) $ set range global
F565 (root_CA2) $ next
The field ca is empty!"
 
I tried the default hostname of FortiGate as well as a short one "F565". This is version 5.6.5. Same issue with 5.4.2 version.
 
Regards,
Chirag
 
#5
hagenaarsp
New Member
Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED] 2018/10/22 23:34:52 (permalink)
I have the same issue, only with version 6.02.
 
Start installing
FW-RZB-01 $ config vpn certificate ca
FW-RZB-01 (ca) $ edit "AVR10_CA2"
FW-RZB-01 (AVR10_CA2) $ set ca "-----BEGIN CERTIFICATE-----
FW-RZB-01 (AVR10_CA2) $ MIIDADCCAeigAwIBAgIgNkI2NkQwMDlCMDMyNDQyRkU0NkE2QjMyRTQ1MTUwQ0Iw
<<
>>>
FW-RZB-01 (AVR10_CA2) $ DG5W6w==
FW-RZB-01 (AVR10_CA2) $ -----END CERTIFICATE-----"
Input is not a valid CA certificate.
FW-RZB-01 (AVR10_CA2) $ set range global
FW-RZB-01 (AVR10_CA2) $ next
The field ca is empty!
node_check_object fail! for ca
Attribute 'ca' MUST be set.
Command fail. Return code 1
FW-RZB-01 (ca) $ end


install and save finished status=FAILED
#6
chirag.rao
New Member
Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED] 2018/10/22 23:42:45 (permalink)
Any version in a VM that worked for you? I tried many versions and I am facing the same issue. When I tried version 6, I was not even able to add a FortiGate device. I asked one of the Fortinet trainers and he said he had never run into such issues. Not sure why I am able to recreate the problem and others are not able to.
 
Team,
 
Please help.
 
Regards,
Chirag Rao
#7
s66jones
New Member
Re: Cannot sync VPN CA certificate from FMG to FGT [FIXED] 2019/06/11 09:11:54 (permalink)
Having the same issue. Has anyone solved it? I am able to add the cert to the firewall directly, but cannot add it through FortiManager.
#8