Versions between 7.2.0–7.2.8 and 7.4.0–7.4.2 have known bugs regarding certificate replacement; upgrading to 7.4.3 or higher is recommended.

3. Troubleshooting Steps

On FortiOS 7.x, you can generate a free Let's Encrypt certificate directly from the GUI. Ensure the use this new certificate.

3. Match the Hostname in Certificate

FortiClient X509 Verify Certificate Failed

This is subtle. You may have a valid certificate from a public CA, but the FortiGate doesn’t send the intermediate.

| Error Text in Logs | Meaning | Quick Fix |
| :--- | :--- | :--- |
| X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN | Self-signed cert used. | Trust cert manually or switch to public CA. |
| X509_V_ERR_CERT_HAS_EXPIRED | Certificate past expiration date. | Renew certificate on FortiGate. |
| X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT | The server cert itself is self-signed. | Same as the self-signed case: trust cert manually or switch to public CA. |
| X509_V_ERR_HOSTNAME_MISMATCH | URL does not match CN/SAN. | Use correct FQDN or regenerate cert. |
| X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY | Intermediate CA missing. | Import full chain on FortiGate. |
| X509_V_ERR_CERT_UNTRUSTED | Root CA not in client trust store. | Import root CA to client machine. |