Scenario:
Make: FortiGate, Fortinet
Model: FortiGate 400E, 100F, 60F, 240D Firewalls
Mode: Graphical User Interface [GUI]
Version: 7.4.3 or above
Description: This article gives a step-by-step method for restoring GUI (HTTP/HTTPS) access to the secondary unit of a Fortinet HA firewall pair when that access stops working after a firmware upgrade to 7.4.3 or above.
Problem
It has been reported that after upgrading the firmware of a Fortinet firewall to 7.4.3 or above, GUI (HTTP/HTTPS) access to the secondary unit of the HA pair stops working. GUI (HTTP/HTTPS) access to the primary unit continues to work after the same upgrade.
Solution
To regain HTTP/HTTPS (GUI) access to the secondary unit of the HA Fortinet firewalls, follow the steps below:
Step1: SSH onto Firewall
SSH to the secondary unit of the HA Fortinet firewall and log in.
Step2: Check Crashlog
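Check the crash log by executing the command shown below. A Node.JS restart with an x509 "key values mismatch" error, as in the sample output, is the symptom to look for.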
edledge-fw # diag debug crashlog read
4: 2025-01-01 19:44:26 <00211> Node.JS restarted: (uncaught exception)
5: 2025-01-01 19:44:26 <00211> Error: error:05800074:x509 certificate routines::key values mismatch
Step3: Certificate Status
Run the CLI command shown below and check whether the output ends with "Certificate file and private key file are mismatched".
edledge-fw # execute vpn certificate local verify Fortinet_GUI_Server
Certificate modulus: Modulus=...
File update time: 2025-01-01 19:44:26
Private key modulus: Modulus=...
File update time: 2025-01-01 19:44:26
Certificate file and private key file are mismatched.
Step4: Default GUI Certificate
If you see the "Certificate file and private key file are mismatched" error, execute the command shown below to install the default GUI certificate.
edledge-fw # execute vpn certificate local generate default-gui-mgmt-cert
Are you sure to re-generate the default GUI admin-server certificate?
Do you want to continue? (y/n)y
Certificate generation started, Please check it in a while.
edledge-fw
Step5: Verify Status
Check the status of the certificate again to confirm that the mismatch has been resolved:
edledge-fw # execute vpn certificate local verify Fortinet_GUI_Server
If you still see the same "Certificate file and private key file are mismatched" error, wait a while and run the command again; the mismatch error should then be gone.
Once the certificate mismatch has been resolved, you can access the secondary firewall via the GUI (HTTPS) again.
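The verify output in Step 3 prints a certificate modulus and a private key modulus before its verdict. The same comparison can be reproduced off the firewall with openssl, as in this added example (not FortiOS code and not part of the original article); the function names, file names and the throwaway RSA key pairs are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration (not FortiOS code): compare the RSA modulus of a
# certificate with that of a private key, using openssl on throwaway files.

# Print "Modulus=<hex>" for a PEM certificate or RSA private key.
modulus_of() {   # $1 = cert|key, $2 = PEM file
    case "$1" in
        cert) openssl x509 -noout -modulus -in "$2" 2>/dev/null ;;
        key)  openssl rsa  -noout -modulus -in "$2" 2>/dev/null ;;
        *)    return 2 ;;
    esac
}

# Return 0 if the key belongs to the certificate, 1 if the moduli differ,
# 2 if either file is missing, unreadable or not RSA.
cert_matches_key() {   # $1 = certificate, $2 = private key
    cert_mod=$(modulus_of cert "$1") || return 2
    key_mod=$(modulus_of key "$2") || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Constructed sample data: a.key with self-signed a.crt, plus unrelated b.key.
make_demo_pair() {   # $1 = existing directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-gui-cert" \
        -keyout "$1/a.key" -out "$1/a.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/b.key" 2048 >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pair "$dir" || { rm -rf "$dir"; return 1; }
    for key in a.key b.key; do
        if cert_matches_key "$dir/a.crt" "$dir/$key"; then
            echo "a.crt + $key: certificate and private key match"
        else
            echo "a.crt + $key: certificate and private key are mismatched"
        fi
    done
    rm -rf "$dir"
}

demo
```

A TLS server handed a certificate and a key whose moduli differ cannot load the pair, which is consistent with the "key values mismatch" exception in the Step 2 crash log.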
Source: Knowledge Base, Lab, FortiGate
EA00174