202003 - Fortinet TLS/SSL Certificate Error
Agent error code #202003 indicates that the agent could not establish a secure connection to the Fortinet device because of a TLS/SSL certificate problem. The connection was rejected before any authentication or API request could take place.
This error is distinct from connection failures (#202000), which indicate the device is not reachable at all. Error #202003 means the device is reachable but the TLS handshake failed due to a certificate issue.
Common causes include:
- The Fortinet device is using a self-signed certificate and the Insecure option is not enabled in Knocknoc
- The device's TLS certificate has expired
- The certificate's hostname does not match the hostname configured in Knocknoc
- The certificate was issued by a private or internal CA that is not trusted by the agent's operating system
- The device is using an outdated TLS version or cipher suite
Steps to Resolve
Enable the Insecure Option (Self-Signed Certificates)
If the Fortinet device uses a self-signed certificate or a certificate from an untrusted CA:
- In the Knocknoc admin interface, navigate to the backend configuration for the affected Fortinet device
- Enable the Insecure option
- Save the configuration
This tells the agent to skip certificate verification. This is common in lab environments and internal deployments where FortiGate or FortiManager uses the factory-default self-signed certificate.
Verify the Certificate (Trusted CA)
If you expect the device to have a valid certificate from a trusted CA:
- Check that the certificate has not expired — view the certificate details in a browser by navigating to the device's management URL
- Verify the certificate's Common Name (CN) or Subject Alternative Name (SAN) matches the hostname configured in Knocknoc
- If the certificate was recently renewed or replaced, ensure the full certificate chain (including intermediate certificates) is installed on the device
Install the CA Certificate on the Agent Host
If the device uses a certificate from an internal or private CA:
- Install the CA's root certificate into the agent host's trusted certificate store
- Restart the Knocknoc agent
- Alternatively, enable the Insecure option as a simpler workaround
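The following triage script is an added example, not Knocknoc's or Fortinet's code; it uses only the Python standard library, and the hostname in the `__main__` block is a constructed placeholder. It reproduces the verified handshake the agent performs with Insecure off, maps OpenSSL's verify result code onto the causes and fixes described above, and then retries without verification to tell a certificate problem from an outdated TLS version or cipher suite (or from a plain reachability failure).

```python
import socket
import ssl
# OpenSSL X509 verify result codes (openssl's x509_vfy.h) mapped to the causes
# and remediation steps in this article.
VERIFY_HINTS = {
    10: "certificate expired: renew it on the FortiGate/FortiManager",
    18: "self-signed leaf cert: enable Insecure, or trust the cert on the agent host",
    19: "self-signed root in chain: install the private CA root on the agent host",
    20: "issuer not trusted locally: install the private CA root on the agent host",
    21: "leaf not verifiable (chain incomplete): install intermediates on the device",
    62: "hostname mismatch: make the Knocknoc hostname match the cert CN/SAN",
}
def classify_failure(exc):
    """Map a handshake exception to the relevant article section. Most specific
    type first: SSLCertVerificationError < SSLError < OSError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)  # set by OpenSSL at handshake time
        hint = VERIFY_HINTS.get(code, "unlisted verify error; inspect the cert by hand")
        return "202003 certificate problem: " + hint
    if isinstance(exc, ssl.SSLError):
        return ("202003 handshake failed with no verify code: "
                "outdated TLS version or cipher suite on the device")
    if isinstance(exc, OSError):
        return "not a certificate problem: device unreachable (see #202000)"
    return "unexpected error: %r" % (exc,)
def probe(host, port=443, timeout=5.0):
    """Verified handshake first (the agent's behaviour with Insecure off); if
    that fails on the certificate, retry unverified to confirm the TLS layer
    itself works, which is what enabling Insecure relies on."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "verified OK; certificate valid until %s" % tls.getpeercert()["notAfter"]
    except Exception as exc:
        verdict = classify_failure(exc)
    if not verdict.startswith("202003 certificate"):
        return verdict
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "%s (unverified %s handshake works)" % (verdict, tls.version())
    except Exception as exc:
        return verdict + "; unverified retry also failed: " + classify_failure(exc)
if __name__ == "__main__":
    print(probe("fortigate.example.internal"))  # constructed placeholder hostname
```

Run it from the agent host so the trust store consulted is the same one the agent uses; a verdict that names the private CA confirms that installing that CA's root (or enabling Insecure) is the right fix.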
Still Having Issues?
We can help you out; contact us at support@knocknoc.io.