Hi,
I'm trying to deploy a local certificate to a Fortigate. The apply does work and the certificate is created, but an error appears when trying to set the certificate as admin-server-cert in the system global settings.
1. create the certificate with terraform
The apply runs through, the certificate is created successfully. The details are correct and the certificate is valid.
2. set the certificate as admin-server-cert
Setting the admin-server-cert via cli fails. The certificate isn't even listed when using the question mark for completion. Manually writing out the set command leads to the following error:
```
fwedd863 # show vpn certificate local wcard
config vpn certificate local
    edit "wcard"
        set password ENC xVTffqdRVFMA9gz.....
        set comments "tf_managed"
    next
end
fwedd863 # config system global
fwedd863 (global) # set admin-server-cert
Available Certificates:
self-sign local
Fortinet_Factory local
Fortinet_Factory_Backup local
fwedd863 (global) # set admin-server-cert wcard
Invalid certificate name wcard
node_check_object fail! for admin-server-cert wcard
value parse error before 'wcard'
Command fail. Return code -651
```
When using the GUI to change the https server certificate, it appears in the drop-down menu but this error message appears in a red banner: "Administration settings failed to save : Input value is invalid."
3. using GUI / CLI to upload certificate
When using the GUI or CLI to create the certificate it is also loaded successfully. The output of "show full vpn certificate local wcard" is identical when creating the certificate with terraform. Also the output of api/v2/cmdb/vpn.certificate/local/wcard is identical for the terraform and manually created certificate.
The difference is I can set the GUI/CLI created certificate as admin-server-cert without a problem.
4. import manual certificate to terraform state
After importing the state of the manually created certificate the following changes are made on the next apply:
```
  # module.management.fortios_vpncertificate_local.cert_wildcard will be updated in-place
  ~ resource "fortios_vpncertificate_local" "cert_wildcard" {
      + acme_domain = ""
      + acme_email = ""
      + ca_identifier = ""
      # Warning: this attribute value will be marked as sensitive and will not
      # display in UI output after applying this change.
      ~ certificate = (sensitive value)
      + cmp_path = ""
      + cmp_server = ""
      + cmp_server_cert = ""
      + comments = "tf_managed"
      + csr = ""
        id = "wcard"
      + ike_localid = ""
        name = "wcard"
      + password = (sensitive value)
      # Warning: this attribute value will be marked as sensitive and will not
      # display in UI output after applying this change.
      ~ private_key = (sensitive value)
      + private_key_retain = ""
      + scep_url = ""
      + state = ""
        # (13 unchanged attributes hidden)
    }
```
After applying those changes the certificate still works and can be used as admin-server-cert.
Summary:
When creating the local certificate with terraform, setting it as admin-server-cert fails. Manually creating the certificate and importing the state works.
I assume that the initial object is created differently through terraform as opposed to the GUI/CLI import. There is something missing or invalid with the terraform object, so it can't be used as admin-server-cert.
Please let me know if you need more information or if there is something wrong with the configuration.
Thank you for raising this issue and sorry for the late reply. There is some issue around the resource fortios_vpncertificate_local.
I suggest using fortios_json_generic_api as a workaround, which can be created and applied without any issue (example). Let me know if that doesn't work.
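One way to apply the workaround suggested above, as an added example (not the maintainer's linked example and not the provider's own code): the certificate is imported through `fortios_json_generic_api` and then referenced from `fortios_system_global`. The monitor endpoint path, its JSON field names, the variable name and the file paths are assumptions; check them against the REST API reference for your FortiOS version.

```hcl
# Added example. Assumptions: the import endpoint and its field names
# (type, certname, scope, password, file_content, key_file_content),
# and the placeholder paths certs/wcard.crt and certs/wcard.key.

variable "wcard_key_password" {
  description = "Passphrase protecting the private key (hypothetical variable name)"
  type        = string
  sensitive   = true
}

# Import the certificate and key with a single POST to the monitor API
# instead of creating the object through fortios_vpncertificate_local.
resource "fortios_json_generic_api" "wcard_import" {
  path   = "/api/v2/monitor/vpn-certificate/local/import"
  method = "POST"

  json = jsonencode({
    type             = "regular"
    certname         = "wcard"
    scope            = "global"
    password         = var.wcard_key_password
    file_content     = filebase64("${path.module}/certs/wcard.crt")
    key_file_content = filebase64("${path.module}/certs/wcard.key")
  })
}

# Select the imported certificate for the admin HTTPS GUI. depends_on
# guarantees the certificate exists before the global setting changes.
resource "fortios_system_global" "admin_https" {
  admin_server_cert = "wcard"

  depends_on = [fortios_json_generic_api.wcard_import]
}
```

The request body, including the private key and its passphrase, is stored in the Terraform state, so the state backend needs encryption at rest and restricted access.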
FortiOS 7.0.12
fortinetdev/fortios v1.18.0