Alex Debugs!

FortiClient EMS ZTNA: No Matching Rule Found

2026/07/06 — alex — Fortinet Cert LetsEncrypt

Problem: Users report that the FortiClient wont let them connect to ZTNA services

Discussion: If you are using a Let's Encrypt certificate for your FortiClient EMS server, you might have recently seen your
FortiGate's Fabric Connector drop offline with the error EMS certificate not trusted. This breaks ZTNA proxy-policy matching because
the FortiGate can no longer sync endpoint posture tags from EMS.

Here is why this is happening and how to get your ZTNA deployment back online.

The Let's Encrypt Gen Y Shift

In early 2026, Let's Encrypt migrated to their new "Generation Y" certificate hierarchy. Depending on your key type, Let's Encrypt now issues certificates from entirely new root authorities:

  • For ECDSA keys: The chain is now Your Cert -> YE1 / YE2 -> ISRG Root YE.
  • For RSA keys: The chain is now Your Cert -> YR1 / YR2 -> ISRG Root YR.

Because Root YE and Root YR are new, they do not exist yet in many default operating system trust stores, including the firmware of current FortiOS releases.

The Cross-Signed Bridge Problem

To maintain compatibility for older devices, Let's Encrypt provides a cross-signed "bridge" certificate. For example, Root YE is cross-signed by the older, widely trusted ISRG Root X2. Modern web browsers easily trace this path back to X2 and trust the connection.

However, the FortiOS certificate path-building engine is stricter. When it evaluates the longer chain and sees an unfamiliar intermediate explicitly named Root YE, it often fails to traverse the bridge to the trusted X2 root. It simply drops the TLS connection to EMS, marking the clients as offline.

The Fix: Manually Trusting the New Roots

Step-by-step fix:

  1. Download the self-signed ISRG Root YE (or ISRG Root YR, depending on your cert) directly from the Let's Encrypt chain of trust page. https://letsencrypt.org/certificates/
  2. In the FortiGate GUI, navigate to System -> Certificates.
  3. Import the downloaded root certificate as an CA Certificate.
  4. Navigate to Security Fabric -> Fabric Connectors and refresh your EMS connection.

By placing Root YE directly into the FortiGate's local trust store, you turn it into a primary Trust Anchor. The FortiGate stops checking the rest of the chain because it reached a root it explicitly trusts, bypassing the cross-signed bridge issue entirely.