fortimanager_object_firewall_sslsshprofile – server_cert field fails with multiple certs in replace mode #92

@DanielZhongFN

Description

Hello Fortinet team,

I am attempting to create an SSL/SSH inspection profile using Terraform with multiple certificates in replace mode.

My workflow is:

  • Upload certificates using fortimanager_system_certificate_local.
  • Create dynamic local certificate mappings using fortimanager_object_dynamic_certificate_local.
  • Create the SSL/SSH inspection profile (fortimanager_object_firewall_sslsshprofile).

According to the provider source code and your guidance, the server_cert field is defined as schema.TypeString. For multiple certificates, they must be combined into a comma‑separated string, e.g.:

server_cert = "Fortinet_CA_Untrusted,Fortinet_CA_SSL"
server_cert_mode = "replace"

I tried passing the comma-separated and space-separated string using both:

  • Local certificate names (fortimanager_system_certificate_local.product_certs)
  • Dynamic local certificate mapping names (fortimanager_object_dynamic_certificate_local.product_dynamic_certs)

In both cases, the profile creation fails with:

    Error: Error creating ObjectFirewallSslSshProfile resource:
    err -10: The data is invalid for selected url

Observed behavior:

  • Certificates and dynamic mappings are created successfully.
  • Only the SSL/SSH inspection profile fails to create.
  • GUI allows selecting dynamic local certs, but Terraform provider rejects both dynamic and local cert names.

Expected behavior:

  • The profile should accept a comma‑separated string of certificate names and create successfully in replace mode.

My current code (the DPI-related resource blocks):

SSL/SSH Inspection profile certs

    # Upload one local certificate per product; cert and key come from Key Vault
    resource "fortimanager_system_certificate_local" "product_certs" {
      for_each = var.enable_dpi ? var.products : {}

      provider    = fortimanager.fmgnonprod
      certificate = [data.azurerm_key_vault_secret.ssl_full_chain_certs[each.key].value]
      private_key = [data.azurerm_key_vault_secret.ssl_private_keys[each.key].value]
      name        = "${data.terraform_remote_state.fortigate.outputs.environment}_${each.key}"
      comment     = "Uploaded via Terraform automation"
    }

Dynamic cert mapping

    # Dynamic local certificate object with one mapping per FortiGate VM
    resource "fortimanager_object_dynamic_certificate_local" "product_dynamic_certs" {
      for_each  = var.enable_dpi ? var.products : {}
      provider  = fortimanager.fmgnonprod
      scopetype = "adom"
      adom      = fortimanager_dvmdb_adom.adom.name

      description = "Dynamic local cert for ${each.key}"
      name        = "${data.terraform_remote_state.fortigate.outputs.environment}_${each.key}_dynamic"

      dynamic_sort_subtable = true

      dynamic "dynamic_mapping" {
        for_each = {
          for idx, fgt in data.terraform_remote_state.fortigate.outputs.fortigate_vm_details :
          idx => fgt
        }
        content {
          local_cert = fortimanager_system_certificate_local.product_certs[each.key].name

          _scope {
            name = dynamic_mapping.value.vm_name
            vdom = "root"
          }
        }
      }
    }

SSL/SSH Inspection profile

    # SSL/SSH inspection profile; server_cert is a single TypeString holding all cert names
    resource "fortimanager_object_firewall_sslsshprofile" "dpi_ssl_profile" {
      count     = var.enable_dpi ? 1 : 0
      provider  = fortimanager.fmgnonprod
      scopetype = "adom"
      adom      = fortimanager_dvmdb_adom.adom.name

      name    = "${data.terraform_remote_state.fortigate.outputs.environment}_dpi_ssl_profile"
      comment = "Custom SSL/SSH inspection profile for DPI with dynamic local certs"

      server_cert_mode = "replace"
      # space-separated variant; the comma-separated variant was also tried
      server_cert      = join(" ", [for k, v in fortimanager_system_certificate_local.product_certs : v.name])
      mapi_over_https  = "disable"

      ssl_anomalies_log   = "enable"
      ssl_handshake_log   = "enable"
      ssl_negotiation_log = "enable"
      ssl_server_cert_log = "enable"
      use_ssl_server      = "disable"
      whitelist           = "disable"
    }
