sgursimran
Staff
August 3, 2025

Technical Tip: ACME certificate provisioning on FortiGate HA cluster causes configuration sync issues

Description

This article describes an issue where provisioning an ACME certificate on a FortiGate HA cluster using the ACME protocol causes the cluster to go out of sync.

Scope

FortiOS v7.2.11, v7.2.12, v7.4.8.

Solution

When configuring a new ACME certificate on a FortiGate HA cluster running an affected firmware version, the email field in the ACME account configuration is incorrectly left empty. Because this is not a valid configuration, the secondary unit fails to apply it, and the cluster goes out of sync.

Since the root cause is an invalid configuration that the secondary cannot apply, neither recalculating the HA checksums nor restarting the synchronization process restores the sync status to 'in-sync':

execute ha synchronize start
diagnose sys ha checksum recalculate

The 'email' attribute sent to the secondary unit is an empty string, which cannot be configured, so the HA cluster remains out of sync.

Manually configuring the missing entries under config system acme and config accounts on the secondary unit is not possible, because these settings are generated automatically on the primary unit.

config system acme
    set interface "port1"
    config accounts
        edit "ACME-.letsencrypt.org-0000"
            set status "valid"
            set ca_url "https://acme-v02.api.letsencrypt.org/directory"
        next
    end
end

In the output below, the Email field is empty: the address used for the ACME-provisioned local certificate is not shown.

get system acme acc-details
== [ ACME-.letsencrypt.org-0000 ]
ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/*******
Status: valid
Email:
Private Key: -----BEGIN PRIVATE KEY-----
.
.
-----END PRIVATE KEY-----

This matches a known issue reported under bug 1170282 for FortiOS v7.2.11, v7.2.12, and v7.4.8, listed in the FortiOS v7.4.8 Release Notes.


This issue has been resolved in:
v7.2.14 (no estimated release date as of March 20 2026)
v7.4.9 (available to download from the Fortinet Support portal).
These timelines for firmware release are estimated and may be subject to change.

Workaround:

Restore the missing configuration on the primary unit in the HA cluster following the steps below.

  1. Identify the email address used in the ACME-provisioned local certificate by running the command:

show vpn certificate local | grep -f acme-email

config vpn certificate local
    edit "ACME_VPN_CERT"
        set comments "<>"
        set enroll-protocol acme2
        set acme-domain "vpn.fortigate1.example.com"
        set acme-email "email@example.com"   <---
    next
end

  2. Note the ACME account details, including the decrypted private key:

get system acme acc-details

== [ ACME-.letsencrypt.org-0000 ]
        ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
        Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/123456789
        Status: valid
        Email:        <--  this will be replaced with the email retrieved from acme-email
        Private Key: -----BEGIN PRIVATE KEY----- [...]

  3. Manually update the account information with the email address as it appears in the local certificate configuration:

diagnose sys acme add-account "ACME-.letsencrypt.org-0000" "https://acme-v02.api.letsencrypt.org/acme/acct/123456789" "https://acme-v02.api.letsencrypt.org/directory" "valid" "email@example.com" "-----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY-----"

Warning! Manually adding erroneous account information can cause the ACME client to work improperly. Do you want to continue? (y/n) Y

Ensure the details passed to the add-account command match the intended configuration, including the email address found in the acme-email field of the local certificate. The arguments are given in the same order as the acc-details output: account name, account URL, ACME CA URL, status, email address, and private key.

Note: If multiple ACME account entries are displayed in the output of get system acme acc-details, make sure the account information is updated manually for each account, for example:

diagnose sys acme add-account "ACME-.letsencrypt.org-0001" "https://acme-v02.api.letsencrypt.org/acme/acct/012345678" "https://acme-v02.api.letsencrypt.org/directory" "valid" "email@example.com" "-----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY-----"

  4. Restart the FortiOS ACME daemon using the following command:

diagnose sys acme restart

Once valid ACME account details have been added, the valid ACME configuration is applied, the HA configuration synchronizes across the cluster, and scheduled ACME certificate renewal works again. This can be verified with the following CLI command:

get system acme acc-details
== [ ACME-.letsencrypt.org-0000 ]
ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/123456789
Status: valid
Email: email@example.com   <---
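As an added example (not Fortinet's code and not part of this article), the following Python script parses pasted copies of the two command outputs used in the workaround, flags every ACME account whose Email field is empty, and builds the matching diagnose sys acme add-account command with the address taken from the local certificate's acme-email field, so the repair can be reviewed before it is typed into the CLI. The two sample outputs, the account URL and the key material are constructed placeholders.

```python
import re
# Constructed sample of "get system acme acc-details" on an affected unit (empty Email line).
ACC_DETAILS = """== [ ACME-.letsencrypt.org-0000 ]
ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/123456789
Status: valid
Email:
Private Key: -----BEGIN PRIVATE KEY-----
MIIE-constructed-placeholder-key-material
-----END PRIVATE KEY-----
"""
# Constructed sample of "show vpn certificate local" for the ACME-enrolled certificate.
LOCAL_CERTS = """config vpn certificate local
    edit "ACME_VPN_CERT"
        set enroll-protocol acme2
        set acme-domain "vpn.fortigate1.example.com"
        set acme-email "email@example.com"
    next
end
"""

def parse_accounts(text):
    """Return one dict per '== [ name ]' section; 'ACME CA URL' becomes acct['acme_ca_url'] etc."""
    parts = re.split(r"^== \[ (.+?) \]\s*$", text, flags=re.M)
    accounts = []
    for name, body in zip(parts[1::2], parts[2::2]):
        acct = {"name": name, "email": ""}
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                acct[key.strip().lower().replace(" ", "_")] = value.strip()
        # The key spans several lines, so capture the full PEM block separately.
        pem = re.search(r"-----BEGIN PRIVATE KEY-----.*?-----END PRIVATE KEY-----", body, re.S)
        acct["private_key"] = pem.group(0) if pem else ""
        accounts.append(acct)
    return accounts

def repair_commands(acc_text, cert_text):
    """Build 'diagnose sys acme add-account' commands for every account whose Email is empty."""
    emails = sorted(set(re.findall(r'set acme-email "([^"]+)"', cert_text)))
    if len(emails) != 1:  # refuse to guess when the local certificates disagree on the address
        raise ValueError("expected exactly one acme-email in local certs, found %r" % emails)
    cmds = []
    for a in parse_accounts(acc_text):
        if a["email"]:
            continue  # account already carries an email; leave it untouched
        cmds.append('diagnose sys acme add-account "%s" "%s" "%s" "%s" "%s" "%s"' % (
            a["name"], a["account_url"], a["acme_ca_url"], a["status"], emails[0], a["private_key"]))
    return cmds
```

The argument order follows the add-account command shown in step 3; with more than one account in the acc-details output, one command is produced per account that still lacks an email.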


Related article:

Troubleshooting Tip: How to fix an HA out of sync issue after importing an ACME certificate from Let's Encrypt