andrejwknd
New Member
September 9, 2025
Question

Let's Encrypt certificates aren't created properly

  • September 9, 2025
  • 6 replies
  • 1730 views

Hi,

I'm having issues generating Let's Encrypt certificates on our FortiGate. We have a connection to Let's Encrypt's ACME server, and DNS was also checked: our subdomain resolves to the correct IP address. The FortiGate also says that the renewal was successful, however the certificate cannot be used in any service (we are generating a cert for SSL-VPN). When you try to view the details of the cert, this is what you get:

get vpn certificate local details SSLVPN

== [ SSLVPN ] ACME details: Status: Unprovisioned
Staging status: The certificate for the managed domain has been renewed successfully and can be used (valid since Mon, 08 Sep 2025 12:32:13 GMT). A graceful server restart now is recommended.

We also tried restarting the FortiGate, no luck.

How can we troubleshoot this?

Thank you in advance!

6 replies

AEK
SuperUser
September 9, 2025

Hi Andre

What is the certificate status on the WebUI? Is it valid or pending?

And what do you see as details when you double-click on it?

AEK
andrejwknd
New Member
September 9, 2025

Hi, the status is unknown, and there are no details when I double click on it.

AEK
SuperUser
September 9, 2025

Did you follow this guide?

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/822087/acme-certificate-support

Also did you open ports 80 and 443 on the WAN interface?

Did you disable the redirect from HTTP to HTTPS?

Did you disable https-redirect in "config vpn ssl settings"?

AEK
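An added pre-flight check for the items in this reply (example code, not from the thread or from Fortinet), meant to be run from a host outside the network: it confirms the subdomain resolves to the expected WAN address, that ports 80 and 443 accept connections, and whether a plain-HTTP request to the ACME challenge path gets redirected to HTTPS. The hostname, WAN IP and challenge token are placeholders; it assumes the FortiGate answers HTTP-01 on port 80 of the SSL-VPN subdomain.

```python
import http.client
import socket
from urllib.parse import urlparse

CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-probe"  # constructed token, not a real one

def resolves_to(hostname, expected_ip):
    """True if an A record for hostname matches the WAN address we expect."""
    try:
        addrs = {a[4][0] for a in socket.getaddrinfo(hostname, 80, socket.AF_INET)}
    except socket.gaierror:
        return False
    return expected_ip in addrs

def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP handshake to host:port completes, i.e. the port is open on the WAN side."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def classify_challenge_response(status, location):
    """Classify the unfollowed reply to a GET on the challenge path over port 80 (status code, Location header or None)."""
    if 300 <= status < 400 and location:
        if urlparse(location).scheme == "https":
            return "redirect-to-https"  # the HTTP-to-HTTPS redirect the reply says to disable
        return "redirect-other"
    if status == 404:
        return "reachable-no-token"  # listener answers; a real token only exists during a live challenge
    if 200 <= status < 300:
        return "serving"
    return "unexpected"

def probe_challenge_path(host, timeout=5.0):
    """GET the challenge path over plain HTTP without following redirects, then classify the answer."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", CHALLENGE_PATH, headers={"Host": host})
    resp = conn.getresponse()
    verdict = classify_challenge_response(resp.status, resp.getheader("Location"))
    conn.close()
    return verdict

if __name__ == "__main__":
    host, wan_ip = "vpn.example.com", "203.0.113.10"  # placeholders, not values from the thread
    print("dns -> wan ip:", resolves_to(host, wan_ip))
    print("80 open:", tcp_reachable(host, 80), "| 443 open:", tcp_reachable(host, 443))
    print("challenge path:", probe_challenge_path(host))
```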
andrejwknd
New Member
September 9, 2025

I did try that, it didn't help. Is there anything else that I could do to troubleshoot?

AEK
SuperUser
September 10, 2025
andrejwknd
New Member
September 11, 2025

Hi, I can't debug it this way because the command

diagnose debug application acmed 7

doesn't work. I tried listing out my applications with:

diagnose debug application ?

and I don't see anything resembling acme or acmed.

The version of my FortiGate is: FortiGate-100E v7.2.6,build1575,230926 (GA.F)

adamsmith12
New Member
September 16, 2025

It looks like the FortiGate is successfully reaching Let's Encrypt and completing the ACME challenge, but the certificate isn't being properly applied to services like SSL-VPN. This can sometimes happen if the certificate isn't set as the default for the VPN interface, or if FortiGate generates a "dummy" cert when the key binding fails. I'd recommend checking whether the certificate is fully imported into Local Certificates with a private key and then reassigning it to the SSL-VPN settings. https://community.fortinet.com/t5/Support-Forum/Lets-Encrypt-cerficiates-aren-t-created-properly/td-p/410158

andrejwknd
New Member
September 17, 2025

Hi Adam! I tried opening the link you sent me, however it seems that it is not working. Could you maybe resend me the link?

carlbidwell
New Member
September 17, 2025

I had the same issue before; in my case it turned out to be a DNS problem. Double-check your FortiGate's DNS settings and make sure outbound HTTP/HTTPS is allowed, that fixed it for me.

andrejwknd
New Member
September 17, 2025

Hi! Thank you for the response. I tried using the default FortiGate DNS servers, and of course the standard Google/Cloudflare servers. It seems that DNS is working. How would I check outbound HTTP/HTTPS?