FortiClient
FortiClient proactively defends against advanced attacks. Its tight integration with the Security Fabric enables policy-based automation to contain threats and control outbreaks. FortiClient is compatible with Fabric-Ready partners to further strengthen enterprises’ security posture.
fatihseyligli
Article Id 389639
Description: This article describes how to resolve Let's Encrypt certificate renewal failures in FortiClient EMS caused by ACME errors.
Scope: FortiClient EMS Linux.
Solution

Description:

When attempting to renew the Let's Encrypt (ACME) SSL certificate on FortiClient EMS, the following error may appear in the logs:

2025-04-04 08:17:52,734 ERROR [PID:88634] [TID:139912824284736] [RID:f034cd6751] errors Traceback (most recent call last):
File "fcm/decorators/errors.py", line 29, in handle_errors
.
fcm.models.acme.acme.Acme.Error: A.C.M.E. Certificate renewal failed. Refer to logs for further information (/var/log/forticlientems/fcm).

Root Cause:

The Let's Encrypt ACME protocol requires the following on FortiClient EMS:

  • Port 80 (HTTP) and port 443 (HTTPS) open to the internet (both inbound and outbound).
  • The EMS Apache service bound correctly to port 443.
  • If either port is blocked, or port 443 is in use by another service, the certificate renewal fails.

Solution:

  • Verify that ports 80 and 443 are open:

Make sure TCP ports 80 and 443 are open for inbound and outbound traffic on the firewall and with the ISP.

  • Run the following command on the EMS server to check whether port 443 is bound correctly:

sudo netstat -tulnp | grep :443

  • If a different application occupies port 443, it has to be stopped or reset.
  • Restarting the Apache service resets its bindings and can free up port 443:

sudo systemctl restart fcmapache

  • After verifying port availability and restarting the Apache service, retry the Let's Encrypt certificate renewal from the EMS interface.
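The port check above is easy to misread by eye when several services listen on the host. The script below is an added example, not Fortinet's own tooling: it parses `netstat -tulnp`-style output and reports whether port 443 is free, held by the EMS Apache, or held by another process. The sample outputs are constructed, and the EMS Apache program name `apache2` is an assumption; pass the real name shown on your EMS host.

```shell
#!/bin/sh
# Added example (not Fortinet's code): classify the TCP 443 listener from
# `netstat -tulnp`-style output. The program name "apache2" is an assumption.

# Constructed sample outputs, not captured from a real EMS host.
SAMPLE_EMS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp6       0      0 :::443                  :::*                    LISTEN      1234/apache2
udp        0      0 0.0.0.0:123             0.0.0.0:*                           777/chronyd'

SAMPLE_CONFLICT='tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4321/nginx'

SAMPLE_FREE='tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      999/postgres'

# listener_on_port <netstat_output> <port>
# Prints the PID/Program field of the first TCP listener on <port>, or nothing.
# Matches both "0.0.0.0:443" and the IPv6 form ":::443"; header and UDP rows
# are skipped because only tcp/tcp6 rows in LISTEN state are considered.
listener_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") { print $7; exit }'
}

# classify_port443 <netstat_output> <ems_program_name>
# Prints one of: free | ems | conflict:<pid/program>
classify_port443() {
    owner=$(listener_on_port "$1" 443)
    if [ -z "$owner" ]; then
        echo free                      # nothing bound: Apache is not up on 443
    elif [ "${owner#*/}" = "$2" ]; then
        echo ems                       # EMS Apache holds the port, as expected
    else
        echo "conflict:$owner"         # another process must be stopped first
    fi
}

# Live run against the local host (root needed for PID/program names),
# only when invoked as:  sudo sh check443.sh --live apache2
if [ "${1:-}" = "--live" ]; then
    classify_port443 "$(netstat -tulnp 2>/dev/null)" "${2:-apache2}"
fi
```

A result of `conflict:<pid/program>` tells you which process to stop before restarting `fcmapache`; `free` means Apache itself is not listening, so the service restart is the next step rather than hunting for a conflicting process.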

Additional Information:

  • EMS keeps ACME-related logs in /var/log/forticlientems/fcm/.
  • Make sure that the system time on the EMS server is properly synchronized (e.g., via NTP) to prevent certificate validation issues.