FortiGate
sgursimran
Staff
Article Id 404537
Description

This article describes an issue where provisioning a certificate through the ACME protocol on a FortiGate HA cluster causes the cluster to go out of sync.

Scope

FortiOS 7.2.11, 7.4.8

Solution

When a new ACME certificate is configured on a FortiGate HA cluster running an affected firmware version, the ACME account entry generated on the primary unit has an empty email field. Because an empty email is not a valid configuration, the secondary unit fails to apply the synchronized entry, and the cluster goes out of sync.

Because the root cause is invalid configuration that the secondary cannot apply, neither restarting synchronization nor recalculating the HA checksums restores the status to 'in-sync':

    execute ha synchronize start
    diagnose sys ha checksum recalculate

The 'email' attribute sent to the secondary unit is an empty string, and the attribute cannot be corrected on the secondary, so the cluster stays out of sync.

 

Manually configuring the missing entries under 'config system acme' > 'config accounts' on the secondary unit is not possible, because these settings are generated automatically on the primary unit and synchronized from it. The generated account entry contains no email line:

    config system acme
        set interface "port1"
        config accounts
            edit "ACME-.letsencrypt.org-0000"
                set status "valid"
                set ca_url "https://acme-v02.api.letsencrypt.org/directory"
            next
        end
    end

 

This matches known issue 1170282 for FortiOS v7.2.11 and v7.4.8, listed in FortiOS v7.4.8 Release Notes.

Workaround:

 

Restore the missing email address on the primary unit of the HA cluster by following the steps below.

 

  1. Identify the email address used by the ACME-provisioned local certificate (the acme-email value) by running the command:

    show vpn certificate local | grep -f acme-email

    config vpn certificate local
      edit "ACME_VPN_CERT"
        set comments "<>"
        set enroll-protocol acme2
        set acme-domain "vpn.fortigate1.example.com"
        set acme-email "email@example.com" <---
      next
    end

  2. Record the ACME account details, including the private key, which this command prints in clear text (treat the captured output as sensitive and do not leave it in session logs or tickets):

    get system acme acc-details

    == [ ACME-.letsencrypt.org-0000 ]
            ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
            Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/123456789
            Status: valid
            Email:        <--- empty; this is the value to be supplied from acme-email
            Private Key: -----BEGIN PRIVATE KEY----- [...]


  3. Re-add the account with the email address exactly as it appears in the local certificate configuration. The arguments are, in order: account name, account URL, CA URL, status, email address, and private key:

    diagnose sys acme add-account "ACME-.letsencrypt.org-0000" "https://acme-v02.api.letsencrypt.org/acme/acct/123456789" "https://acme-v02.api.letsencrypt.org/directory" "valid" "email@example.com" "-----BEGIN PRIVATE KEY----- [...] -----END PRIVATE KEY-----"

    Warning! Manually adding erroneous account information can cause the ACME client to work improperly. Do you want to continue? (y/n) Y

    Ensure the details provided to the add-account command match intended configuration, including the email address found in the acme-email field of the local certificate.

  4. Restart the FortiOS ACME daemon using the following command.

    diagnose sys acme restart

Once valid ACME account details are present, the primary applies the valid ACME configuration, the HA configuration synchronizes from the primary to the secondary, and ACME certificate renewal runs on schedule again. Confirm the result with 'get system ha status' or 'diagnose sys ha checksum cluster', which should show matching checksums on both units.
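The following Python script is an added example, not part of this article or of FortiOS. It takes the captured output of 'show vpn certificate local' and 'get system acme acc-details' (constructed samples below, in the layout shown in the steps above, with placeholder values), flags an ACME account whose Email field came back empty, and builds the 'diagnose sys acme add-account' command with the email taken from the certificate's acme-email setting, in the argument order shown in step 3. It assumes the private key is printed verbatim after 'Private Key:' and refuses to guess when the local certificates carry more than one distinct acme-email, since nothing in the acc-details output ties an account to a certificate.

```python
"""Build the 'diagnose sys acme add-account' repair command from captured FortiOS output.

Added example (not Fortinet's code); sample outputs below are constructed placeholders."""
import re

# Constructed sample of 'show vpn certificate local' (placeholder values).
SHOW_CERT_OUTPUT = """\
config vpn certificate local
    edit "ACME_VPN_CERT"
        set enroll-protocol acme2
        set acme-domain "vpn.fortigate1.example.com"
        set acme-email "email@example.com"
    next
end
"""

# Constructed sample of 'get system acme acc-details' with the empty Email field.
# Assumption: the PEM private key is printed verbatim after 'Private Key:'.
ACC_DETAILS_OUTPUT = """\
== [ ACME-.letsencrypt.org-0000 ]
        ACME CA URL: https://acme-v02.api.letsencrypt.org/directory
        Account URL: https://acme-v02.api.letsencrypt.org/acme/acct/123456789
        Status: valid
        Email:
        Private Key: -----BEGIN PRIVATE KEY-----
MIIBPLACEHOLDERNOTAREALKEY
-----END PRIVATE KEY-----
"""

ACCOUNT_HEADER = re.compile(r"^== \[ (?P<name>.+?) \]$")
CERT_EDIT = re.compile(r'^\s*edit "(?P<name>[^"]+)"')
ACME_EMAIL = re.compile(r'^\s*set acme-email "(?P<email>[^"]+)"')
PEM_END = "-----END PRIVATE KEY-----"
FIELD_KEYS = {"ACME CA URL": "ca_url", "Account URL": "account_url",
              "Status": "status", "Email": "email"}


def parse_acme_emails(show_output):
    """Map each local certificate name to its configured acme-email."""
    emails, cert = {}, None
    for line in show_output.splitlines():
        m = CERT_EDIT.match(line)
        if m:
            cert = m.group("name")
            continue
        m = ACME_EMAIL.match(line)
        if m and cert:
            emails[cert] = m.group("email")
    return emails


def parse_acc_details(acc_output):
    """Return one dict per '== [ name ]' block of 'get system acme acc-details'."""
    accounts, cur, in_key = [], None, False
    for raw in acc_output.splitlines():
        line = raw.strip()
        m = ACCOUNT_HEADER.match(line)
        if m:
            cur = {"name": m.group("name"), "email": "", "private_key": ""}
            accounts.append(cur)
            in_key = False
            continue
        if cur is None:
            continue
        if in_key:  # continuation lines of the PEM block
            cur["private_key"] += "\n" + line
            in_key = line != PEM_END
            continue
        label, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if label in FIELD_KEYS:
            cur[FIELD_KEYS[label]] = value
        elif label == "Private Key":
            cur["private_key"] = value
            in_key = not value.endswith(PEM_END)
    return accounts


def build_add_account(acct, email):
    """Assemble the command in the order the article shows: name, account URL, CA URL, status, email, key."""
    ordered = [acct.get("name"), acct.get("account_url"), acct.get("ca_url"),
               acct.get("status"), email, acct.get("private_key")]
    if not all(ordered):
        raise ValueError("incomplete account details for %r" % acct.get("name"))
    if any('"' in v for v in ordered):
        raise ValueError("a double quote in a value would break CLI quoting")
    return "diagnose sys acme add-account " + " ".join('"%s"' % v for v in ordered)


def repair_commands(show_output, acc_output):
    """Return add-account commands only for accounts whose Email is empty."""
    distinct = set(parse_acme_emails(show_output).values())
    if len(distinct) != 1:  # acc-details does not tie an account to a certificate; refuse to guess
        raise ValueError("expected exactly one acme-email, found %r" % sorted(distinct))
    email = distinct.pop()
    return [build_add_account(a, email) for a in parse_acc_details(acc_output) if not a["email"]]
```

Paste the two captured outputs into the constants and print the result of repair_commands(SHOW_CERT_OUTPUT, ACC_DETAILS_OUTPUT). Accounts that already carry an email are left alone. The private key is kept exactly as captured, line breaks included; whether the FortiGate CLI accepts a multi-line quoted argument or needs the PEM on one line is not stated in the article and should be checked on the unit before relying on the generated command.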

 

Related article:

Troubleshooting Tip: How to fix an HA out of sync issue after importing an ACME certificate from Let...