Article Id 205117

This article describes why the browser shows "not secure" after an ACME certificate is created on FortiGate.


After creating the server certificate for secure administrator login to the FortiGate, the browser shows a "not secure" page.


The browser does not trust the certificate issuer.

Firefox: sec_error_unknown_issuer


On the firewall, the ACME CA URL of the certificate shows staging.






Remove the staging from the certificate:


FortiGate-VM # config vpn certificate local

FortiGate-VM (local) # edit test

# config vpn certificate local
    edit "test"
        set password XXX
        set comments "Renewed with ACME on Wed Oct 27 17:13:11 2021 (UTC)"
        set range global
        set enroll-protocol acme2
        set acme-ca-url  <<<< Remove the staging
        set acme-domain ""
        set acme-email ""




The correct URL looks like: 


This happens because the certificate was created using the Let’s Encrypt staging (test) server, so the certificate created for the domain was issued by a fake CA.

The Let’s Encrypt staging server should be used only to test that the client works and can generate the challenges and certificates. To create a valid certificate, it is necessary to use the right server in the letsencrypt-auto command.


For staging is:




For production is:




If a server is not specified, it defaults to production. To use staging, specify the staging server or use one of these switches (--test-cert or --staging).
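
To find every local certificate that was enrolled against a staging CA, a configuration backup can be checked offline. The script below is an added example, not Fortinet code: the sample configuration is constructed, the two URLs are the ACME v2 directory addresses published by Let's Encrypt (they are not taken from this article), and matching "staging" in the host name is an assumption.

```python
import shlex
from urllib.parse import urlparse

# Constructed sample backup (not from the article).
# The URLs are Let's Encrypt's public ACME v2 directories.
SAMPLE_CONFIG = '''
config vpn certificate local
    edit "test"
        set enroll-protocol acme2
        set acme-ca-url "https://acme-staging-v02.api.letsencrypt.org/directory"
    next
    edit "prod"
        set enroll-protocol acme2
        set acme-ca-url "https://acme-v02.api.letsencrypt.org/directory"
    next
end
'''

def parse_local_certs(config_text):
    """Return {name: {option: value}} for 'config vpn certificate local'."""
    certs, in_section, current = {}, False, None
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. a multi-line private key
            continue
        if not tokens:
            continue
        if tokens[0] == "config":
            in_section = tokens[1:] == ["vpn", "certificate", "local"]
        elif in_section and tokens[0] == "end":
            in_section = False
        elif in_section and tokens[0] == "edit" and len(tokens) == 2:
            current = certs.setdefault(tokens[1], {})
        elif in_section and tokens[0] == "next":
            current = None
        elif in_section and tokens[0] == "set" and current is not None and len(tokens) > 2:
            current[tokens[1]] = " ".join(tokens[2:])
    return certs

def staging_certs(config_text):
    """List (name, url) for ACME certificates enrolled against a staging CA."""
    # Assumption: a staging endpoint has "staging" in its host name.
    return [(name, o["acme-ca-url"]) for name, o in parse_local_certs(config_text).items()
            if o.get("enroll-protocol") == "acme2"
            and "staging" in (urlparse(o.get("acme-ca-url", "")).hostname or "")]

if __name__ == "__main__":
    print(staging_certs(SAMPLE_CONFIG))
```

Entries without an acme-ca-url line are not flagged, so imported certificates are ignored.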


Now check the connection. If the issue is still there, create a ticket through the Fortinet support portal.