|
During provisioning or at the time of renewal of Acme cert FortiGate shows an error message 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory' which indicates that FortiGate is not able to contact the Acme server for renewal /provision.
To confirm this issue , run the following commands in FortiGate CLI:
# get vpn certificate local details Test_acme
ACME details:
Status: Unprovisioned
Staging status: Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.
# diagnose sys acme status-full " Certificate's CN domain"
Example : # diagnose sys acme status-full example.fortinet.com
"status": 70007,
"status-description": "The timeout specified has expired",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from theApache server to the ACME server.
Troubleshooting steps:
Check network reachability to Acme server with a ping test from FortiGate's CLI:
FortiGate-60F (root) # exec ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=59 time=17.2 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=59 time=16.2 ms
If the layer 3 reachability to the Acme server is good as its shown in the above test, confirm which interface is used for listening to the ACME challenges by FortiGate.
Run a sniffer for Acme IP 172.65.32.248 ( confirm the IP from the Ping test done earlier).
# dia sni packet any " host 172.65.32.248 " 4 0 l <----- Letter L.
022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: psh 175404546 ack 2557588747
2022-12-23 11:31:50.644143 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: fin 175404570 ack 2557588747
FortiGate should communicate with Acme servers on the same Internet facing Interface that's being selected under Acme configuration on FortiGate.
FortiGate-60F # show sys acme
config system acme
set interface "wan1"
end
If no traffic for the ACME server is being sent out via the interface that’s being selected under # config system acme, this would be related to Ha-direct feature being used under the # config sys ha.
# config system ha
set group-name "HA-test"
set mode a-p
set password ENC
set hbdev "port3" 0
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port2"
set gateway 10.5.63.254
next
end
set override disable
set ha-direct enable <-----
end
If the ha-direct option is enabled: FortiGate will use the HA reserved management interface for Acme renewal and provisioning.
As the interface selected under # config system acme is different than the HA reserved management interface, Acme communication will not happen.
Note.
HA management interface is a reserved interface and cannot be selected for ACME services.
FortiGate selects HA reserved management interface as an outgoing interface for the feature listed below if HA -direct is enabled:
- Remote logging (including syslog, FortiAnalyzer, and FortiCloud).
- SNMP queries and traps.
- Remote authentication and certificate verification.
- Communication with FortiSandbox.
Solution: Disable the Ha-direct option under # config sys ha
|
