Lovepreet_Dhillon
Article Id 240774
Description

This article describes the troubleshooting steps for ACME certificate renewal/provisioning failures caused by the ha-direct option being enabled in the HA configuration.

Scope

FortiOS 7.0 and above.

Solution

During provisioning or renewal of an ACME certificate, FortiGate shows the error message 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory', which indicates that FortiGate cannot reach the ACME server to renew or provision the certificate.

To confirm this issue, run the following commands in the FortiGate CLI:

# get vpn certificate local details Test_acme
ACME details:
Status: Unprovisioned
Staging status: Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.

# diagnose sys acme status-full <certificate CN domain>

Example: # diagnose sys acme status-full example.fortinet.com
"status": 70007,
"status-description": "The timeout specified has expired",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>. If this problem persists, check the network connectivity from the Apache server to the ACME server."

 

Troubleshooting steps:

Check network reachability to the ACME server with a ping test from the FortiGate CLI:

FortiGate-60F (root) # exec ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=59 time=17.2 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=59 time=16.2 ms

 

If layer 3 reachability to the ACME server is good, as shown in the test above, confirm which interface FortiGate uses for the ACME exchange. Run a sniffer for the ACME server IP 172.65.32.248 (confirm the IP from the ping test done earlier):

# dia sni packet any "host 172.65.32.248" 4 0 l <----- the letter L, not the digit 1.
2022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: psh 175404546 ack 2557588747
2022-12-23 11:31:50.644143 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: fin 175404570 ack 2557588747

 

FortiGate should communicate with the ACME servers through the same Internet-facing interface that is selected under the ACME configuration on FortiGate:

 

FortiGate-60F # show sys acme
config system acme
    set interface "wan1"
end

 

If no traffic to the ACME server is sent out via the interface selected under 'config system acme', the cause is most likely the ha-direct feature being enabled under 'config system ha':

# config system ha
    set group-name "HA-test"
    set mode a-p
    set password ENC
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 10.5.63.254
        next
    end
    set override disable
    set ha-direct enable <-----
end

 

If the ha-direct option is enabled, FortiGate uses the HA reserved management interface for ACME renewal and provisioning.

Because the interface selected under 'config system acme' is different from the HA reserved management interface, the ACME communication never takes place.

 

Note:

HA management interface is a reserved interface and cannot be selected for ACME services.

 

When ha-direct is enabled, FortiGate selects the HA reserved management interface as the outgoing interface for the features listed below:

- Remote logging (including syslog, FortiAnalyzer, and FortiCloud).

- SNMP queries and traps.

- Remote authentication and certificate verification.

- Communication with FortiSandbox.

 

Solution: disable the ha-direct option under 'config system ha'.
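The following script is an added example, not Fortinet code or part of this article. It turns the check described above into an offline configuration lint: it parses the 'show system acme' and 'show system ha' output (the two blocks from this article, embedded as constructed sample text) and reports when ha-direct is enabled, since in that state ACME traffic leaves through the HA reserved management interface rather than the interface configured for ACME. It also extracts the status code from 'diagnose sys acme status-full' output so the timeout (70007, the value shown above) can be recognised programmatically. The function names and the assumption that a 'set' value is its first token are mine.

```python
"""Added example: lint FortiOS config dumps for the ACME / ha-direct conflict."""
import re

# Constructed sample output, mirroring the configuration shown in the article.
SAMPLE_ACME = """\
config system acme
    set interface "wan1"
end
"""

SAMPLE_HA = """\
config system ha
    set group-name "HA-test"
    set mode a-p
    set password ENC
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 10.5.63.254
        next
    end
    set override disable
    set ha-direct enable
end
"""

# Constructed excerpt of 'diagnose sys acme status-full' output for a failed contact.
SAMPLE_STATUS = """\
"status": 70007,
"status-description": "The timeout specified has expired",
"""

ACME_TIMEOUT_STATUS = 70007  # status code shown in the article for the timeout case
SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_fortios_block(text):
    """Parse one FortiOS 'config ...' dump into a dict.

    Top-level 'set' lines become key -> value (first token, quotes stripped, so
    'set hbdev "port3" 0' yields 'port3'). Nested 'config <table>' sections
    become key -> list of dicts, one per 'edit' entry.
    """
    root, stack, tables, seen_root = {}, [], [], False
    stack.append(root)            # dict currently receiving 'set' lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            if not seen_root:     # the outermost 'config system ...' is the root
                seen_root = True
                continue
            entries = []
            stack[-1][line.split(None, 1)[1]] = entries
            tables.append(entries)
        elif line.startswith("edit "):
            entry = {"id": line.split(None, 1)[1].strip('"')}
            tables[-1].append(entry)
            stack.append(entry)
        elif line == "next":
            stack.pop()
        elif line == "end":
            if tables:            # closes a nested table; the root 'end' is a no-op
                tables.pop()
        else:
            m = SET_RE.match(line)
            if m:
                stack[-1][m.group(1)] = m.group(2).split()[0].strip('"')
    return root


def acme_status_code(status_text):
    """Return the integer 'status' field from status-full output, or None."""
    m = re.search(r'"status":\s*(\d+)', status_text)
    return int(m.group(1)) if m else None


def check_acme_vs_ha(acme_cfg, ha_cfg):
    """Return a list of findings; an empty list means no ha-direct conflict."""
    findings = []
    acme_if = acme_cfg.get("interface")
    mgmt_ifs = [e.get("interface") for e in ha_cfg.get("ha-mgmt-interfaces", [])]
    ha_direct = ha_cfg.get("ha-direct", "disable") == "enable"
    mgmt_on = ha_cfg.get("ha-mgmt-status", "disable") == "enable"
    if ha_direct and mgmt_on:
        findings.append(
            f"ha-direct is enabled: ACME traffic will egress via HA management "
            f"interface(s) {mgmt_ifs} instead of ACME interface {acme_if!r}; "
            "set 'ha-direct disable' under 'config system ha'"
        )
    if acme_if in mgmt_ifs:
        findings.append(f"ACME interface {acme_if!r} is an HA reserved management interface")
    return findings


if __name__ == "__main__":
    if acme_status_code(SAMPLE_STATUS) == ACME_TIMEOUT_STATUS:
        print("ACME status indicates a timeout contacting the ACME server")
    for finding in check_acme_vs_ha(parse_fortios_block(SAMPLE_ACME),
                                    parse_fortios_block(SAMPLE_HA)):
        print("FINDING:", finding)
```

Feed the script the real 'show system acme' and 'show system ha' output from the unit in place of the sample strings; once ha-direct is set to disable, check_acme_vs_ha returns no findings.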