Article Id 240774

This article describes the troubleshooting steps for ACME certificate provisioning or renewal failures caused by the HA ha-direct option being enabled.


Scope: FortiOS 7.0 and above.


During provisioning or renewal of an ACME certificate, FortiGate shows the error message 'Unsuccessful in contacting ACME server at', which indicates that FortiGate is not able to reach the ACME server.


To confirm this issue, run the following commands in the FortiGate CLI:


# get vpn certificate local details Test_acme
ACME details:
Status: Unprovisioned
Staging status: Unsuccessful in contacting ACME server at <>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.


# diagnose sys acme status-full "<Certificate's CN domain>"

Example output:

# diagnose sys acme status-full
"status": 70007,
"status-description": "The timeout specified has expired",
"detail": "Unsuccessful in contacting ACME server at <>. If this problem persists, check the network connectivity from the Apache server to the ACME server."


Troubleshooting steps:


Check network reachability to the ACME server with a ping test from the FortiGate CLI:


FortiGate-60F (root) # exec ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=59 time=17.2 ms
64 bytes from icmp_seq=1 ttl=59 time=16.2 ms


If layer 3 reachability to the ACME server is good, as shown in the test above, confirm which interface FortiGate uses to reach the ACME server and listen for the ACME challenges.

Run a sniffer filtered on the ACME server IP (take the IP from the ping test done earlier):


# dia sni packet any "host <ACME server IP>" 4 0 l    <----- the last argument is the letter l (local timestamp format), not the digit 1.

2022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> psh 175404546 ack 2557588747
2022-12-23 11:31:50.644143 wan1 out x.x.x.x.7937 -> fin 175404570 ack 2557588747


FortiGate should communicate with the ACME servers on the same Internet-facing interface that is selected in the ACME configuration on FortiGate:


FortiGate-60F # show sys acme
config system acme
    set interface "wan1"


If no traffic for the ACME server is being sent out via the interface selected under 'config system acme', the cause is likely the ha-direct feature being enabled under 'config system ha':


# config system ha
    set group-name "HA-test"
    set mode a-p
    set password ENC
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway
        next
    end
    set override disable
    set ha-direct enable    <-----
end



If the ha-direct option is enabled, FortiGate uses the HA reserved management interface as the source interface for ACME renewal and provisioning.

Because the interface selected under 'config system acme' is different from the HA reserved management interface, the ACME communication never leaves through the expected interface and the challenge cannot complete.
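The check described above (compare the interface under 'config system acme' with the egress interface seen in the sniffer, then look at ha-direct and the HA management interfaces) can be automated against saved CLI output. The following is an added example, not part of the original article or of FortiOS; the CLI output it parses is constructed to match the shapes shown in this article, and the IP addresses are documentation addresses.

```python
import re

# Constructed sample CLI output (not captured from the article's device), shaped like the
# "show system acme", "show system ha" and "diagnose sniffer packet" output the article shows.
SHOW_ACME = 'config system acme\n    set interface "wan1"\nend\n'
SHOW_HA = (
    'config system ha\n    set mode a-p\n    set ha-mgmt-status enable\n'
    '    config ha-mgmt-interfaces\n        edit 1\n            set interface "port2"\n'
    '        next\n    end\n    set ha-direct enable\nend\n'
)
# Sniffer output filtered on the ACME server IP (documentation addresses, constructed).
SNIFFER_BAD = (
    '2022-12-23 11:31:50.643839 port2 out 192.0.2.10.7937 -> 198.51.100.5.443: psh 175404546 ack 2557588747\n'
    '2022-12-23 11:31:50.644143 port2 out 192.0.2.10.7937 -> 198.51.100.5.443: fin 175404570 ack 2557588747\n'
)
SNIFFER_GOOD = SNIFFER_BAD.replace(' port2 out ', ' wan1 out ')  # same flow leaving wan1

def acme_interface(show_acme):
    """Interface configured under 'config system acme'."""
    m = re.search(r'^\s*set interface "([^"]+)"', show_acme, re.M)
    return m.group(1) if m else None

def ha_direct_enabled(show_ha):
    return re.search(r'^\s*set ha-direct enable\b', show_ha, re.M) is not None

def ha_mgmt_interfaces(show_ha):
    """Interfaces listed in the 'config ha-mgmt-interfaces' sub-table."""
    block = re.search(r'config ha-mgmt-interfaces(.*?)^\s*end\b', show_ha, re.M | re.S)
    return re.findall(r'set interface "([^"]+)"', block.group(1)) if block else []

def egress_interfaces(sniffer):
    """Interfaces on which outbound packets towards the ACME server were captured."""
    return sorted({m.group(1) for m in re.finditer(r'^\S+ \S+ (\S+) out ', sniffer, re.M)})

def diagnose(show_acme, show_ha, sniffer):
    """Classify why ACME traffic does or does not leave the configured interface."""
    wanted, seen = acme_interface(show_acme), egress_interfaces(sniffer)
    if wanted in seen:
        verdict = "ok"
    elif ha_direct_enabled(show_ha) and set(seen) & set(ha_mgmt_interfaces(show_ha)):
        verdict = "ha-direct-conflict"   # the case this article describes
    elif not seen:
        verdict = "no-egress-traffic"    # nothing left towards the ACME server at all
    else:
        verdict = "other-interface"      # routing issue rather than ha-direct
    return {"verdict": verdict, "configured": wanted, "egress": seen}

if __name__ == "__main__":
    print(diagnose(SHOW_ACME, SHOW_HA, SNIFFER_BAD), diagnose(SHOW_ACME, SHOW_HA, SNIFFER_GOOD))
```

Feed it the real 'show system acme', 'show system ha' and sniffer output from the unit being troubleshot; a verdict of ha-direct-conflict points at the fix given at the end of this article.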



The HA management interface is a reserved interface and cannot be selected for ACME services.


When ha-direct is enabled, FortiGate uses the HA reserved management interface as the outgoing interface for the features listed below:

- Remote logging (including syslog, FortiAnalyzer, and FortiCloud).

- SNMP queries and traps.

- Remote authentication and certificate verification.

- Communication with FortiSandbox.


Solution: Disable the ha-direct option under 'config system ha'.