This article describes the troubleshooting steps for ACME certificate renewal or provisioning failures caused by the ha-direct option being enabled.
Scope: FortiOS 7.0 and above.
During provisioning, or when an ACME certificate is due for renewal, FortiGate shows the error message 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory', which indicates that FortiGate cannot reach the ACME server for renewal or provisioning.
To confirm this issue, run the following commands in the FortiGate CLI:
# get vpn certificate local details Test_acme
Staging status: Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.
# diagnose sys acme status-full <certificate CN domain>
Example: # diagnose sys acme status-full example.fortinet.com
"status-description": "The timeout specified has expired",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.
Check network reachability to the ACME server with a ping test from the FortiGate CLI:
FortiGate-60F (root) # exec ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (18.104.22.168): 56 data bytes
64 bytes from 22.214.171.124: icmp_seq=0 ttl=59 time=17.2 ms
64 bytes from 126.96.36.199: icmp_seq=1 ttl=59 time=16.2 ms
If layer 3 reachability to the ACME server is good, as shown in the test above, confirm which interface FortiGate actually uses for ACME communication (the outbound connection to the ACME directory and the interface that listens for the ACME challenges).
Run a sniffer for the ACME server IP 188.8.131.52 (take the IP from the ping test done earlier):
# diagnose sniffer packet any "host 184.108.40.206" 4 0 l <----- the last argument is the lowercase letter L, not the digit 1.
022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> 220.127.116.11.443: psh 175404546 ack 2557588747
FortiGate should send traffic to the ACME servers out of the same Internet-facing interface that is selected under the ACME configuration on FortiGate. Check the configured interface with:
FortiGate-60F # show sys acme
If no traffic to the ACME server leaves through the interface selected under # config system acme, the cause is the ha-direct feature under # config system ha. Check the HA configuration:
# config system ha
set group-name "HA-test"
set mode a-p
set password ENC
set hbdev "port3" 0
set ha-mgmt-status enable
set interface "port2"
set gateway 10.5.63.254
set override disable
set ha-direct enable <-----
When ha-direct is enabled, FortiGate uses the HA reserved management interface for ACME renewal and provisioning.
Because the interface selected under # config system acme is different from the HA reserved management interface, ACME communication does not happen.
The HA management interface is a reserved interface and cannot be selected for ACME services.
When ha-direct is enabled, FortiGate uses the HA reserved management interface as the outgoing interface for the features listed below:
- Remote logging (including syslog, FortiAnalyzer, and FortiCloud).
- SNMP queries and traps.
- Remote authentication and certificate verification.
- Communication with FortiSandbox.
Solution: disable the ha-direct option under # config system ha, so that ACME traffic leaves through the interface selected under # config system acme.
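The checks described above, as an added example that is not part of the Fortinet article: a small offline Python script that parses FortiOS-style 'show system ha', 'show system acme' and sniffer output, reports which interface ACME traffic actually leaves on, and flags the condition the article describes (ha-direct enabled while ACME is configured on a different interface). The configuration text, the sniffer lines and the ACME server IP 192.0.2.10 are constructed samples, and the function names are this example's own, not a FortiOS API.

```python
"""Offline audit for the ACME / ha-direct conflict described in the article.

Added example, not Fortinet code. All sample CLI output below is constructed
in the shape of the FortiOS output quoted in the article.
"""
import re

# Constructed 'show system ha' output with ha-direct enabled (the failing case).
SAMPLE_HA = """\
config system ha
    set group-name "HA-test"
    set mode a-p
    set hbdev "port3" 0
    set ha-mgmt-status enable
    set interface "port2"
    set gateway 10.5.63.254
    set override disable
    set ha-direct enable
end
"""

# Constructed 'show system acme' output: ACME is configured on wan1.
SAMPLE_ACME = """\
config system acme
    set interface "wan1"
end
"""

# Constructed sniffer lines (same layout as 'diagnose sniffer packet ... 4 0 l').
# 192.0.2.10 is a placeholder for the ACME server address, not a real one.
SAMPLE_SNIFFER = """\
2022-12-23 11:31:50.643839 port2 out 10.5.63.10.7937 -> 192.0.2.10.443: syn 175404545
2022-12-23 11:31:50.660102 port2 in 192.0.2.10.443 -> 10.5.63.10.7937: syn 2557588746 ack 175404546
"""

SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')
# date time interface direction src -> dst: flags ...
SNIFF_RE = re.compile(r'^\S+\s+\S+\s+(\S+)\s+(in|out)\s+(\S+)\s+->\s+(\S+):')


def parse_set_lines(text):
    """Collect 'set <key> <values>' lines into a dict, ignoring block nesting.

    Quoted values are unquoted; a key with several values (set hbdev "port3" 0)
    maps to a list, a key with one value maps to a plain string.
    """
    result = {}
    for line in text.splitlines():
        m = SET_RE.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        values = [v.strip('"') for v in re.findall(r'"[^"]*"|\S+', raw)]
        result[key] = values if len(values) > 1 else values[0]
    return result


def as_list(value):
    """Normalise a parsed value to a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_acme_ha_direct(ha_text, acme_text):
    """Flag ha-direct enabled with ACME bound to a non-HA-management interface."""
    ha = parse_set_lines(ha_text)
    acme = parse_set_lines(acme_text)
    ha_direct = ha.get('ha-direct') == 'enable'
    mgmt_if = ha.get('interface') if ha.get('ha-mgmt-status') == 'enable' else None
    acme_ifs = as_list(acme.get('interface'))
    # With ha-direct on, ACME traffic is forced out of the reserved HA
    # management interface, which can never be the ACME interface.
    conflict = bool(ha_direct and mgmt_if and acme_ifs and mgmt_if not in acme_ifs)
    return {
        'ha_direct': ha_direct,
        'ha_mgmt_interface': mgmt_if,
        'acme_interfaces': acme_ifs,
        'conflict': conflict,
    }


def egress_interfaces(sniffer_text, acme_ip):
    """Return the set of interfaces on which packets left ('out') toward acme_ip:443.

    Comparing this with the configured ACME interface shows whether the ACME
    session is really using the HA management interface.
    """
    seen = set()
    for line in sniffer_text.splitlines():
        m = SNIFF_RE.match(line)
        if not m:
            continue
        iface, direction, _src, dst = m.groups()
        dst_ip, _, dst_port = dst.rpartition('.')
        if direction == 'out' and dst_ip == acme_ip and dst_port == '443':
            seen.add(iface)
    return seen


if __name__ == '__main__':
    report = check_acme_ha_direct(SAMPLE_HA, SAMPLE_ACME)
    print('ACME egress interfaces seen:', egress_interfaces(SAMPLE_SNIFFER, '192.0.2.10'))
    print('Configured ACME interfaces:', report['acme_interfaces'])
    if report['conflict']:
        print('ha-direct is enabled: ACME traffic is forced out of', report['ha_mgmt_interface'])
```

On the constructed samples the script reports ACME packets leaving on port2 (the HA management interface) while the ACME configuration names wan1, which is exactly the mismatch the article attributes to ha-direct; re-running the check on the same HA block with ha-direct set to disable clears the finding.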