This article describes the troubleshooting steps related to ACME certificate renewal /provision issues due to HA-direct enabled.
Scope : FortiOS 7.0 and above.
During provisioning or at the time of renewal of Acme cert FortiGate shows an error message 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory' which indicates that FortiGate is not able to contact the Acme server for renewal /provision.
To confirm this issue , run the following commands in FortiGate CLI:
# get vpn certificate local details Test_acme
Staging status: Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.
# diagnose sys acme status-full " Certificate's CN domain"
Example : # diagnose sys acme status-full example.fortinet.com
"status-description": "The timeout specified has expired",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from theApache server to the ACME server.
Check network reachability to Acme server with a ping test from FortiGate's CLI:
FortiGate-60F (root) # exec ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (184.108.40.206): 56 data bytes
64 bytes from 220.127.116.11: icmp_seq=0 ttl=59 time=17.2 ms
64 bytes from 18.104.22.168: icmp_seq=1 ttl=59 time=16.2 ms
If the layer 3 reachability to the Acme server is good as its shown in the above test, confirm which interface is used for listening to the ACME challenges by FortiGate.
Run a sniffer for Acme IP 22.214.171.124 ( confirm the IP from the Ping test done earlier).
# dia sni packet any " host 126.96.36.199 " 4 0 l <----- Letter L.
022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> 188.8.131.52.443: psh 175404546 ack 2557588747
FortiGate should communicate with Acme servers on the same Internet facing Interface that's being selected under Acme configuration on FortiGate.
FortiGate-60F # show sys acme
If no traffic for the ACME server is being sent out via the interface that’s being selected under # config system acme, this would be related to Ha-direct feature being used under the # config sys ha.
# config system ha
set group-name "HA-test"
set mode a-p
set password ENC
set hbdev "port3" 0
set ha-mgmt-status enable
set interface "port2"
set gateway 10.5.63.254
set override disable
set ha-direct enable <-----
If the ha-direct option is enabled: FortiGate will use the HA reserved management interface for Acme renewal and provisioning.
As the interface selected under # config system acme is different than the HA reserved management interface, Acme communication will not happen.
HA management interface is a reserved interface and cannot be selected for ACME services.
FortiGate selects HA reserved management interface as an outgoing interface for the feature listed below if HA -direct is enabled:
- Remote logging (including syslog, FortiAnalyzer, and FortiCloud).
- SNMP queries and traps.
- Remote authentication and certificate verification.
- Communication with FortiSandbox.
Solution: Disable the Ha-direct option under # config sys ha
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.