FortiGate
Kush_Patel
Staff
Article Id 239147

Description

This article describes how to widen the ACME renewal window when 'diagnose sys acme status-full <Certificate-CN>' reports a timeout like the following:

'status-description': 'The timeout specified has expired'.
'detail': 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory.
If this problem persists, check the network connectivity from the Apache server to the ACME server.
Also, some servers might have trouble verifying the certificates of the ACME server.
It is possible to check by attempting a forced contact using the curl command.
Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem.
Apache will continue retrying this.',
'activity': 'Contacting ACME server for <Certificate-CN> at https://acme-v02.api.letsencrypt.org/directory'.

In this message the 'Apache server' is the FortiGate itself, the ACME client that is failing to reach Let's Encrypt.


Scope

FortiGate v7.0+.

Solution

Use the following CLI commands to widen the ACME renewal window, that is, the number of days before certificate expiry at which the FortiGate starts attempting renewal:

config vpn certificate local
    edit <ACME_certificate_name>
        set acme-renew-window 45
    next
end

The default value of 'acme-renew-window' is 30 days (minimum 1, maximum 60). A larger window only starts the renewal attempts earlier and gives the retries more time before the current certificate expires; it does not fix the connectivity problem behind the timeout. If the timeout persists, confirm that the FortiGate can resolve and reach https://acme-v02.api.letsencrypt.org/directory over HTTPS, for example with the curl check the status message suggests, run from a host on the same network path.

Then restart the ACME service with the command below. This immediately triggers a new renewal attempt against the Let's Encrypt servers instead of waiting for the next scheduled retry, so the certificate can be validated and issued:

diagnose sys acme restart
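The script below is an added example for triaging this failure from a workstation; it is not Fortinet code and not part of the original article. It parses the dict-style fields that 'diagnose sys acme status-full' prints (the three field names come from the article; the surrounding nesting, the CN vpn.example.com and all dates are assumptions), recognises the timeout-while-contacting-ACME case, extracts the ACME directory URL the unit was trying to reach, and shows how moving 'acme-renew-window' from 30 to 45 days changes the point at which renewal attempts start relative to certificate expiry. A 'directory_reachable' helper reproduces the curl check the status message suggests; it is only invoked from the main block.

```python
"""Triage helper for the FortiGate ACME timeout discussed in the article.

Added example, not Fortinet code. Status sample, CN and dates are constructed.
"""
import ast
import re
from datetime import date, timedelta
from urllib.error import URLError
from urllib.request import urlopen

LE_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
STATUS_KEYS = ("status-description", "detail", "activity")
RENEW_WINDOW_MIN, RENEW_WINDOW_MAX, RENEW_WINDOW_DEFAULT = 1, 60, 30  # per the article

# Constructed sample modelled on the article's output. The three field names are
# taken from the article; the nesting under 'renewal' is an assumption.
SAMPLE_STATUS = """{
 'name': 'vpn.example.com',
 'renewal': {
  'status-description': 'The timeout specified has expired',
  'detail': 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory. If this problem persists, check the network connectivity from the Apache server to the ACME server. Apache will continue retrying this.',
  'activity': 'Contacting ACME server for vpn.example.com at https://acme-v02.api.letsencrypt.org/directory'
 }
}"""


def _walk(obj):
    """Yield (key, value) pairs from arbitrarily nested dicts and lists."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield k, v
            yield from _walk(v)
    elif isinstance(obj, list):
        for item in obj:
            yield from _walk(item)


def parse_status(text):
    """Return the status fields of interest regardless of how deeply they are nested.

    The device prints single-quoted, Python-style literals, so ast.literal_eval
    handles a complete dump; a regex fallback copes with a partial paste.
    """
    fields = {}
    try:
        for k, v in _walk(ast.literal_eval(text.strip())):
            if k in STATUS_KEYS and isinstance(v, str) and k not in fields:
                fields[k] = v
    except (ValueError, SyntaxError):
        for key in STATUS_KEYS:
            m = re.search(r"'%s':\s*'((?:[^'\\]|\\.)*)'" % re.escape(key), text, re.S)
            if m:
                fields[key] = m.group(1)
    return fields


def is_acme_timeout(fields):
    """True when the status matches the timeout-while-contacting-ACME case."""
    desc = fields.get("status-description", "").lower()
    detail = fields.get("detail", "").lower()
    return "timeout" in desc and "unsuccessful in contacting acme server" in detail


def acme_server_url(fields):
    """Extract the ACME directory URL the unit was trying to reach, if any."""
    text = fields.get("detail", "") + " " + fields.get("activity", "")
    m = re.search(r"https://\S+?/directory", text)
    return m.group(0) if m else None


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def renewal_window(not_after, renew_window_days=RENEW_WINDOW_DEFAULT, today=None):
    """Describe where 'today' sits relative to the ACME renewal window.

    'acme-renew-window' is the number of days before expiry at which renewal
    attempts begin, so a wider window gives failed contacts more time to be
    retried (or the network fixed) before the live certificate lapses.
    """
    if not RENEW_WINDOW_MIN <= renew_window_days <= RENEW_WINDOW_MAX:
        raise ValueError("acme-renew-window must be between %d and %d days"
                         % (RENEW_WINDOW_MIN, RENEW_WINDOW_MAX))
    not_after = _as_date(not_after)
    today = _as_date(today) if today else date.today()
    start = not_after - timedelta(days=renew_window_days)
    return {
        "window_start": start,
        "in_window": start <= today < not_after,
        "days_until_expiry": (not_after - today).days,
        "days_into_window": max(0, (today - start).days),
    }


def directory_reachable(url=LE_DIRECTORY, timeout=10):
    """Equivalent of the curl check: fetch the ACME directory over HTTPS, with
    certificate verification, from this host. Returns (True, http_status) or
    (False, reason); it never raises, so offline use is safe."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return True, resp.status
    except (URLError, OSError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    f = parse_status(SAMPLE_STATUS)
    print("timeout case:", is_acme_timeout(f), "target:", acme_server_url(f))
    for days in (RENEW_WINDOW_DEFAULT, 45):  # assumed expiry and 'today'
        w = renewal_window("2024-03-31", days, today="2024-03-05")
        print("window %2d days -> starts %s, in window: %s, %d days to expiry"
              % (days, w["window_start"], w["in_window"], w["days_until_expiry"]))
    print("directory reachable:", directory_reachable())
```

Run it from a host on the same network path as the FortiGate: if 'directory_reachable' fails there too, the problem is DNS, routing or TLS verification toward Let's Encrypt rather than the renewal window, and widening 'acme-renew-window' only buys time.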