|
The below error can be seen when FortiGate tries to renew the ACME certificate.
The following commands can be run on CLI to get more information on ACME certificate status:
diagnose sys acme status-full <CN of the certificate> <----- Check the 'detail' portion on the top of the output.
get vpn certificate local details <name of the certificate> <----- Verify the information written in front of 'Status' of the output.
3 requirements must be met for ACME to generate/renew the certificate:
- The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address.
- The configured ACME interface must be public-facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS).
- The Subject Alternative Name (SAN) field is automatically filled with the FortiGate DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.
Related documents:
Automatically provision a certificate v7.6
Automatically provision a certificate v7.4
ACME certificate support v7.2
ACME certificate support v7.0
If ports 80 and 443 might be used for any other purpose on FortiGate apart from ACME, then communications to ACME server for certificate renewal might not go as expected and it creates the following errors:
- Verify the admin HTTP and HTTPS port under System -> Settings.
- Verify the SSL VPN port on the FortiGate.
Once ports 80 and 443 are kept for ACME only on FortiGate, the certificate will be renewed successfully and as expected. The above error will disappear and the message 'Renewed with ACME' can be seen on the FortiGate GUI.
|
