FortiGate
salemneaz
Staff
Article Id 329656
Description This article describes an example of the error for generating a Let’s Encrypt certificate using the ACME protocol from the Firewall GUI.
Scope FortiOS 7.4 and above.
Solution

The Let's Encrypt certificate authority uses the Automated Certificate Management Environment (ACME) protocol, specified in RFC 8555, to issue a free SSL server certificate. For this to work, the FortiGate must have a public IP address and a DNS hostname (FQDN) that resolves to that address from the internet.


  •  Start by creating the ACME Let’s Encrypt Certificate from the Firewall GUI.

(screenshot: 1.jpg)


  • The certificate cannot be generated; the GUI shows the error in the screenshots below.

(screenshot: 2.jpg)


(screenshot: 3.jpg)


  • In the httpsd debug, the GUI's GET request to the ACME status endpoint completes with 'HTTP 200', yet the certificate is still not generated.

[httpsd 9223 - 1721770087     info] fweb_debug_init[437] -- Handler "api_monitor_v2-handler" assigned to request
[httpsd 9223 - 1721770087     info] api_store_parameter[323] -- add API parameter 'mkey' (type=string)
[httpsd 9223 - 1721770087     info] api_store_parameter[323] -- add API parameter 'scope' (type=string)
[httpsd 9223 - 1721770087     info] endpoint_process_req_vdom[1024] -- new API request (action='select',path='system',name='acme-certificate-status',vdom='root',user='admin')
[httpsd 9223 - 1721770087     info] endpoint_process_req_vdom[1030] -- completed API request (rss_pre=17976, rss_post=17976, rss_delta=0)
[httpsd 9223 - 1721770087     info] fweb_debug_final[319] -- Completed GET request for "/api/v2/monitor/system/acme-certificate-status" (HTTP 200)
[httpsd 9228 - 1721770089     info] fweb_debug_init[433] -- New GET request for "/api/v2/monitor/system/usb-log" from "209.87.240.230:21365"
[httpsd 9228 - 1721770089     info] fweb_debug_init[435] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
[httpsd 9228 - 1721770089     info] fweb_debug_init[437] -- Handler "api_monitor_v2-handler" assigned to request
[httpsd 9228 - 1721770089     info] api_store_parameter[323] -- add API parameter 'vdom' (type=string)
[httpsd 9228 - 1721770089     info] endpoint_process_req_vdom[1024] -- new API request (action='select',path='system',name='usb-log',vdom='root',user='admin')
[httpsd 9228 - 1721770089     info] endpoint_process_req_vdom[1030] -- completed API request (rss_pre=13340, rss_post=13340, rss_delta=0)
[httpsd 9228 - 1721770089     info] fweb_debug_final[319] -- Completed GET request for "/api/v2/monitor/system/usb-log" (HTTP 200)
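The debug output above is easier to interpret once it is folded into one record per request. The following script is an added example, not part of this article or of FortiOS: it parses httpsd lines of the shape shown above into request records (method, path, source, User-Agent, user, HTTP status) and labels each one as an admin REST API call (`/api/v2/...`) or as an HTTP-01 challenge fetch under `/.well-known/acme-challenge/`, the path RFC 8555 defines for domain validation. The sample lines are copied from the output above; the record layout, helper names and the assumption that one pid serves one request at a time are this example's own.

```python
import re

# Sample lines copied from the httpsd debug output above (trimmed to the
# lines that carry request details).
SAMPLE_LOG = """\
[httpsd 9223 - 1721770087     info] fweb_debug_init[437] -- Handler "api_monitor_v2-handler" assigned to request
[httpsd 9223 - 1721770087     info] endpoint_process_req_vdom[1024] -- new API request (action='select',path='system',name='acme-certificate-status',vdom='root',user='admin')
[httpsd 9223 - 1721770087     info] fweb_debug_final[319] -- Completed GET request for "/api/v2/monitor/system/acme-certificate-status" (HTTP 200)
[httpsd 9228 - 1721770089     info] fweb_debug_init[433] -- New GET request for "/api/v2/monitor/system/usb-log" from "209.87.240.230:21365"
[httpsd 9228 - 1721770089     info] fweb_debug_init[435] -- User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"
[httpsd 9228 - 1721770089     info] endpoint_process_req_vdom[1024] -- new API request (action='select',path='system',name='usb-log',vdom='root',user='admin')
[httpsd 9228 - 1721770089     info] fweb_debug_final[319] -- Completed GET request for "/api/v2/monitor/system/usb-log" (HTTP 200)
"""

# One httpsd debug line: [httpsd <pid> - <epoch> <level>] <func>[<line>] -- <message>
LINE_RE = re.compile(
    r'^\[httpsd (?P<pid>\d+) - (?P<ts>\d+)\s+(?P<level>\w+)\] '
    r'(?P<func>\w+)\[\d+\] -- (?P<msg>.*)$'
)
NEW_RE = re.compile(r'New (?P<method>[A-Z]+) request for "(?P<path>[^"]+)" from "(?P<src>[^"]+)"')
DONE_RE = re.compile(r'Completed (?P<method>[A-Z]+) request for "(?P<path>[^"]+)" \(HTTP (?P<status>\d+)\)')
UA_RE = re.compile(r'User-Agent: "(?P<ua>[^"]*)"')
USER_RE = re.compile(r"user='(?P<user>[^']*)'")

# Path prefix an ACME server fetches for the HTTP-01 challenge (RFC 8555).
ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def _new_record(pid, ts):
    return {"pid": pid, "ts": ts, "method": None, "path": None, "src": None,
            "user_agent": None, "user": None, "status": None}


def parse_httpsd(text):
    """Fold per-line httpsd debug output into one record per request.

    Every line carries the pid of the worker handling the request, so lines are
    grouped by pid until a 'Completed ... request' line closes the record.
    Assumption (this example's own): a worker serves one request at a time.
    """
    open_reqs = {}
    finished = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        rec = open_reqs.setdefault(pid, _new_record(pid, int(m["ts"])))
        new = NEW_RE.search(msg)
        done = DONE_RE.search(msg)
        ua = UA_RE.search(msg)
        user = USER_RE.search(msg)
        if new:
            rec.update(method=new["method"], path=new["path"], src=new["src"])
        elif done:
            rec.update(method=done["method"], path=done["path"], status=int(done["status"]))
            finished.append(open_reqs.pop(pid))
        elif ua:
            rec["user_agent"] = ua["ua"]
        elif user:
            rec["user"] = user["user"]
    # Requests whose completion line was not captured are still reported.
    finished.extend(open_reqs.values())
    return finished


def is_admin_api(rec):
    """True for FortiGate GUI/REST API calls such as those an admin browser makes."""
    return (rec["path"] or "").startswith("/api/v2/")


def is_acme_challenge(rec):
    """True when the request is an HTTP-01 challenge fetch (from the CA)."""
    return (rec["path"] or "").startswith(ACME_CHALLENGE_PREFIX)


def acme_challenge_seen(records):
    return any(is_acme_challenge(r) for r in records)


def summarize(records):
    """One line per request: what it was, who sent it, and how it ended."""
    lines = []
    for r in records:
        if is_acme_challenge(r):
            kind = "ACME challenge"
        elif is_admin_api(r):
            kind = "admin API"
        else:
            kind = "other"
        lines.append(f"pid {r['pid']}: {r['method']} {r['path']} from "
                     f"{r['src'] or '?'} (user={r['user']}) -> HTTP {r['status']} [{kind}]")
    return lines


if __name__ == "__main__":
    recs = parse_httpsd(SAMPLE_LOG)
    print("\n".join(summarize(recs)))
    if not acme_challenge_seen(recs):
        print("No /.well-known/acme-challenge/ fetch in this capture: the HTTP 200s "
              "are the GUI polling the FortiGate, not the CA validating the domain.")
```

Run it as-is to see the two requests from the capture, or pipe a longer `diagnose debug application httpsd` capture into `parse_httpsd`. The point it makes explicit: both 200s are for `/api/v2/...` paths with `user='admin'` and a Chrome User-Agent, so they are the admin's own browser session talking to the FortiGate and say nothing about whether Let's Encrypt could reach the firewall on port 80 or 443.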


The ACME protocol sends its requests to ports 80 and 443, so both ports must be reachable on the Firewall from the internet. Make sure that ports 80 and 443 are not blocked by upstream devices; once communication on those ports is allowed, the certificate is provisioned.


This issue mainly happens in cloud deployments, where the cloud firewall allows only a limited set of ports.
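The checks described above can be scripted so they are run from an external vantage point before the certificate is requested. The following is an added example, not from this article or from Fortinet: it resolves the FortiGate's FQDN, verifies the answer is a public address (and optionally the address you expect), and attempts a TCP connection to ports 80 and 443. The FQDN `fortigate.example.com` is a placeholder, and `simulate()` with its constructed DNS answer and port set exists only so the logic can be exercised offline; the real run uses the standard library's `socket` calls.

```python
import ipaddress
import socket
import sys

ACME_PORTS = (80, 443)  # both ports the article says must be reachable


def tcp_probe(host, port, timeout=3.0, connector=socket.create_connection):
    """Try one TCP connect; return (reachable, detail).

    `connector` is injectable so the logic can be tested without a network.
    """
    try:
        conn = connector((host, port), timeout)
    except OSError as exc:
        return False, f"{type(exc).__name__}: {exc}"
    conn.close()
    return True, "connected"


def check_acme_reachability(fqdn, expected_ip=None,
                            resolver=socket.gethostbyname,
                            connector=socket.create_connection):
    """Pre-flight checks for ACME issuance, run from OUTSIDE the FortiGate.

    Returns a report dict; `ok` is True only when the name resolves to a public
    address (matching `expected_ip` if given) and both ACME ports accept a
    TCP connection from here.
    """
    report = {"fqdn": fqdn, "resolved_ip": None, "ports": {},
              "findings": [], "ok": False}
    try:
        ip_str = resolver(fqdn)
    except OSError as exc:
        report["findings"].append(f"DNS: {fqdn} does not resolve ({exc})")
        return report
    report["resolved_ip"] = ip_str
    if not ipaddress.ip_address(ip_str).is_global:
        report["findings"].append(
            f"DNS: {fqdn} resolves to non-public address {ip_str}; "
            "the CA cannot reach it")
    if expected_ip and ip_str != expected_ip:
        report["findings"].append(
            f"DNS: {fqdn} resolves to {ip_str}, expected {expected_ip}")
    for port in ACME_PORTS:
        ok, detail = tcp_probe(ip_str, port, connector=connector)
        report["ports"][port] = ok
        if not ok:
            report["findings"].append(
                f"TCP {port} on {ip_str} unreachable ({detail}): "
                "check upstream/cloud firewall rules")
    report["ok"] = not report["findings"]
    return report


class _FakeSocket:
    def close(self):
        pass


def simulate(fqdn, resolved_ip, open_ports):
    """Offline run with a constructed DNS answer and set of open ports."""
    def resolver(name):
        if resolved_ip is None:
            raise OSError(f"{name}: no DNS answer (simulated)")
        return resolved_ip

    def connector(addr, timeout=None):
        if addr[1] in open_ports:
            return _FakeSocket()
        raise TimeoutError("timed out (simulated upstream filter)")

    return check_acme_reachability(fqdn, resolver=resolver, connector=connector)


if __name__ == "__main__":
    # Placeholder FQDN; pass the real one on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "fortigate.example.com"
    rep = check_acme_reachability(target)
    print(f"{target} -> {rep['resolved_ip']}  ports={rep['ports']}  ok={rep['ok']}")
    for finding in rep["findings"]:
        print("  -", finding)
```

Run it from a host on the internet, not from the FortiGate or from inside the cloud VPC, since the question is whether the path used by Let's Encrypt is open. A connection that times out points at filtering upstream (the cloud firewall case above), whereas a refusal means the packet reached a host that is not listening there, which usually indicates a wrong DNS record or address.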


Related article:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew