FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mdibaee
Staff
Article Id 265830

Description

 

This article describes how to check the FortiGate prerequisites for ACME certificate provisioning and how to make the ACME daemon fall back to TCP port 80 for the challenge when a VIP occupies TCP port 443.

 

Scope

 

FortiGate with a VIP configured on TCP port 443 for the public IP to which the domain of the ACME certificate resolves.

 

Solution

 

When ACME provisioning is used, the challenges arrive on TCP port 443 (tls-alpn-01) and TCP port 80 (http-01). By default a FortiGate redirects port 80 to port 443 (the administrative HTTP-to-HTTPS redirect, for security purposes). If a VIP is in use on either of these ports for the public IP, the incoming challenge is processed by the VIP rather than by the system/ACME daemon, and provisioning fails. The ACME daemon debug output then shows errors such as the following:

Starting challenges for domains: x.x.x.x: Fetching http://www.yourdomain.com/.well-known/acme-challenge/challengecode: Timeout during connect (likely firewall problem), problem: urn:ietf:params:acme:error:connection

 

Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge
Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge, problem: urn:ietf:params:acme:error:unauthorized

 


 

If TCP port 443 is in use by a process on the FortiGate itself (for example the HTTPS administration daemon or the SSL VPN daemon), the ACME daemon falls back to port 80 for the challenge, and the VIP on port 443 no longer matters. One way to achieve this with minimal impact is to set the FortiGate's administrative Telnet port to 443, as Telnet is not typically used by administrators. This can be configured by navigating to System -> Settings in the GUI:

 


 

Make sure that Telnet is not allowed (allowaccess) on any FortiGate interface for administration unless it is explicitly wanted: the Telnet daemon is only being used here to occupy port 443 locally. Note that:

 

  1. If Telnet is used to manage the FortiGate, it will no longer work on the external interface for the public IP of the VIP on TCP port 443, because that traffic is processed by the VIP as explained above.
  2. If there is also a VIP on TCP port 80 using the same public IP as the one to which the ACME certificate's domain resolves, this workaround will not work, because the port 80 challenge is captured by that VIP as well.
  3. If probe-response is enabled on the ACME interface with port 80 (probe-response-port under config system global), the challenge fails with: 'The key authorization file from the server did not match this challenge. Expected .....'. Ensure that probe-response is not using port 80.

 

To achieve this configuration using the CLI:

 

config system global
    set admin-telnet enable
    set admin-telnet-port 443
end
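Before applying the Telnet-port workaround it is worth confirming which VIPs actually sit on the ACME public IP and whether anything on the FortiGate already occupies port 443. The Python script below is an added example, not code from the original article or from Fortinet: it parses the text of show firewall vip and show system global as copied from a CLI session, reports VIPs that would capture the port 443 or port 80 challenge, and decides whether the ACME daemon will fall back to port 80. The CLI output format, the FortiOS defaults listed in GLOBAL_DEFAULTS and the behaviour of a VIP without port forwarding (a 1:1 NAT that claims every port) are assumptions of the example, and the sample output at the bottom is constructed.

```python
"""Pre-flight check for FortiGate ACME port conflicts (added example).
Parses `show firewall vip` and `show system global` output and reports VIPs on the
ACME public IP that capture the tls-alpn-01 (TCP 443) or http-01 (TCP 80) challenge,
and whether a local service already holds TCP 443 so the daemon falls back to port 80."""
import ipaddress
import re

ACME_PORTS = {443: "tls-alpn-01", 80: "http-01"}

# `show` output omits settings at their default value; these defaults are an
# assumption of this example and are filled in before port usage is checked.
GLOBAL_DEFAULTS = {"admin-sport": "443", "admin-telnet": "enable", "admin-telnet-port": "23",
                   "probe-response-mode": "none", "probe-response-port": "8008"}


def parse_edits(text):
    """{edit-name: {setting: value}} for a `config ... edit ... next ... end` listing."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = blocks.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r'^set\s+(\S+)\s+(.+)$', line)
            if m:
                current[m.group(1)] = m.group(2).strip().strip('"')
    return blocks


def parse_settings(text):
    """{setting: value} for a flat listing such as `config system global`."""
    return {m.group(1): m.group(2).strip().strip('"')
            for m in re.finditer(r'^\s*set\s+(\S+)\s+(.+)$', text, re.M)}


def in_range(value, needle, conv):
    """True if needle lies within 'a' or 'a-b' once both are converted with conv."""
    lo, _, hi = value.partition("-")
    return conv(lo) <= conv(needle) <= conv(hi or lo)


def vip_conflicts(vips, acme_ip):
    """Sorted [(vip, port, challenge)] for VIPs that capture challenge traffic on
    acme_ip. A VIP without port forwarding is a 1:1 NAT and claims every port."""
    as_int = lambda ip: int(ipaddress.ip_address(ip))
    hits = []
    for name, s in vips.items():
        if not in_range(s.get("extip", "0.0.0.0"), acme_ip, as_int):
            continue
        for port, challenge in ACME_PORTS.items():
            if s.get("portforward") != "enable" or in_range(s.get("extport", "0"), str(port), int):
                hits.append((name, port, challenge))
    return sorted(hits)


def local_listeners(settings):
    """{port: [service]} for FortiGate services configured in `config system global`."""
    g = {**GLOBAL_DEFAULTS, **settings}
    services = [("https-admin", "admin-sport")]
    if g["admin-telnet"] == "enable":
        services.append(("telnet-admin", "admin-telnet-port"))
    if g["probe-response-mode"] == "http-probe":
        services.append(("probe-response", "probe-response-port"))
    listeners = {}
    for service, key in services:
        listeners.setdefault(int(g[key]), []).append(service)
    return listeners


def acme_preflight(vip_text, global_text, acme_ip):
    """Summarise what would block ACME provisioning for the domain resolving to acme_ip."""
    listeners = local_listeners(parse_settings(global_text))
    fallback = 443 in listeners            # local service on 443 => http-01 on port 80
    conflicts = vip_conflicts(parse_edits(vip_text), acme_ip)
    problems = [f"VIP {vip} captures TCP {port}: {challenge} challenge will fail"
                for vip, port, challenge in conflicts
                if not (port == 443 and fallback)]   # 443 challenge is skipped after fallback
    if "probe-response" in listeners.get(80, []):
        problems.append("probe-response answers on TCP 80 and will break the http-01 challenge")
    return {"fallback_to_port_80": fallback, "conflicts": conflicts, "problems": problems}


# Constructed sample CLI output for this example, not taken from a real device.
SAMPLE_VIPS = """config firewall vip
    edit "web-443"
        set extip 203.0.113.10
        set mappedip "192.168.10.20"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "dmz-1to1"
        set extip 203.0.113.11
        set mappedip "192.168.10.30"
    next
end
"""
SAMPLE_GLOBAL = """config system global
    set admin-sport 8443
    set admin-telnet enable
    set admin-telnet-port 443
end
"""

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.11"):
        print(ip, acme_preflight(SAMPLE_VIPS, SAMPLE_GLOBAL, ip))
```

With the sample configuration the web-443 VIP on 203.0.113.10 is reported but not flagged as a problem, because Telnet on port 443 makes the daemon fall back to port 80; the 1:1 VIP on 203.0.113.11 is flagged, since it also captures port 80, which matches note 2 above. Dropping the admin-telnet-port line from the global section turns the web-443 VIP into a reported problem, which is the situation the workaround fixes.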

 

As an alternative to moving the Telnet port, 'Redirect to HTTPS' (admin-https-redirect under config system global) can be disabled under System -> Settings -> Administration Settings, so that HTTP on the WAN interface is no longer redirected to HTTPS. Only do this temporarily, as it is not a secure setting.

 

Special Notes:

  1. When a VIP port conflict on the firewall has prevented the certificate from renewing, applying the fix described above lets FortiGate renew the certificate successfully, but services that reference the certificate may be disrupted at renewal: for example, if the Let's Encrypt certificate is used for SSL VPN, renewing it may disconnect SSL VPN sessions. Apply the fix during a maintenance window to avoid interrupting production traffic.
  2. If any VIP object uses TCP port 80 on the same interface that listens for Let's Encrypt traffic, that interface cannot be used for Let's Encrypt creation or renewal. For details, refer to the documentation: Automatically provision a certificate.

 

Related documents:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew

Technical Tip: Monitor FortiGate using server probes (HTTP).

ACME certificate support