Description

This article describes the error returned when the command below is executed. The command fetches the ACME client's full status log for the given CN domain; the error shown indicates that the FortiGate is unable to communicate with the LetsEncrypt servers.
FortiGate # diag sys acme status-full connect.myorganization.com
Error (<Public_IP>: Fetching http://connect.myorganization.com/.well-known/acme-challenge/<hash>: Timeout during connect (likely firewall problem)) on Thu Nov 24 20:45:12 2022 (UTC)
Below is the associated ACME protocol and certificate configuration used:
# config system acme
    set store-passphrase ENC ####Hashed Password####
    set url "https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxx"
    set ca_url "https://acme-v02.api.letsencrypt.org/directory"
    set email "itops@myorganization.com"
    set privatekey "-----BEGIN ENCRYPTED PRIVATE KEY-----
####Hashed Private Key####
-----END ENCRYPTED PRIVATE KEY-----"
    next
end
end
# config vpn certificate ca
    edit "Connect"
        set password ENC ####Hashed Password#####
        set comments " "
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY-----
####Hashed Private Key#####
-----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
####Hashed Certificate#####
-----END CERTIFICATE-----"
        set range global
        set enroll-protocol acme2
        set acme-domain "connect.myorganization.com"
        set acme-email "itops@myorganization.com"
    next
end
Scope

FortiGate, FortiOS 7.0.0 and above.

Solution
Below are the sequential steps to troubleshoot this connectivity issue:
- Make sure that the interface through which the FortiGate communicates with the LetsEncrypt servers is mapped in the ACME configuration:
# config system acme
- Confirm that the FortiGate has reachability to the internet, and then to the LetsEncrypt servers, by using ping:
# execute ping acme-v02.api.letsencrypt.org
- Make sure the DNS configuration of the FortiGate is correct, the DNS servers are reachable, and the DNS queries initiated by the FortiGate are resolved.
- Confirm the enrollment status of the certificate using the command below:
# get vpn certificate local details 'Connect'
- Check the status of the ACME protocol's communication between the FortiGate and the LetsEncrypt servers using the command below:
# diagnose sys acme status-full connect.myorganization.com
- Restart the ACME service using the command below. This manually re-triggers the certificate verification with the LetsEncrypt servers so that the certificate can be validated again.
# diagnose sys acme restart
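The error line in the Description and the steps above can be tied together with a small triage script. The following is an added example, not Fortinet code or part of the original article: it parses an error line in the format that diagnose sys acme status-full printed above (the format is assumed from that single sample), maps the validation reason to the relevant troubleshooting steps (the reason phrases in RULES are assumed Let's Encrypt HTTP-01 error messages), and offers two checks a practitioner runs from outside the network: whether the challenge domain resolves to the public IP the validator tried, and whether TCP/80 on that name is reachable. The sample line, the IP 203.0.113.10 and the token EXAMPLETOKEN are constructed.

```python
"""Triage a FortiGate 'diagnose sys acme status-full' error line (HTTP-01).

Added example, not Fortinet code. The line format is assumed from the
article's sample; the error phrases in RULES are assumed Let's Encrypt
validation messages.
"""
import re
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Optional

# Path the Let's Encrypt validation server fetches for an HTTP-01 challenge.
CHALLENGE_PATH = "/.well-known/acme-challenge/"

# 'Error (<ip>: Fetching <url>: <reason>) on <date>'  (assumed format)
STATUS_RE = re.compile(
    r"Error \((?P<ip>[^:]+): Fetching (?P<url>\S+): (?P<reason>.*?)\) on (?P<when>.+)$"
)

# Constructed sample in the article's format (placeholder IP/token).
SAMPLE = (
    "Error (203.0.113.10: Fetching http://connect.myorganization.com"
    "/.well-known/acme-challenge/EXAMPLETOKEN: Timeout during connect "
    "(likely firewall problem)) on Thu Nov 24 20:45:12 2022 (UTC)"
)

# Substring of the validation reason -> which article steps to revisit.
RULES = [
    ("Timeout during connect",
     "The validator could not open TCP/80 to the public IP: check the "
     "interface mapping in 'config system acme' and reachability (steps 1-2)."),
    ("Connection refused",
     "Something at that IP actively rejected TCP/80: check the interface "
     "mapping and that the name resolves to this FortiGate (steps 1 and 3)."),
    ("DNS problem",
     "The name did not resolve on the validator side: check DNS (step 3)."),
    ("Invalid response",
     "TCP/80 answered but not with the challenge: confirm enrollment status, "
     "then restart the ACME service (steps 4-6)."),
]


@dataclass
class AcmeStatus:
    public_ip: str   # IP the validator tried to connect to
    url: str         # challenge URL it fetched
    reason: str      # validator's error text
    when: str        # timestamp as printed by the FortiGate

    @property
    def domain(self) -> str:
        # 'http://host/.well-known/acme-challenge/<token>' -> 'host'
        return self.url.split("//", 1)[1].split("/", 1)[0]

    @property
    def is_http01(self) -> bool:
        return CHALLENGE_PATH in self.url


def parse_status(line: str) -> Optional[AcmeStatus]:
    """Return the parsed error line, or None if it is not an error line."""
    m = STATUS_RE.search(line.strip())
    if not m:
        return None
    return AcmeStatus(m["ip"], m["url"], m["reason"], m["when"])


def triage(status: AcmeStatus) -> str:
    """Map the validator's reason text to the article's troubleshooting steps."""
    for needle, advice in RULES:
        if needle in status.reason:
            return advice
    return "Unrecognised validation error; review the full status log."


def dns_matches(domain: str, expected_ip: str,
                resolve: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True when the challenge name resolves to the IP the validator tried.

    'resolve' is injectable so the check can be exercised without network access.
    """
    try:
        return resolve(domain) == expected_ip
    except OSError:
        return False


def tcp_reachable(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Connect attempt comparable to the validator's, run from outside the edge."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Pipe a real status-full error line on stdin, or run with no input to
    # triage the constructed SAMPLE. Add --probe to run the live DNS/TCP checks.
    line = SAMPLE if sys.stdin.isatty() else sys.stdin.readline()
    st = parse_status(line)
    if st is None:
        sys.exit("no ACME error line found")
    print(f"domain={st.domain} validator-target={st.public_ip} at {st.when}")
    print("advice:", triage(st))
    if "--probe" in sys.argv:
        print("dns matches validator target:", dns_matches(st.domain, st.public_ip))
        print("tcp/80 reachable from here:", tcp_reachable(st.domain))
```

The DNS and TCP probes are deliberately separated from parsing so the script can be run from a workstation outside the FortiGate's edge, which is where the Let's Encrypt validator's connection also originates; a mismatch between the resolved address and the IP in the error line, or a failed TCP/80 connect, points at the interface mapping or an upstream firewall rather than at the FortiGate's own outbound reachability.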
Related document: https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support
Copyright 2023 Fortinet, Inc. All Rights Reserved.