Dhruvin_patel
Article Id 324582
Description This article describes how to troubleshoot an ACME certificate renewal/provisioning failure reported with the error 'Timeout during connect (likely firewall problem), problem: urn:ietf:params:acme:error:connection'.
Scope FortiGate v7.0 and Above.
Solution

When renewing or provisioning an ACME certificate, FortiGate shows the error 'Timeout during connect (likely firewall problem), problem: urn:ietf:params:acme:error:connection', indicating that the connection between the FortiGate and the ACME server could not be established during renewal/provisioning.


To renew or provision the ACME certificate, see: Automatically provision a certificate


To confirm the issue, check the ACME log when the ACME client initiates the process to provision or renew certificates.


[Screenshot acme-1.PNG: the ACME log entry]


The 'Details' section of the log entry shows the following error:


Assessing current status
Checking staging area
Starting challenges for domains
During secondary validation: x.x.x.x: Timeout during connect (likely firewall problem)


Further down in the log:


Starting challenges for domains: During secondary validation: x.x.x.x: Fetching http://firewall.bktfamilylaw.com/.well-known/acme-challenge/iC7nHEx6kdK4caQyIMBBziF0f4ennBNtT2KbiRzj... Timeout during connect (likely firewall problem), problem: urn:ietf:params:acme:error:connection


The issue is a connectivity problem. It is caused by a local-in policy on the FortiGate that blocks certain geolocations, which interferes with the provisioning/renewal of the certificate because the Let's Encrypt servers are located in different geolocations. As a workaround, temporarily disable the local-in policy that restricts by geolocation, then start the renewal/provisioning process. Once it succeeds, enable the local-in policy again.


The second possible cause is an upstream device, such as another firewall, that the traffic passes through. On that device, keep ports 80 and 443 open and allow the connection between the ACME client and the ACME server. Make sure there is no geolocation-based block on ports 80 and 443 on the upstream firewall.
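As an added example (not part of this article or of FortiOS), the script below parses the 'Details' text of the ACME log shown above, picks out the validator IP and the domain it tried to reach, and maps a connection timeout onto the two causes described here (a geolocation local-in policy on the FortiGate, or an upstream firewall blocking TCP 80/443). The sample log, IP addresses and domain are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample modelled on the 'Details' text of the FortiGate ACME log (hypothetical IP/domain).
SAMPLE_LOG = """Assessing current status
Checking staging area
Starting challenges for domains
During secondary validation: 203.0.113.10: Fetching http://fw.example.com/.well-known/acme-challenge/abc123token: Timeout during connect (likely firewall problem), problem: urn:ietf:params:acme:error:connection
"""

ACME_CONNECTION_ERROR = "urn:ietf:params:acme:error:connection"
# Shape of a validation line: "... validation: <validator IP>: <detail>[, problem: <urn>]"
LINE_RE = re.compile(
    r"validation: (?P<validator>[0-9a-fA-F.:]+): (?P<detail>.*?)"
    r"(?:, problem: (?P<problem>urn:ietf:params:acme:error:\w+))?$"
)
URL_RE = re.compile(r"https?://\S+")


@dataclass
class AcmeFailure:
    validator_ip: str        # the Let's Encrypt validator that tried to reach the FortiGate
    domain: Optional[str]    # host taken from the challenge URL, if one is present
    detail: str
    problem: Optional[str]   # the structured ACME problem urn, if present

    @property
    def is_connection_timeout(self) -> bool:
        # Either the urn or the free-text hint identifies the error this article covers.
        return self.problem == ACME_CONNECTION_ERROR or "Timeout during connect" in self.detail


def parse_acme_log(text: str) -> List[AcmeFailure]:
    """Extract per-validator failures from the log 'Details' text; status lines are skipped."""
    failures = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        url = URL_RE.search(line)
        domain = urlsplit(url.group(0).rstrip(".:")).hostname if url else None
        failures.append(AcmeFailure(m.group("validator"), domain, m.group("detail").strip(), m.group("problem")))
    return failures


def triage(failures: List[AcmeFailure]) -> List[str]:
    """Turn connection timeouts into the two checks this article describes."""
    return [
        f"{f.validator_ip} could not connect to {f.domain or 'the FortiGate'} on TCP/80: check for a "
        "geolocation-based local-in policy on the FortiGate, and confirm any upstream firewall "
        "allows TCP 80/443 from the validator without a geo block."
        for f in failures if f.is_connection_timeout
    ]
```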