|
During provisioning or at the time of renewal of Acme cert FortiGate shows an error message 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory', which indicates that FortiGate is not able to contact the Acme server for renewal /provision.
To confirm this issue, run the following commands in the FortiGate CLI:
get vpn certificate local details Test_acme
ACME details:
Status: Unprovisioned
Staging status: Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.
diagnose sys acme status-full " Certificate's CN domain"
diagnose sys acme status-full example.fortinet.com
"status": 70007,
"status-description": "The timeout specified has expired",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.
If this problem persists, check the network connectivity from the Apache server to the ACME server.
Troubleshooting steps:
Check network connectivity to the ACME server with a ping test from FortiGate's CLI:
exec ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes
64 bytes from 172.65.32.248: icmp_seq=0 ttl=59 time=17.2 ms
64 bytes from 172.65.32.248: icmp_seq=1 ttl=59 time=16.2 ms
If the layer 3 connectivity to the Acme server is good as shown in the above test, confirm which interface is used for listening to the ACME challenges by FortiGate.
Run a sniffer for the Acme IP 172.65.32.248 (confirm the IP with the Ping test performed earlier).
dia sni packet any " host 172.65.32.248 " 4 0 l <- Letter L.
022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: psh 175404546 ack 2557588747
2022-12-23 11:31:50.644143 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: fin 175404570 ack 2557588747
FortiGate should communicate with ACME servers on the same Internet facing Interface that is being selected under the ACME configuration on FortiGate.
show sys acme
config system acme
set interface "wan1"
end
If no traffic for the ACME server is being sent out via the interface that is being selected under config system acme, this is related to the Ha-direct feature being used under config sys ha.
config system ha
set group-name "HA-test"
set mode a-p
set password ENC
set hbdev "port3" 0
set ha-mgmt-status enable
config ha-mgmt-interfaces
edit 1
set interface "port2"
set gateway 10.5.63.254
next
end
set override disable
set ha-direct enable <-
end
If the ha-direct option is enabled: FortiGate will use the HA reserved management interface for ACME renewal and provisioning.
As the interface selected under # config system acme is different than the HA reserved management interface, ACME communication will not happen.
Note: The HA management interface is reserved and cannot be selected for ACME services.
FortiGate selects an HA-reserved management interface as an outgoing interface for the features listed below if HA-direct is enabled:
- Remote logging (including syslog, FortiAnalyzer, and FortiCloud).
- SNMP queries and traps.
- Remote authentication and certificate verification.
- Communication with FortiSandbox.
Also, ensure that there is no local-in-policy configured on the firewall blocking HTTPS traffic.
config firewall local-in-policy
edit 1
set intf "port1"
set srcaddr "all"
set dstaddr "all"
set service "https"
set schedule "always"
next
end
Solution:
Before FortiOS 7.4, disable the Ha-direct option under config sys ha.
A new setting 'use-ha-direct' has been introduced in FortiOS 7.4.0:
config system acme
set use-ha-direct [enable|disable]
end
|
