Author: amahdi (Staff)
Article Id 292768
Description This article describes a possible solution when FortiGate is unable to create a Let's Encrypt certificate via the CLI or GUI, although connectivity between the firewall and the ACME server is successful.
Scope FortiGate.
Solution
  • The following error is observed in the output of 'diagnose sys acme status-full <domain>':

diagnose sys acme status-full fw-01.test.net
"when": "Sun, 16 Jun 2024 05:58:59 GMT",
"type": "renewal-error",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.

If this problem persists, check the network connectivity from the Apache server to the ACME server.

Also, older servers might have trouble verifying the certificates of the ACME server. Check whether the ACME server can be contacted manually via the curl command.

Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem. Apache will continue retrying this.

  • Although the FortiGate system shows the correct date and time:

execute time
current time is: 08:12:51
last ntp sync:Fri Jan 5 07:53:04 2024


execute date
current date is: 2024-01-05


  • Rebooting the firewall does not resolve the issue.
  • Ensure that no local-in policies are configured that block ports 443 or 80.
  • A possible solution is to run the 'diagnose sys acme purge-all' command. This wipes the status file, clears any internal state of the ACME client, restarts the ACME client, and starts a new attempt from the FortiGate's configuration.
  • Output similar to the following should then be visible:


diagnose sys acme status-full fw-01.test.net
"when": "Fri, 05 Jan 2024 15:51:22 GMT",
"type": "progress",
"detail": "Contacting ACME server for  fw-01.test.net at https://acme-v02.api.letsencrypt.org/directory"
},
{
"when": "Fri, 05 Jan 2024 15:51:22 GMT",
"type": "progress",
"detail": "Assessing current status"
},
{
"when": "Fri, 05 Jan 2024 15:51:22 GMT",
"type": "progress",
"detail": "Resetting staging area"
},
{
"when": "Fri, 05 Jan 2024 15:51:22 GMT",
"type": "progress",
"detail": "Checking staging area"
},
{
"when": "Fri, 05 Jan 2024 15:51:22 GMT",
"type": "starting"
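
The triage described above (latest ACME client event, combined with an out-of-band reachability check of the ACME directory) can be scripted against the 'diagnose sys acme status-full' output. The following is an added example, not Fortinet code; the event objects are extracted individually because the exact wrapper the CLI prints around them is assumed, and the sample output is constructed from the fragments shown in this article.

```python
import json
import re
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the fragments in this article (not captured from a device).
SAMPLE_STATUS = """diagnose sys acme status-full fw-01.test.net
{
"when": "Fri, 05 Jan 2024 15:51:22 GMT",
"type": "progress",
"detail": "Contacting ACME server for fw-01.test.net at https://acme-v02.api.letsencrypt.org/directory"
},
{
"when": "Sun, 16 Jun 2024 05:58:59 GMT",
"type": "renewal-error",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>."
}
"""

# Each event is a flat JSON object; this tolerates any surrounding array or wrapper text.
EVENT_RE = re.compile(r"\{[^{}]*\}")


def parse_events(text):
    """Return the event dicts found in the CLI output, in the order printed."""
    return [json.loads(m.group(0)) for m in EVENT_RE.finditer(text)]


def latest_event(events):
    """Most recent event by its RFC 1123 'when' timestamp (timezone-aware)."""
    return max(events, key=lambda e: parsedate_to_datetime(e["when"]))


def assess(text, acme_reachable):
    """Map the latest ACME client event plus a reachability result to a next step.

    acme_reachable is the result of a manual check (e.g. curl to the directory URL
    from the firewall's egress path). The article's case is True together with a
    renewal-error: connectivity is fine, so the client state itself is the problem.
    """
    events = parse_events(text)
    if not events:
        return "no-events", "nothing to assess; re-run 'diagnose sys acme status-full <domain>'"
    ev = latest_event(events)
    if ev["type"] in ("progress", "starting"):
        return ev["type"], "ACME client active; wait for the attempt to complete"
    if ev["type"] == "renewal-error" and not acme_reachable:
        return ev["type"], "fix connectivity: check local-in policies for TCP 80/443 and the system time"
    if ev["type"] == "renewal-error":
        return ev["type"], "connectivity OK but client stuck: run 'diagnose sys acme purge-all' and retry"
    return ev["type"], "unrecognised event type; inspect 'detail'"
```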

 

Related article:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew