FortiGate
jera
Staff
Article Id 332966
Description

This article describes the debug output seen when a Let's Encrypt (ACME) certificate on a FortiGate fails to auto-renew because another service occupies the challenge port or because the DNS record of the domain does not match the domain configured on the FortiGate.

Scope

FortiGate, Let's Encrypt certificates, ACME certificates.
Solution

ACME certificate support guidelines can be found here:

ACME certificate support

To find the reason for the renewal error, run the following command with the CN domain of the certificate:

diagnose sys acme status-full <Certificate’s CN domain>


FortiGate # diagnose sys acme status-full test.fortinet.com
{
  "name": "test.fortinet.com",
  "finished": true,
  "notified": false,
  "next-run": "Fri, 02 Feb 2024 14:04:44 GMT",
  "last-run": "Fri, 02 Feb 2024 14:04:00 GMT",
  "errors": 4,
  "last": {
    "status": 22,
    "status-description": "Invalid argument",
    "problem": "urn:ietf:params:acme:error:tls",
    "detail": "1.2.3.4: remote error: tls: no application protocol",
    "activity": "Starting challenges for domains"
  },
  "log": {
    "entries": [
      {
        "when": "Fri, 02 Feb 2024 14:04:04 GMT",
        "type": "message-errored"
      },
      {
        "when": "Fri, 02 Feb 2024 14:04:04 GMT",
        "type": "renewal-error",
        "status": "urn:ietf:params:acme:error:tls",
        "detail": "1.2.3.4 : remote error: tls: no application protocol"
      },
      {
        "when": "Fri, 02 Feb 2024 14:04:04 GMT",
        "type": "progress",
        "detail": "Starting challenges for domains: 1.2.3.4: remote error: tls: no application protocol, problem: urn:ietf:params:acme:error:tls"
      },
      {

To fix:

  • The detail "remote error: tls: no application protocol" means the ACME server's TLS-ALPN-01 challenge reached a TLS listener on port 443 that did not offer the acme-tls/1 ALPN protocol, i.e. a service other than the ACME client answered. Move other services such as SSL VPN and the FortiGate web GUI (HTTPS/HTTP) to any unused port other than 443 and 80.
  • The IP address the ACME-registered domain resolves to (check with nslookup) must be the FortiGate on which that domain is configured as the acme-domain.

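The two checks above can be automated. The following Python script is an added example, not part of the article and not a Fortinet tool: it parses the JSON printed by diagnose sys acme status-full, summarises the last failure, and runs the nslookup comparison from the fix list. The sample output, the CAUSE_BY_PROBLEM mapping (my reading of the RFC 8555 problem types), and the alpn_probe helper, which connects to port 443 offering only acme-tls/1 the way the ACME server does, are my assumptions; the resolver is injectable so the DNS check can be run against canned answers offline.

```python
import json
import socket
import ssl
from typing import Callable, Dict, List, Optional

# Constructed sample, modelled on the `diagnose sys acme status-full` output
# quoted in the article and trimmed to the fields read below. The IP 1.2.3.4
# and the domain are the article's placeholders, not a live host.
SAMPLE_STATUS = """{
  "name": "test.fortinet.com",
  "finished": true,
  "errors": 4,
  "last": {
    "status": 22,
    "status-description": "Invalid argument",
    "problem": "urn:ietf:params:acme:error:tls",
    "detail": "1.2.3.4: remote error: tls: no application protocol",
    "activity": "Starting challenges for domains"
  },
  "log": {"entries": [
    {"when": "Fri, 02 Feb 2024 14:04:04 GMT", "type": "message-errored"},
    {"when": "Fri, 02 Feb 2024 14:04:04 GMT", "type": "renewal-error",
     "status": "urn:ietf:params:acme:error:tls",
     "detail": "1.2.3.4 : remote error: tls: no application protocol"}
  ]}
}"""

# Assumed mapping from RFC 8555 problem types to the usual cause on a firewall
# that runs the ACME client itself; this is an interpretation, not a Fortinet table.
CAUSE_BY_PROBLEM: Dict[str, str] = {
    "urn:ietf:params:acme:error:tls":
        "TLS-ALPN-01 reached a port-443 listener that does not offer acme-tls/1 "
        "(another service such as SSL VPN or the admin GUI is bound to 443)",
    "urn:ietf:params:acme:error:connection":
        "the ACME server could not connect to port 80/443 at the domain's IP "
        "(check firewall policy, NAT and the DNS record)",
    "urn:ietf:params:acme:error:dns":
        "the ACME server could not resolve the domain",
    "urn:ietf:params:acme:error:unauthorized":
        "the challenge answer did not validate (a different host answered?)",
}


def parse_status(text: str) -> dict:
    """Parse the JSON block printed by `diagnose sys acme status-full`.
    Anything before the first '{' (e.g. a pasted CLI prompt line) is dropped."""
    body = text[text.index("{"):]
    return json.loads(body)


def renewal_errors(status: dict) -> List[str]:
    """Return the detail string of every renewal-error log entry."""
    entries = status.get("log", {}).get("entries", [])
    return [e.get("detail", "") for e in entries if e.get("type") == "renewal-error"]


def diagnose(status: dict) -> Dict[str, object]:
    """Summarise the last failure: the IP the ACME server tried, the problem
    type and the likely cause. The detail string starts with the IPv4 address
    the challenge was sent to, followed by ':' (IPv6 is not handled here)."""
    last = status.get("last", {})
    problem = last.get("problem", "")
    detail = last.get("detail", "")
    ip = detail.split(":", 1)[0].strip() if detail else ""
    return {
        "domain": status.get("name", ""),
        "error_count": status.get("errors", 0),
        "renewal_errors": len(renewal_errors(status)),
        "problem": problem,
        "challenge_ip": ip,
        "likely_cause": CAUSE_BY_PROBLEM.get(problem, "unrecognised problem type; read the log entries"),
    }


def dns_matches(domain: str, fortigate_ip: str,
                resolve: Optional[Callable[[str], List[str]]] = None) -> bool:
    """The nslookup check from the fix list: the public A record(s) of the ACME
    domain must include the FortiGate address that answers the challenge.
    `resolve` is injectable so the check can run against canned answers."""
    if resolve is None:
        def resolve(name: str) -> List[str]:
            return sorted({r[4][0] for r in socket.getaddrinfo(name, 443, socket.AF_INET)})
    return fortigate_ip in resolve(domain)


def alpn_probe(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Open a TLS connection offering only the acme-tls/1 ALPN protocol, as the
    ACME server does for TLS-ALPN-01, and return the protocol the listener
    selected. None (or an SSLError, which is mapped to None) means whatever is
    bound to that port is not the ACME responder. Needs network access and is
    not exercised by the offline checks."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # the challenge certificate is self-signed by design
    ctx.set_alpn_protocols(["acme-tls/1"])
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.selected_alpn_protocol()
    except ssl.SSLError:
        return None


if __name__ == "__main__":
    report = diagnose(parse_status(SAMPLE_STATUS))
    for key, value in report.items():
        print(f"{key:15} {value}")
    # Offline DNS check against a canned answer; drop `resolve=` to query real DNS.
    print("dns ok:", dns_matches(report["domain"], report["challenge_ip"], resolve=lambda _: ["1.2.3.4"]))
```

Run it against the real output by piping the CLI text into parse_status; on a FortiGate whose port 443 is held by SSL VPN, alpn_probe against the public IP returns None, which is the same condition the ACME server reports as "no application protocol".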

On the FortiGate CLI, the domain is set on the local certificate entry:

config vpn certificate local
    edit "ACME"
        set acme-domain "test.fortinet.com"
    next
end
