FortiGate
cravikumar
Staff
Article Id 417763
Description: This article describes how to troubleshoot and resolve a Let's Encrypt certificate renewal error. Specifically, it addresses the error 'Domain authorization for vpn.example.com failed. CA considers answer to challenge invalid'.
Scope: FortiGate, Let's Encrypt certificates, ACME certificates.
Solution

When attempting to renew an ACME certificate, the process may fail with the following error message:

diagnose sys acme status-full vpn.example.com

{
  "name": "vpn.example.com",
  "finished": true,
  "notified": true,
  "notified-renewed": false,
  "next-run": "Fri, 24 Oct 2025 23:41:20 GMT",
  "last-run": "Fri, 24 Oct 2025 16:31:53 GMT",
  "errors": 14,
  "last": {
    "status": 22,
    "status-description": "Invalid argument",
    "detail": "Domain authorization for vpn.example.com failed. CA considers answer to challenge invalid.",
    "activity": "Monitoring challenge status for vpn.example.com"
  }
}

 

This issue occurs when the FortiGate's public-facing interface is configured to use a custom HTTPS management port (for example, 4443) instead of the default port 443.

During ACME domain validation, the certificate authority (CA) connects to the domain on port 443.

If the FortiGate is listening for management traffic on a different port, the validation request is not handled correctly and the authorization fails.
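As an added check that is not part of the original article, the Python below parses the `diagnose sys acme status-full` output shown above together with the admin-sport value from `show system global`, and flags a challenge failure that coincides with a non-443 management port. The two status samples are constructed, condensed copies of the objects on this page.

```python
import json
import re

# Constructed sample, condensed from the failing status-full output above.
FAILED_STATUS = """{
 "name": "vpn.example.com",
 "errors": 14,
 "last": {
  "status": 22,
  "detail": "Domain authorization for vpn.example.com failed. CA considers answer to challenge invalid.",
  "activity": "Monitoring challenge status for vpn.example.com"
 }
}"""

# Constructed sample, condensed from the successful output shown later on the page.
RENEWED_STATUS = """{
 "name": "vpn.example.com",
 "errors": 0,
 "last": {"status": 0, "detail": "The certificate for the managed domain has been renewed successfully."}
}"""

CHALLENGE_INVALID = re.compile(r"CA considers answer to challenge invalid", re.I)
ADMIN_SPORT = re.compile(r"^\s*set admin-sport (\d+)\s*$", re.M)


def parse_admin_sport(system_global):
    """Read admin-sport from `show system global`; FortiOS uses 443 when the line is absent."""
    m = ADMIN_SPORT.search(system_global)
    return int(m.group(1)) if m else 443


def classify_acme_status(status_json, admin_sport=443):
    """Return (state, reason) for one `diagnose sys acme status-full` object.

    state is "renewed", "challenge-failed", "other-error" or "pending". A failed
    challenge while admin-sport != 443 is attributed to the custom management port.
    """
    status = json.loads(status_json)
    last = status.get("last", {})
    detail = last.get("detail", "")
    if status.get("errors", 0) == 0 and last.get("status") == 0:
        return "renewed", detail
    if CHALLENGE_INVALID.search(detail):
        if admin_sport != 443:
            return "challenge-failed", f"admin-sport is {admin_sport}; the CA validates on TCP 443"
        return "challenge-failed", detail
    if status.get("errors", 0) > 0:
        return "other-error", detail
    return "pending", last.get("activity", "")
```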

 

To resolve the issue:

Temporarily change the management port to 443:

config system global
    set admin-sport 443
end


Note:

Port 443 may conflict with the IKE TCP port. IKE takes precedence over HTTPS, so the GUI becomes unreachable on that interface. To avoid this, temporarily change the IKE TCP port as well.

config system settings
    set ike-tcp-port <integer> <----- Assign a random unused port.
end

 

Retry the certificate renewal process:

diagnose sys acme regenerate-client-config
diagnose sys acme restart

diagnose sys acme status-full vpn.example.com

{
  "name": "vpn.example.com",
  "finished": true,
  "notified": false,
  "next-run": "Sat, 25 Oct 2025 20:51:14 GMT",
  "last-run": "Sat, 25 Oct 2025 06:00:37 GMT",
  "valid-from": "Sat, 25 Oct 2023 21:51:14 GMT",
  "errors": 0,
  "last": {
    "status": 0,
    "detail": "The certificate for the managed domain has been renewed successfully and can be used from Sat, 25 Oct 2023 21:51:14 GMT on.",
    "valid-from": "Sat, 25 Oct 2023 21:51:14 GMT"
  }
}

 

After a successful renewal, revert the management port to the preferred custom port (e.g., 4443) and restore the IKE TCP port.

config system global
    set admin-sport 4443
end

config system settings
    set ike-tcp-port 443
end

 

To automate this for every ACME renewal, configure an automation stitch as follows.

 

config system automation-trigger
    edit "Cert-Update-Failed"
        set event-type event-log
        set logid 41990
        config fields
            edit 1
                set name "Reason"
                set value "acme"
            next
        end
    next
    edit "Cert-Updated-Success"
        set event-type event-log
        set logid 41987
        config fields
            edit 1
                set name "Reason"
                set value "acme"
            next
        end
    next
end

 

config system automation-action
    edit "Temp-Port-Change"
        set action-type cli-script
        set script "config system global
        set admin-sport 443
        end
        config system settings
        set ike-tcp-port 4443
        end
        diagnose sys acme regenerate-client-config
        diagnose sys acme restart"
        set accprofile "super_admin"
    next
    edit "Revert-Port-Change"
        set action-type cli-script
        set script "config system global
        set admin-sport 4443
        end
        config system settings
        set ike-tcp-port 443
        end"
        set accprofile "super_admin"
    next
end

 

config system automation-stitch
    edit "ACME-CERT-Renewal"
        set trigger "Cert-Update-Failed"
        config actions
            edit 1
                set action "Temp-Port-Change"
                set required enable
            next
        end
    next
    edit "ACME-CERT-Updated"
        set trigger "Cert-Updated-Success"
        config actions
            edit 1
                set action "Revert-Port-Change"
                set required enable
            next
        end
    next
end

 

Note:

Replace the custom port in the scripts above with the preferred port. In this example, port 4443 is used.

 

Related documents:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew

Technical Tip: Change the port for the admin access to the firewall

GUI warnings for IKE-TCP port conflicts
