Description | This article describes how to fix an issue where renewing a Let's Encrypt certificate fails because it cannot reach the server. |
Scope | Any supported version of FortiOS. |
Solution |
This issue occurs when the Let's Encrypt enrollment server cannot be reached.
First, verify connectivity to the enrollment server with the following CLI command:
# execute ping acme-v02.api.letsencrypt.org
If the error 'Timeout during connect (likely firewall problem)' occurs during debugging, an incorrect interface may have been selected - particularly one which is not active in the routing table, or one which has had its Source IP is configured but cannot be routed to the internet.
# config system acme set interface wan2 <-------- If wan1 is selected but is not active, change it to wan2 end
Additionally, verify the source-ip. It can be 0.0.0.0:
# config system acme set source-ip 0.0.0.0 end
Try restarting ACME with the following command:
# diagnose sys acme restart
If none of these steps resolve the issue, see the following links for help with troubleshooting ACME Let's Encrypt renewal issues: |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2023 Fortinet, Inc. All Rights Reserved.