FortiGate
Article Id 250833
Description This article describes how to fix an issue where renewing a Let's Encrypt certificate fails because the FortiGate cannot reach the Let's Encrypt server.
Scope FortiGate.
Solution

This issue occurs when the FortiGate cannot reach the Let's Encrypt enrollment (ACME) server (see ACME certificate support).

Verify connectivity to the enrollment server with the following CLI command:

execute ping acme-v02.api.letsencrypt.org

[Image: Let'sencypt.png]

If the error 'Timeout during connect (likely firewall problem)' appears in the debug output, the wrong interface may be selected in the ACME settings: for example, an interface that is not active in the routing table, or one whose source IP has been configured but cannot be routed to the internet.

config system acme

    set interface wan2 <-------- If wan1 is selected but is not active, change it to wan2.

end

Additionally, verify the source-ip setting. It can be left at 0.0.0.0:

config system acme

    set source-ip 0.0.0.0 

end


Also, make sure HTTP and HTTPS are enabled on the WAN interface used in the ACME setting (both can be disabled again once the renewal has completed):

[Image: ACME.png]
Furthermore, check the local-in policy and make sure HTTP and HTTPS are not being denied; the certificate cannot be issued or renewed otherwise. If the FortiGate is not reachable on ports 80 or 443, the renewal fails with the timeout errors described above.

Reachability of the FortiGate ACME service on these ports can be validated from another device.

For example, from an external server, it is possible to test with 'telnet' or 'curl' commands:

TELNET:

user@server:~$ telnet vpn.domain.net 80
user@server:~$ telnet vpn.domain.net 443

Output indicating that the TCP connection has been established:

user@server:~$ telnet vpn.domain.net 80
Trying 12.34.56.78.
Connected to vpn.domain.net
Escape character is '^]'.


CURL:

user@server:~$ curl http://vpn.domain.net
user@server:~$ curl https://vpn.domain.net

The following output shows that the ACME service is reachable on the FortiGate:

user@server:~$ curl http://vpn.domain.net
<!DOCTYPE html><html><head><title>ACME Access Only</title></head><body>ACME Access Only</body></html>

If the ports are not reachable, trace the connection upstream to find what is blocking access to the FortiGate on these ports.
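The telnet and curl checks above can be scripted so the same test is repeatable from an external server. The following Python script is an added example for this article, not Fortinet code and not part of FortiOS: it classifies a TCP connect to ports 80 and 443 as open, refused, timed out or unreachable (the timeout case is the 'likely firewall problem' described above, the refused case typically means HTTP/HTTPS is not enabled on the interface), then fetches the HTTP page and looks for the 'ACME Access Only' body the article shows. The hostnames, ports and the embedded stand-in responder, which serves that sample body on 127.0.0.1, are constructed assumptions so the script runs offline; point diagnose() at the FortiGate's public hostname to use it for real.

```python
# Added example for this article, not FortiOS code: external reachability check for the
# FortiGate ACME responder on TCP 80/443, scripting the telnet/curl tests described above.
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Body marker the article shows when the FortiGate ACME responder answers on port 80.
ACME_MARKER = "ACME Access Only"


def check_tcp(host, port, timeout=3.0):
    """Classify a TCP connect attempt as 'open', 'refused', 'timeout' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"       # packets dropped: upstream firewall, local-in or Geo policy
    except ConnectionRefusedError:
        return "refused"       # host answers but nothing listens: HTTP/HTTPS not enabled
    except OSError:
        return "unreachable"   # no route to host or name resolution failure


def check_acme_responder(url, timeout=5.0):
    """Return True when the HTTP body at url carries the ACME responder marker."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return False
    return ACME_MARKER in body


def diagnose(host, http_port=80, https_port=443):
    """Run the port checks and, if port 80 is open, confirm the ACME responder answers."""
    findings = {
        "http_tcp": check_tcp(host, http_port),
        "https_tcp": check_tcp(host, https_port),
    }
    findings["acme_responder"] = (
        findings["http_tcp"] == "open"
        and check_acme_responder(f"http://{host}:{http_port}/")
    )
    return findings


class _FakeAcmeHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the FortiGate responder; serves the article's sample body."""

    def do_GET(self):
        body = (f"<!DOCTYPE html><html><head><title>{ACME_MARKER}</title></head>"
                f"<body>{ACME_MARKER}</body></html>").encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_fake_responder():
    """Start the stand-in on 127.0.0.1 on a free port and return (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeAcmeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_closed_port():
    """Reserve and release a loopback port so that connecting to it is refused."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    # Offline demonstration against the stand-in; replace with diagnose("vpn.domain.net")
    # to test a real FortiGate from an external server.
    server, port = start_fake_responder()
    print(diagnose("127.0.0.1", http_port=port, https_port=free_closed_port()))
    server.shutdown()
```

A 'timeout' on both ports from outside while the FortiGate itself can ping the Let's Encrypt server points at the inbound path (local-in policy, Geo restriction or an upstream device), which is the situation the rest of this article walks through.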

Then try restarting the ACME daemon with the following command:

diagnose sys acme restart

In addition, review the local-in policy and check whether a Geo policy is blocking traffic to the FortiGate. In some cases, traffic is restricted to IP addresses from the USA only.

However, Let's Encrypt is not limited to the USA; it has servers located across Europe and other regions worldwide.

Therefore, create a temporary policy that allows all traffic, then force the certificate renewal.

In FortiOS 7.2 and older, force the renewal with:

diagnose sys acme regenerate-client-config
diagnose sys acme restart

In FortiOS 7.4, the command is:

diagnose sys acme purge-archive

After 2-3 minutes, confirm the certificate status:

get vpn certificate local details <Local certificate name>

diagnose sys acme status-full <Certificate's CN domain>

Note: The maximum number of attempts to create an ACME certificate is 5. Once that limit is reached, the next attempt is made after one hour.

If none of these steps resolves the issue, see the following articles for further help with troubleshooting ACME Let's Encrypt renewal issues:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew

Technical Tip: Expiring Let’s Encrypt Certificates

Troubleshooting Tip: Let’s Encrypt certificate fails to renew due to 'remote error: tls: no applicat...