Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sashish
Staff
Staff

Created on ‎03-30-2023 02:56 AM Edited on ‎10-23-2024 02:25 AM By Moderator

Article Id 250833

Troubleshooting Tip: Let's Encrypt certificate renewal fails with 'timeout during connect (likely firewall problem)' error

Description This article describes how to fix an issue where renewing a Let's Encrypt certificate fails because it cannot reach the server.
Scope Any supported version of FortiOS.
Solution

This issue occurs when the Let's Encrypt enrollment server cannot be reached (see ACME-certificate-support).

 

Verify connectivity to the enrollment server with the following CLI command:

 

execute ping acme-v02.api.letsencrypt.org 

 

Let'sencypt.png

 

 

If the error 'Timeout during connect (likely firewall problem)' occurs during debugging, an incorrect interface may have been selected. Particularly one which is not active in the routing table, or one which has had its Source IP configured but cannot be routed to the internet. 

 

config system acme

    set interface wan2 <-------- If wan1 is selected but is not active, change it to wan2.

end  

 

Additionally, verify the source-ip. It can be 0.0.0.0:

 

config system acme

    set source-ip 0.0.0.0 

end

 

Furthermore,  check the local-in policy and make sure the HTTPS and HTTP are not being denied. This is important for the certificate to be issued or renewed. If the FortiGate is not reachable on ports 80 or 443, it will be possible to see the timeout renewal failures.

 

It is possible to validate that the FortiGate/ACME service is reachable on these ports from another device.

For example, from an external server, it is possible to test with 'telnet' or 'curl' commands:

TELNET:

 

user@server:~$ telnet vpn.domain.net 80
user@server:~$ telnet vpn.domain.net 443

 

Output indicating the TCP connection has been established:

 

user@server:~$ telnet vpn.domain.net 80
Trying 12.34.56.78.
Connected to vpn.domain.net
Escape character is '^]'.


CURL:

 

user@server:~$ curl http://vpn.domain.net
user@server:~$ curl https://vpn.domain.net

 

Output showing the acme service is reachable on the FortiGate:

 

user@server:~$ curl http://vpn.domain.net
<!DOCTYPE html><html><head><title>ACME Access Only</title></head><body>ACME Access Only</body></html>w

 

If the ports do not show as reachable, it is recommended to trace the connection upstream to see what is preventing access to the FortiGate on these ports.

 

Try restarting ACME with the following command:

 

diagnose sys acme restart 

 

If none of these steps resolve the issue, see the following links for help with troubleshooting ACME Let's Encrypt renewal issues:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew

Technical Tip: Expiring Let’s Encrypt Certificates
6701
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.