FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 250833
Description This article describes how to fix an issue where renewing a Let's Encrypt certificate fails because it cannot reach the server.
Scope Any supported version of FortiOS.

This issue occurs when the Let's Encrypt enrollment server cannot be reached.


Verify connectivity to the enrollment server with the following CLI command:


execute ping 





If the error 'Timeout during connect (likely firewall problem)' occurs during debugging, an incorrect interface may have been selected - particularly one which is not active in the routing table, or one which has had its Source IP is configured but cannot be routed to the internet. 


config system acme

set interface wan2 <-------- If wan1 is selected but is not active, change it to wan2



Additionally, verify the source-ip. It can be


config system acme

set source-ip 



Furthermore,  check the local-in policy and make sure the HTTPS and HTTP are not being denied.


Try restarting ACME with the following command:


diagnose sys acme restart 


If none of these steps resolve the issue, see the following links for help with troubleshooting ACME Let's Encrypt renewal issues:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew

Technical Tip: Expiring Let’s Encrypt Certificates