FortiGate
sashish
Staff
Article Id 250833
Description This article describes how to fix an issue where renewing a Let's Encrypt certificate fails because the FortiGate cannot reach the Let's Encrypt (ACME) enrollment server.
Scope Any supported version of FortiOS.
Solution

This issue occurs when the Let's Encrypt enrollment server cannot be reached.

 

Verify connectivity to the enrollment server with the following CLI command. A successful ping confirms that the name resolves and that the host is reachable, but the ACME client talks to the server over HTTPS (TCP 443), so a renewal can still fail after a successful ping if port 443 is filtered on the path:

 

execute ping acme-v02.api.letsencrypt.org

 


 

 

If the ACME debug output shows the error 'Timeout during connect (likely firewall problem)', the wrong interface is probably selected in the ACME settings: typically an interface that does not hold an active route in the routing table, or one whose configured source IP cannot be routed to the internet. Change the interface to the one that carries the active default route:

 

config system acme

set interface wan2 <-------- If wan1 is selected but is not active, change it to the interface with the active route (wan2 in this example)

end

 

Additionally, verify the source-ip. Leaving it at 0.0.0.0 lets the FortiGate use the address of the interface it selects to reach the ACME server, which avoids a mismatch between a hard-coded source IP and the selected interface:

 

config system acme

set source-ip 0.0.0.0

end

 

Furthermore, check the local-in policies on the selected interface and make sure HTTP and HTTPS are not being denied. Let's Encrypt validates ownership of the certificate name by connecting back to the FortiGate over HTTP (TCP 80) during the HTTP-01 challenge, so a local-in policy that denies HTTP on that interface also breaks renewal even when the FortiGate itself can reach the ACME server.

 

Try restarting ACME with the following command:

 

diagnose sys acme restart 
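The checks above collected into one worked CLI session, added here as an example and not taken from the original article. The interface names wan1/wan2 and the routing-table output are assumed; the lines starting with '#' are annotations for the reader, not FortiOS commands. 'execute telnet <host> <port>' and 'diagnose debug application acme -1' are standard FortiOS CLI commands that this page does not show, and the exact debug output varies between FortiOS versions.

```fortios
# 1. Find which interface actually holds the active default route
#    (assumed output shown: the default route is on wan2, not wan1).
get router info routing-table all
#   S*   0.0.0.0/0 [10/0] via 203.0.113.1, wan2

# 2. Confirm that the ACME endpoint resolves and is reachable.
execute ping acme-v02.api.letsencrypt.org
#    Ping only proves ICMP; the ACME client uses HTTPS, so also test a TCP
#    connection to port 443 from the FortiGate (assumes 'execute telnet' is
#    available on this build; a connect banner or blank session means success).
execute telnet acme-v02.api.letsencrypt.org 443

# 3. Point ACME at the interface with the working route and let the
#    source IP follow that interface instead of a hard-coded address.
config system acme
    set interface wan2
    set source-ip 0.0.0.0
end

# 4. Make sure no local-in policy denies HTTP or HTTPS on wan2.
#    Let's Encrypt's HTTP-01 validation connects back to the FortiGate on TCP 80.
show firewall local-in-policy

# 5. Restart the ACME client with debugging on and watch the renewal attempt.
diagnose debug application acme -1
diagnose debug enable
diagnose sys acme restart
#    'Timeout during connect (likely firewall problem)' in this output means the
#    selected interface/source IP, or a device on the path, still blocks the connection.
diagnose debug disable
diagnose debug reset
```

Run the steps in order: if step 1 shows the default route on a different interface than the one in 'config system acme', fixing the interface (step 3) usually resolves the timeout on its own, and the debug output in step 5 confirms whether the next renewal attempt reaches the server.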

 

If none of these steps resolve the issue, see the following links for help with troubleshooting ACME Let's Encrypt renewal issues:

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew

Technical Tip: Expiring Let’s Encrypt Certificates