FortiGate
srajapratap
Staff
Article Id 239304
Description

This article describes how to use commands to gain necessary debug logs to troubleshoot the 'Timeout during connect' error when renewing the LetsEncrypt certificate using the ACME protocol.

Scope

FortiGate, FortiOS 7.0.0 and above.
Solution

The following command fetches the full ACME status log for a given CN domain. When the FortiGate is unable to complete the exchange with the LetsEncrypt servers, it shows an error like the one below:

diag sys acme status-full connect.myorganization.com

Error (<Public_IP>: Fetching http://connect.myorganization.com/.well-known/acme-challenge/<hash>: Timeout during connect (likely firewall problem)) on Thu Nov 24 20:45:12 2022 (UTC)

 

Below is the associated ACME and certificate configuration (the account ID, passwords, keys and certificate are replaced by placeholders):

config system acme
    set store-passphrase ENC ####Hashed Password####
    config accounts
        edit "<account_id>"
            set url "https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxx"
            set ca_url "https://acme-v02.api.letsencrypt.org/directory"
            set email "itops@myorganization.com"
            set privatekey "-----BEGIN ENCRYPTED PRIVATE KEY----- ####Hashed Private Key#### -----END ENCRYPTED PRIVATE KEY-----"
        next
    end
end

 

config vpn certificate local

    edit "Connect"

        set password ENC ####Hashed Password#####

        set comments " "

        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- ####Hashed Private Key##### -----END ENCRYPTED PRIVATE KEY-----"

        set certificate "-----BEGIN CERTIFICATE-----

####Hashed Certificate#####

-----END CERTIFICATE-----"

        set range global

        set enroll-protocol acme2

        set acme-domain "connect.myorganization.com"

        set acme-email "itops@myorganization.com"

    next

end

 

Below are the sequential steps to troubleshoot this connect issue:

 

Make sure that the interface through which the FortiGate reaches the LetsEncrypt servers is set in the ACME configuration:

 

config system acme
    set interface "port1"
end

 

Confirm that the FortiGate can reach the internet, and specifically the LetsEncrypt servers, using ping:

 

execute ping acme-v02.api.letsencrypt.org

 

Make sure the DNS configuration of the FortiGate is correct, the DNS servers are reachable, and the DNS queries initiated by the FortiGate are getting resolved.

 

Confirm the enrollment status of the certificate using the following command:

 

get vpn certificate local details 'Connect'

 

Check the status of the ACME communication between the FortiGate and the LetsEncrypt servers using the following command:

 

diagnose sys acme status-full connect.myorganization.com

 

Ensure that SSL-VPN https-redirect is disabled and that the SSL-VPN listening port does not conflict with ports 80 and 443, which ACME uses:

config vpn ssl settings
    set https-redirect disable
    set port 8443
end

 

Restart the ACME service using the following command. This manually triggers the certificate verification with the LetsEncrypt servers again so that the certificate can be validated.

 

diagnose sys acme restart
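The checks in the steps above can be automated when many FortiGates are audited from a workstation. The script below is an added example and is not Fortinet code: it parses the error line printed by `diagnose sys acme status-full` (the constructed sample mirrors the format shown earlier, with a documentation IP address) and then inspects a saved FortiOS configuration fragment for the three settings the steps call out (ACME interface set, SSL-VPN https-redirect disabled, SSL-VPN port not 80 or 443). The configuration fragments are constructed, the section parser only handles flat `config ... end` blocks, and the default SSL-VPN port of 443 is assumed when `set port` is absent.

```python
"""Offline helpers for the ACME 'Timeout during connect' troubleshooting steps.

Added example (not Fortinet code). All sample data below is constructed.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the status-full error line shown above.
SAMPLE_STATUS = (
    "Error (198.51.100.10: Fetching http://connect.myorganization.com"
    "/.well-known/acme-challenge/abc123: Timeout during connect "
    "(likely firewall problem)) on Thu Nov 24 20:45:12 2022 (UTC)"
)

# Constructed config fragments: the weak settings and the corrected ones.
WEAK_CONFIG = """
config system acme
    set store-passphrase ENC xxx
end
config vpn ssl settings
    set https-redirect enable
    set port 443
end
"""

FIXED_CONFIG = """
config system acme
    set interface "port1"
    set store-passphrase ENC xxx
end
config vpn ssl settings
    set https-redirect disable
    set port 8443
end
"""

# Error (<ip>: Fetching <url>: <reason>) on <timestamp> (UTC)
STATUS_RE = re.compile(
    r"Error \((?P<ip>[^:]+): Fetching (?P<url>\S+): (?P<reason>.+?)\) "
    r"on (?P<when>.+?) \(UTC\)"
)

# One flat 'config <name> ... end' block; nested tables are not handled.
SECTION_RE = re.compile(r"^config (?P<name>[^\n]+)\n(?P<body>.*?)^end\s*$", re.M | re.S)


def parse_acme_error(line):
    """Return ip, challenge url, reason and UTC timestamp from a status-full error line, or None."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["when"] = datetime.strptime(d["when"], "%a %b %d %H:%M:%S %Y")
    return d


def classify_reason(reason):
    """Map the reason text to a coarse cause a responder can act on."""
    if "timeout during connect" in reason.lower():
        # The CA could not open the HTTP-01 challenge URL on the public IP:
        # the inbound path to port 80 is blocked or routed elsewhere.
        return "challenge_unreachable"
    return "other"


def parse_sections(config_text):
    """Map each flat section name ('vpn ssl settings') to its 'set' key/values."""
    sections = {}
    for m in SECTION_RE.finditer(config_text):
        settings = {}
        for key, value in re.findall(r"^\s*set (\S+) (.+)$", m.group("body"), re.M):
            settings[key] = value.strip().strip('"')
        sections[m.group("name").strip()] = settings
    return sections


def check_acme_preconditions(config_text):
    """Return findings for the settings the troubleshooting steps check."""
    sections = parse_sections(config_text)
    acme = sections.get("system acme", {})
    ssl = sections.get("vpn ssl settings", {})
    findings = []
    if not acme.get("interface"):
        findings.append("system acme: no interface set for reaching the ACME servers")
    if ssl.get("https-redirect", "disable") == "enable":
        findings.append("vpn ssl settings: https-redirect enabled, it captures port 80 "
                        "needed by the HTTP-01 challenge")
    port = int(ssl.get("port", 443))  # assumed FortiOS default when absent
    if port in (80, 443):
        findings.append(f"vpn ssl settings: SSL-VPN listens on {port}, which ACME needs")
    return findings


if __name__ == "__main__":
    err = parse_acme_error(SAMPLE_STATUS)
    print(f"{err['when']:%Y-%m-%d %H:%M}Z {err['ip']} -> {classify_reason(err['reason'])}")
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_acme_preconditions(cfg) or ["no findings"])
```

Run it against a `show full-configuration` export instead of the constructed fragments; the weak fragment yields three findings and the corrected one yields none.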

 

If the error still appears after all the steps above and SD-WAN is in use, check that the WAN interface that should receive the update from the ACME servers has a lower priority value than the others. ACME ignores the SD-WAN rules; which WAN interface it uses is controlled only by the priority of the WAN interfaces.

 

If the ACME certificate has already expired, auto-renewal will not work. It will be necessary to re-enroll the certificate.

 

Related documents:

ACME certificate support - FortiGate 7.0.0 new features

Troubleshooting Tip: 'Let's Encrypt' SSL troubleshooting