FortiWeb
kmak
Staff
Article Id 227116
Description This article describes how to troubleshoot 'Let’s Encrypt'.
Scope FortiWeb version 7.0 and later.
Solution

Enable the 'Let’s Encrypt' debug commands.

Use the following diagnose commands to identify 'Let’s Encrypt' issues.

These commands enable debugging of Let’s Encrypt with the highest debug level of 7.

diagnose debug application acmed 7
diagnose debug enable

 

The CLI may not display any debug output messages at first.

Triggering the 'Let’s Encrypt Issue' action initiates the debug output.

# (acme_msg_process : 143)recv msg, msg type: 0
(acme_cert_valid_and_issue : 1558)acme: renewal period 30
(acme_cert_valid_and_issue : 1559)acme: domain name testing02.ft-dev.site
(acme_cert_valid_and_issue : 1560)acme: domain size 0
(acme_cert_valid_and_issue : 1561)acme: name testing02.ft-dev.site
(key_load : 963)loading key from /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(key_load : 983)/etc/acme/private/testing02.ft-dev.site/key.pem.tmp not found
(key_gen : 870)generating new 2048-bit RSA key
(key_gen : 934)key saved to /etc/acme/private/testing02.ft-dev.site/key.pem.tmp
(acme_cert_valid_and_issue : 1640)checking existence and expiration of /etc/acme/testing02.ft-dev.site/cert.pem
(cert_load : 1282)/etc/acme/testing02.ft-dev.site/cert.pem does not exist
(cert_issue : 1300)creating new order for testing02.ft-dev.site at https://acme-v02.api.letsencrypt.org/acme/new-order

 

 

To disable debugging:

diagnose debug reset
diagnose debug disable

 

Common debug outputs containing the 'Let’s Encrypt' validation response:

The hostname does not resolve in DNS.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ",
"token": "RzsSDrDFjf0nKNgfuGAmSuIohYdc1I-rKgh9i4tMUCk",
"validated": "2022-10-19T03:44:25Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:dns, detail = DNS problem: NXDOMAIN looking up A for testing02.ft-dev.site - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for testing02.ft-dev.site - check that a DNS record exists for this domain
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166188661986/XGIUPQ failed with status invalid

 

The hostname's DNS record possibly points to the wrong address.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ",
"token": "ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"1.2.3.4"
],
"addressUsed": "1.2.3.4"
}
],
"validated": "2022-10-19T03:52:21Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:connection, detail = 1.2.3.4: Fetching http://testing02.ft-dev.site/.well-known/acme-challenge/ef3bjXjlG8qCowQQQ8DSpqBLKskyCI4WvWf-TSRmQDM: Timeout during connect (likely firewall problem)
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166190614196/VPLZMQ failed with status invalid

 

The policy possibly has HTTP-to-HTTPS redirection enabled.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_...: 503",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw",
"token": "OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_AdiY",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
},
{
"url": "https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_...",
"hostname": "testing02.ft-dev.site",
"port": "443",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:57:51Z"
}
(acme_log_err_event_process_inner_json : 583)acme_log_err_event_process_inner_json: type = urn:ietf:params:acme:error:unauthorized, detail = 123.123.123.123: Invalid response from https://testing02.ft-dev.site:443/.well-known/acme-challenge/OiG3iBgsv8aZ5FX3Nxnc0uLbI2Q8BqWIPzuKex_...: 503
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1025)challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192102376/x1UyUw failed with status invalid

 

 

'Let’s Encrypt' validated successfully and the certificate is being issued.

(acme_post : 737)acme_post: HTTP body:
{
"type": "http-01",
"status": "valid",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/166192382666/rGdUAw",
"token": "DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"validationRecord": [
{
"url": "http://testing02.ft-dev.site/.well-known/acme-challenge/DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw",
"hostname": "testing02.ft-dev.site",
"port": "80",
"addressesResolved": [
"123.123.123.123"
],
"addressUsed": "123.123.123.123"
}
],
"validated": "2022-10-19T03:59:03Z"
}
(acme_post : 742)acme_post: return code 200, json=
(authorize : 1039)running /etc/acme/acme.sh done http-01 testing02.ft-dev.site DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw DojvfvBnrETFRZiMEpuMHw6mSHcHzJKP1ZzVYnp1UDw.YuDQoq9bUCyLuTf6l62dWbeU0GhGiw56oIv417dFplE
(cert_issue : 1333)polling order status at https://acme-v02.api.letsencrypt.org/acme/order/691661577/135897030346
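
The following Python script is an added example, not part of the original article or of FortiWeb: it pulls the challenge JSON objects out of saved acmed debug output and maps each one to the cases shown above. The function names, result labels and the SAMPLE text are assumptions constructed for illustration.

```python
import json

MARKER = "acme_post: HTTP body:"

def extract_bodies(log_text):
    """Return every JSON object that follows an 'acme_post: HTTP body:' line."""
    decoder = json.JSONDecoder()
    bodies, pos = [], 0
    while (pos := log_text.find(MARKER, pos)) != -1:
        start = log_text.find("{", pos)
        if start == -1:
            break
        try:
            obj, end = decoder.raw_decode(log_text, start)
        except json.JSONDecodeError:
            pos = start + 1  # truncated capture: skip this body
            continue
        bodies.append(obj)
        pos = end
    return bodies

def diagnose(body):
    """Map one challenge object to the cases listed in this article."""
    if body.get("status") == "valid":
        return "valid"
    err = body.get("error", {}).get("type", "").rsplit(":", 1)[-1]
    ports = [r.get("port") for r in body.get("validationRecord", [])]
    if err == "dns":
        return "dns-unresolved"
    if err == "connection":  # "Timeout during connect" in the article's output
        return "wrong-dns-target"
    if err == "unauthorized" and ports[:1] == ["80"] and "443" in ports[1:]:
        return "http-to-https-redirect"  # validation followed 80 -> 443
    return "other:" + (err or "unknown")

def summarize(log_text):
    return [diagnose(b) for b in extract_bodies(log_text)]

# Constructed sample, reduced to the fields the checks read.
SAMPLE = '''(acme_post : 737)acme_post: HTTP body:
{"status": "invalid", "error": {"type": "urn:ietf:params:acme:error:dns"}}
(acme_post : 737)acme_post: HTTP body:
{"status": "invalid", "error": {"type": "urn:ietf:params:acme:error:unauthorized"},
 "validationRecord": [{"port": "80"}, {"port": "443"}]}
(acme_post : 737)acme_post: HTTP body:
{"status": "valid", "validationRecord": [{"port": "80"}]}
'''

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
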