Flanger
New Contributor II

ACME renewed certificate is deployed only after 24 hours.

Hello everyone,

I observe strange behavior with the ACME client. I use it to generate a certificate for the firewall's web management, running on the default HTTP/HTTPS ports (not using any form of SSLVPN). When the Let's Encrypt certificate successfully renews, it still remains in staging for some time (maybe a day or more) and only then is deployed to the firewall's management web server. Meanwhile the previous certificate is still in use.

Why is this happening? Is this by design?

fw # get vpn certificate local details LTSNCR
== [ LTSNCR ]
        Name:        LTSNCR
        Subject:     CN = example.com
        Issuer:      C = US, O = Let's Encrypt, CN = R10
        Valid from:  2024-06-20 08:02:07  GMT
        Valid to:    2024-09-18 08:02:06  GMT
        Fingerprint: 7E:16:DE:13:E0:35:DC:52:F0:A4:DE:B8:CB:56:17:88
        Serial Num:  36:00:5a:3e:a6:1d:15:13:6c:e3:14:03:92:06:58:00:ec:9d
ACME details:
        Status: The certificate for the managed domain has been renewed successfully and can be used (valid since Thu, 20 Jun 2024 08:02:07 GMT).
        Staging status: The certificate for the managed domain has been renewed successfully and can be used from Thu, 05 Sep 2024 07:38:25 GMT on.

The new certificate was manually generated on 4 Sep at 08:44 GMT, but as you can see in the staging status it is still being held in staging and will only be applied on 5 Sep at 07:38 GMT, almost 24 hours later. So why is this delay needed? With Certbot, any newly generated certificate is deployed instantly.
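An added example (not from the original post or from Fortinet) that parses the `get vpn certificate local details` output quoted above, computes how long the renewed certificate waits in staging, and checks that the active certificate does not expire before the staged one is allowed to take over. The renewal time of 4 Sep 08:44 GMT is taken from the post; the sample text and all function names are constructed for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the `get vpn certificate local details` output quoted in
# the post (values exactly as shown there; nothing real is queried).
SAMPLE_OUTPUT = """== [ LTSNCR ]
        Name:        LTSNCR
        Subject:     CN = example.com
        Issuer:      C = US, O = Let's Encrypt, CN = R10
        Valid from:  2024-06-20 08:02:07  GMT
        Valid to:    2024-09-18 08:02:06  GMT
ACME details:
        Status: The certificate for the managed domain has been renewed successfully and can be used (valid since Thu, 20 Jun 2024 08:02:07 GMT).
        Staging status: The certificate for the managed domain has been renewed successfully and can be used from Thu, 05 Sep 2024 07:38:25 GMT on.
"""
# Renewal time as stated in the post (4 Sep 08:44 GMT); minute precision is all the post gives.
RENEWED_AT = datetime(2024, 9, 4, 8, 44, tzinfo=timezone.utc)

def _cli_ts(s):
    # "2024-06-20 08:02:07  GMT" (variable spacing) -> aware UTC datetime
    return datetime.strptime(" ".join(s.split()), "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def _rfc_ts(s):
    # "Thu, 05 Sep 2024 07:38:25 GMT" -> aware UTC datetime
    return datetime.strptime(s.strip(), "%a, %d %b %Y %H:%M:%S GMT").replace(tzinfo=timezone.utc)

def parse_acme_cert(text):
    """Return the active cert's validity window plus the staged cert's activation time."""
    def field(label):
        m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None
    staged = re.search(r"can be used from (.+? GMT) on", text)
    return {
        "name": field("Name"),
        "valid_from": _cli_ts(field("Valid from")),
        "valid_to": _cli_ts(field("Valid to")),
        "staged_usable_from": _rfc_ts(staged.group(1)) if staged else None,
    }

def staging_delay(details, renewed_at):
    """Seconds between the renewal and the moment the staged cert may be served."""
    return int((details["staged_usable_from"] - renewed_at).total_seconds())

def coverage_gap(details):
    """True when the active cert expires before the staged one is allowed to take over."""
    staged = details["staged_usable_from"]
    return staged is not None and staged > details["valid_to"]

if __name__ == "__main__":
    d = parse_acme_cert(SAMPLE_OUTPUT)
    print(f"{d['name']}: staged cert usable in {staging_delay(d, RENEWED_AT) / 3600:.2f} h, coverage gap: {coverage_gap(d)}")
```

Run against the real CLI output, a `True` from `coverage_gap` means the renewal was left so late that the management interface would serve an expired certificate until the staged one activates.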

adambomb1219
SuperUser

Why use Let's Encrypt at all? Why not buy a longer-term certificate from a public PKI?

Flanger
New Contributor II

Why not, if it's readily available and free? I can't see how this suggestion is on topic.

There is a system in place which has been developed, passed the tests, etc. before shipping. So naturally I wonder why it is behaving in this particular way. Maybe there is some additional configuration available that is lacking on my end.
