nopethanks
New Contributor II

Generating ACME SSL cert always fails with "Timeout during connect (likely firewall problem)"

Hi there,

I'm trying to generate an ACME cert on my FortiGate, just as I've done on my EMS server, but it always fails with a "Timeout during connect (likely firewall problem)" error:

[screenshot: Screenshot 2025-02-05 at 10.50.00.png]

Port 80 is wide open to the world and you can see the traffic coming in when running a diag sniffer. From me running a curl against http://vpn.<mydomain>.com:

[screenshot: Screenshot 2025-02-05 at 10.53.59.png]

I'm at a loss. Does anyone have any ideas or suggestions?

Thanks!

2 Solutions
AEK
SuperUser

Hi

Check here how the challenge is done.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Acme-on-the-FortiGate-causes-Security-Comp...

Maybe the ACME server is not able to perform the challenge, probably because your 443 port is closed (TLS-ALPN-01 on 443 is the default for challenge).

AEK

nopethanks
New Contributor II

If anyone has the same issue later, I've got my HTTPS port set to something other than 443 which enabled me to set the HTTP port to 443 which then was able to communicate with Let's Encrypt. I have "Redirect to HTTPS" enabled to the actual HTTPS port which is blocked from public access.

I think the way the EMS server has this implemented is the right way but at least this config seems to work.

Thanks again!
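To check the two points raised in this thread (AEK's note that the validator connects to 443 for TLS-ALPN-01, and the workaround of putting the HTTP port on 443), here is a small reachability probe I added; it is not from the thread or from Fortinet. It does what a TLS-ALPN-01 validator does first: TCP-connect to the port and offer only the acme-tls/1 ALPN id, then report a timeout (firewall), a refusal (nothing listening), or a TLS answer that does not pick acme-tls/1 (a normal HTTPS service is on the port instead of the ACME responder). The function names and the unused_local_port helper are my own.

```python
import socket
import ssl

# ALPN protocol identifier that a TLS-ALPN-01 validator offers (RFC 8737).
ACME_ALPN = "acme-tls/1"


def classify_error(exc: BaseException) -> str:
    """Map a failed connection attempt to the kind of message the ACME server shows."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout during connect (likely firewall problem)"
    if isinstance(exc, ConnectionRefusedError):
        return "connection refused (host reachable but nothing listening on the port)"
    if isinstance(exc, ssl.SSLError):
        # A server with ALPN configured but no acme-tls/1 may abort the handshake here.
        return f"tls handshake failed: {exc}"
    if isinstance(exc, OSError):
        return f"network error: {exc}"
    return f"unexpected error: {exc!r}"


def check_tls_alpn_port(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TCP-connect to host:port and run a TLS handshake offering only acme-tls/1.

    Certificate checks are off on purpose: the challenge certificate is
    self-signed and the only question is whether the port answers and which
    ALPN protocol the server selects."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols([ACME_ALPN])
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                alpn = tls.selected_alpn_protocol()
    except Exception as exc:  # socket and ssl errors are all OSError subclasses
        return {"reachable": False, "alpn": None, "detail": classify_error(exc)}
    if alpn == ACME_ALPN:
        detail = "acme-tls/1 negotiated: the ACME challenge responder is answering"
    else:
        detail = (f"TLS answered but ALPN was {alpn!r}, not {ACME_ALPN}: "
                  "an ordinary HTTPS service is on this port, not the ACME responder")
    return {"reachable": True, "alpn": alpn, "detail": detail}


def unused_local_port() -> int:
    """Helper for a local self-test: a loopback port with nothing listening."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run `check_tls_alpn_port("vpn.<mydomain>.com", 443)` from a host outside your own network, since a timeout seen from outside is the same picture the ACME server gets; a result from inside the LAN says nothing about the public firewall.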
