Revoking TLS-ALPN certificates with HA not working correctly
Hello everyone,
I wanted to share an odd issue we're encountering while using Let's Encrypt certificates (TLS-ALPN challenge) with FortiWeb.
We're running FortiWeb 7.2.10 in an HA active-passive configuration, set up as a reverse proxy. The setup involves serving multiple sites under SNI, all using a single Let's Encrypt certificate with multiple domain names. To ensure everything is done over HTTPS, we chose to use the TLS-ALPN challenge, and everything worked fine during the configuration and certificate issuance stages.
However, now that the sites are no longer required, we decided to revoke the certificates. That's where the problem starts. The revocation process appears to go as expected. I can see that the revoke requests are properly sent to Let's Encrypt, and when I check via OpenSSL, the certificate shows as revoked (verified against the certificate's OCSP URL with openssl). Additionally, the certificate's status updates to "revoked" on both the primary and secondary FortiWeb appliances.
But here's where things get strange. Shortly after the revocation, the primary HA sync state on the Web UI displays a "NO SYNC" message. When I click on this, I can see a diff between what I assume are the configurations of the primary and secondary appliances. The odd part is that, instead of seeing the PEM certificate chain lines (----BEGIN CERT) marked with a "-" on the primary (indicating deletion of the revoked certificate), I see them marked with a "+" on the secondary configuration (indicating that the lines were added).
This "NO SYNC" state can persist for quite a while—I've seen it last up to two hours. Eventually, the certificate somehow gets reactivated, and if I run the same OpenSSL check, it shows the certificate as valid again instead of revoked. I can even reuse it in the site without any issues.
In our case, this only happened for the TLS-ALPN certificate. We've also had a couple of sites using HTTP-01, but we revoked them when needed without any sync issues.
Has anyone else encountered something similar? Any insights would be greatly appreciated.
Thanks
Labels: FortiWeb
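As an added example (not part of the original post or of FortiWeb), a small Python check that parses an HA config diff like the one described above for PEM certificate blocks and reports any certificate with a known revoked fingerprint that appears on "+" lines, i.e. one the sync is about to push back onto the peer instead of removing. The diff layout and the certificate bytes are constructed placeholders; the fingerprint compared is SHA-256 over the DER, the same value `openssl x509 -noout -fingerprint -sha256` prints (without colons).

```python
"""Flag a revoked certificate being re-added through an HA config diff."""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_blocks_with_sign(diff_text):
    """Yield (sign, sha256_hex) for every PEM certificate in a unified diff.
    sign is '+' (line added on that side) or '-' (line removed). The diff
    marker is stripped from each line before the PEM body is reassembled,
    so a chain split across many '+' lines is recovered as whole blocks."""
    sides = {"+": [], "-": []}
    for line in diff_text.splitlines():
        # Skip '+++'/'---' file headers; keep every other changed line.
        if line[:1] in sides and not line.startswith(("+++", "---")):
            sides[line[0]].append(line[1:].strip())
    for sign, lines in sides.items():
        for m in PEM_RE.finditer("\n".join(lines)):
            der = base64.b64decode("".join(m.group(1).split()))
            yield sign, hashlib.sha256(der).hexdigest()


def revoked_certs_readded(diff_text, revoked_fingerprints):
    """Return sorted SHA-256 hex fingerprints of revoked certificates that
    the diff shows as added ('+'), which is the symptom to alert on."""
    revoked = {fp.replace(":", "").lower() for fp in revoked_fingerprints}
    return sorted({fp for sign, fp in pem_blocks_with_sign(diff_text)
                   if sign == "+" and fp in revoked})


# Constructed stand-in for a certificate's DER bytes (hypothetical; any
# bytes hash the same way, a real diff carries the actual chain).
FAKE_DER = b"constructed-certificate-for-demo"
FAKE_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(FAKE_DER).decode()
            + "-----END CERTIFICATE-----")
# Constructed diff: the secondary side shows the chain as added ('+').
SAMPLE_DIFF = "\n".join(
    [" # constructed HA diff excerpt"]
    + ["+" + line for line in FAKE_PEM.splitlines()])
REVOKED_FP = hashlib.sha256(FAKE_DER).hexdigest()

if __name__ == "__main__":
    print(revoked_certs_readded(SAMPLE_DIFF, [REVOKED_FP]))
```

Feeding the real diff text and the fingerprint of the certificate you revoked gives a non-empty list exactly when the sync would reinstate it, which is an earlier signal than re-running the OCSP check hours later.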
Hello.
Can you be a little more specific about what you're suggesting?
