Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

fcm.models.acme.acme.Acme.Error: A.C.M.E. Certificate request has failed. Client lacks sufficient au

I currently have the local port of the fortigate redirected to the forticlient EMS server, in the fortigate I have configured the local certificates for let's encrypt and in the configuration I have selected the created certificates and the acme interface, if I access the domain through the redirected https port When fortigate the certificate is correct but if I do it through the port redirected to the EMS Forticlient the certificate is invalid, in the EMS forticlient I tried to create the certificates for the subdomain with let's encrypt but it does not return an error 403 "Could not obtain certificates:
error: one or more domains had a problem , error: 403 :: urn:ietf:params:acme:error:unauthorized :: XX.XX.XX.XX: Invalid response from http://domain: 403 can someone help me , thanks and regards


I'm personally not a fan of Lets Encrypt.  Why not use a traditional certificate provider for this?  Or our own internal PKI?


The letsencrypt certificate will be tied with the domain name of the FGT that generate the validation request. The same certificate can not validate another domain (EMS in this case). You can do a port forwarding for port 80 and 443 to the EMS, create a global DNS record to point to the public IP and request a let's encrypt certificate directly from the EMS.


Configure an automated SSL certificate:

i. Go to System Settings > EMS Settings.
ii. Ensure that Remote HTTPS access and Redirect HTTP request to HTTPS are enabled.
iii. Ensure that ports 80 and 443 are accessible from the Internet by going to https://<EMS FQDN> in a browser. If the ports are accessible, the browser displays the EMS login page.
iv. In the SSL certificate field, click the Import SSL certificate button.
v. Select Automated.
vi. In the Domain field, enter the EMS FQDN. For the Let's Encrypt server to issue the certificate, the public DNS server must resolve the EMS FQDN to the EMS public IP address.
vii. In the Email field, enter a valid email address.
viii. If desired, enable Auto Renew. When Auto Renew is enabled, EMS automatically renews the certificate before expiry.
ix. Select the checkbox to agree to Let's Encrypt's terms of service. Click Import.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors