Lovepreet_Dhillon
Article Id 240774
Description

This article describes the troubleshooting steps for ACME certificate renewal/provisioning failures caused by the ha-direct option being enabled.

Scope

FortiOS 7.0 and above.

Solution

During provisioning or renewal of an ACME certificate, FortiGate shows the error 'Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory', which indicates that FortiGate is unable to reach the ACME server for renewal/provisioning.

To confirm this issue, run the following commands in the FortiGate CLI:

get vpn certificate local details Test_acme

ACME details:

Status: Unprovisioned

Staging status: Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.

If this problem persists, check the network connectivity from the Apache server to the ACME server.

diagnose sys acme status-full <certificate's CN domain>

diagnose sys acme status-full example.fortinet.com

"status": 70007,

"status-description": "The timeout specified has expired",

"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>.

If this problem persists, check the network connectivity from the Apache server to the ACME server.

Troubleshooting steps:

Check network connectivity to the ACME server with a ping test from FortiGate's CLI:

exec ping acme-v02.api.letsencrypt.org

PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248): 56 data bytes

64 bytes from 172.65.32.248: icmp_seq=0 ttl=59 time=17.2 ms

64 bytes from 172.65.32.248: icmp_seq=1 ttl=59 time=16.2 ms

If layer 3 connectivity to the ACME server is good, as shown in the test above, confirm which interface FortiGate uses to communicate with the ACME server.

Run a sniffer for the ACME server IP 172.65.32.248 (confirm the IP with the ping test performed earlier):

diagnose sniffer packet any "host 172.65.32.248" 4 0 l <- The last argument is the lowercase letter L.

2022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: psh 175404546 ack 2557588747
2022-12-23 11:31:50.644143 wan1 out x.x.x.x.7937 -> 172.65.32.248.443: fin 175404570 ack 2557588747

FortiGate should communicate with ACME servers on the same Internet-facing interface that is selected under the ACME configuration on FortiGate:

show sys acme
config system acme
    set interface "wan1"
end

If no traffic to the ACME server is sent out via the interface selected under config system acme, this is related to the ha-direct feature being enabled under config system ha:

config system ha
    set group-name "HA-test"
    set mode a-p
    set password ENC
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 10.5.63.254
        next
    end
    set override disable
    set ha-direct enable <-
end

If the ha-direct option is enabled, FortiGate uses the HA reserved management interface for ACME renewal and provisioning.

As the interface selected under config system acme is different from the HA reserved management interface, ACME communication will not happen.

Note: The HA management interface is a reserved interface and cannot be selected for ACME services.

FortiGate selects an HA reserved management interface as an outgoing interface for the features listed below if HA-direct is enabled:

  • Remote logging (including syslog, FortiAnalyzer, and FortiCloud).
  • SNMP queries and traps.
  • Remote authentication and certificate verification.
  • Communication with FortiSandbox.

Solution:

Prior to FortiOS 7.4, disable the ha-direct option under config system ha.

A new setting 'use-ha-direct' has been introduced in FortiOS 7.4.0:

config system acme
    set use-ha-direct [enable|disable]
end
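As an added audit check (not Fortinet's code or CLI), the following Python script parses saved `config system acme` and `config system ha` output and flags an ACME interface that ha-direct would bypass, so the conflict is caught before a renewal fails; the sample config is constructed, and treating `use-ha-direct disable` as exempting ACME from ha-direct is an assumption.

```python
# Constructed sample (not from a real device): ha-direct on, ACME on wan1, HA mgmt on port2.
SAMPLE_CONFIG = """\
config system acme
    set interface "wan1"
end
config system ha
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
        next
    end
    set ha-direct enable
end
"""

def parse_fortios(text):
    """Minimal parser for FortiOS config text: 'config X' / 'edit N' open nested
    dicts, 'set key v1 v2' becomes key -> [v1, v2] with quotes stripped."""
    root = cur = {}
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("config ", "edit ")):
            stack.append(cur)
            cur = cur.setdefault(line.split(None, 1)[1].strip('"'), {})
        elif line in ("end", "next"):
            cur = stack.pop()
        elif line.startswith("set "):
            key, *vals = line.split()[1:]
            cur[key] = [v.strip('"') for v in vals]
    return root

def check_acme_ha_direct(config_text):
    """Return findings for the egress conflict described above. Assumption:
    'use-ha-direct disable' (FortiOS 7.4.0+) exempts ACME from ha-direct."""
    cfg = parse_fortios(config_text)
    acme, ha = cfg.get("system acme", {}), cfg.get("system ha", {})
    first = lambda d, k: d.get(k, [None])[0]
    if (first(ha, "ha-direct") != "enable" or first(ha, "ha-mgmt-status") != "enable"
            or first(acme, "use-ha-direct") == "disable"):
        return []  # ha-direct does not steer ACME traffic: nothing to flag
    acme_if = first(acme, "interface")
    mgmt_ifs = {first(e, "interface") for e in ha.get("ha-mgmt-interfaces", {}).values()}
    if acme_if and acme_if not in mgmt_ifs:
        return [f"ACME interface {acme_if!r} is not an HA management interface "
                f"{sorted(mgmt_ifs)} while ha-direct is enabled: ACME egress will fail"]
    return []
```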