Article Id 240774

This article describes how to troubleshoot ACME certificate provisioning and renewal failures on FortiGate that are caused by the ha-direct option being enabled under config system ha.


FortiOS 7.0 and above.


During initial provisioning or at renewal time of an ACME certificate, FortiGate reports the error 'Unsuccessful in contacting ACME server at ...', meaning the FortiGate could not reach the ACME server to provision or renew the certificate.


To confirm the issue, run the following commands in the FortiGate CLI. First, check the certificate's ACME status (Test_acme is the local certificate name in this example):

get vpn certificate local details Test_acme

ACME details:
Status: Unprovisioned
Staging status: Unsuccessful in contacting ACME server at <>. If this problem persists, check the network connectivity from the Apache server to the ACME server.

The 'Apache server' in the message is FortiGate's own ACME client; the wording is part of FortiGate's output and does not refer to a separate server.


Then query the ACME daemon directly, passing the certificate's CN domain as the argument:

diagnose sys acme status-full "<certificate CN domain>"

"status": 70007,
"status-description": "The timeout specified has expired",
"detail": "Unsuccessful in contacting ACME server at <>. If this problem persists, check the network connectivity from the Apache server to the ACME server."

Status 70007 with 'The timeout specified has expired' indicates that the HTTPS request to the ACME server received no answer, not that the server rejected the request.


Troubleshooting steps:


Check layer 3 connectivity to the ACME server with a ping from the FortiGate CLI (the ping resolves the ACME server's FQDN, which also confirms DNS is working):


execute ping <ACME server FQDN>

PING <ACME server FQDN> (<ACME server IP>): 56 data bytes
64 bytes from <ACME server IP>: icmp_seq=0 ttl=59 time=17.2 ms
64 bytes from <ACME server IP>: icmp_seq=1 ttl=59 time=16.2 ms


If layer 3 connectivity to the ACME server is good, as in the test above, confirm which interface FortiGate actually uses to talk to the ACME server. Run a sniffer filtered on the ACME server IP (take the IP from the ping output above); the last argument is the lowercase letter L, which prints local timestamps:


diagnose sniffer packet any "host <ACME server IP>" 4 0 l

2022-12-23 11:31:50.643839 wan1 out x.x.x.x.7937 -> psh 175404546 ack 2557588747
2022-12-23 11:31:50.644143 wan1 out x.x.x.x.7937 -> fin 175404570 ack 2557588747

The interface name in the second column (wan1 here) is the egress interface; in the failing case it will be an interface other than the one configured for ACME, or no packets at all will be seen on that interface.


FortiGate should reach the ACME server on the same Internet-facing interface that is selected under the ACME configuration, since that is also where it must answer the ACME challenge:


show system acme
config system acme
    set interface "wan1"
end


If the sniffer shows no traffic to the ACME server leaving the interface selected under config system acme (or shows it leaving the HA reserved management interface instead), the cause is the ha-direct option under config system ha:


show system ha
config system ha
    set group-name "HA-test"
    set mode a-p
    set password ENC
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway
        next
    end
    set override disable
    set ha-direct enable    <- 
end



When ha-direct is enabled, FortiGate sources ACME provisioning and renewal traffic from the HA reserved management interface (port2 above), not from the interface selected under config system acme (wan1 above).

Because the interface selected under config system acme is by definition different from the HA reserved management interface, the ACME request leaves through an interface the ACME configuration does not expect, and the connection to the ACME server times out.


Note: The HA management interface is a reserved interface and cannot be selected for ACME services.


This is the documented behavior of ha-direct: when it is enabled, FortiGate uses the HA reserved management interface as the outgoing interface for the following features, and ACME traffic follows the same rule:

  • Remote logging (including syslog, FortiAnalyzer, and FortiCloud).
  • SNMP queries and traps.
  • Remote authentication and certificate verification.
  • Communication with FortiSandbox.



On FortiOS versions prior to 7.4.0 the only workaround is to disable ha-direct (set ha-direct disable under config system ha). Be aware that this also changes the egress interface for every feature listed above, so check the logging, SNMP and authentication paths afterwards.


FortiOS 7.4.0 introduces a dedicated setting, use-ha-direct, under config system acme, so ha-direct can remain enabled for the other features while ACME is exempted:

config system acme
    set use-ha-direct {enable | disable}
end

Set use-ha-direct to disable so that ACME traffic is sent from the interface selected with set interface even while ha-direct is enabled. Re-run the sniffer afterwards to confirm that packets to the ACME server now leave through the configured interface.
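The same decision can be made offline from a configuration backup instead of on the live CLI. The following Python script is an added example written for this page, not Fortinet code: it parses the config/edit/set/next/end grammar of a FortiOS backup into nested dictionaries and then applies the logic of this article (ha-direct in effect, ACME interface different from the HA management interface, and the use-ha-direct override on 7.4.0+) to report which interface ACME traffic will actually use and which CLI fix applies. The sample backup, the placeholder password hash and gateway, and the report field names are constructed for the example; the script deliberately does not hard-code the build default for use-ha-direct and asks for it to be set explicitly.

```python
"""Added example: detect the ACME / ha-direct egress conflict in a FortiOS
config backup. Not Fortinet code; parser covers only config/edit/set/unset/
next/end. SAMPLE_CONFIG is constructed (placeholder hash and gateway)."""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_CONFIG = """\
config system ha
    set group-name "HA-test"
    set mode a-p
    set password ENC PLACEHOLDER
    set hbdev "port3" 0
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port2"
            set gateway 192.0.2.1
        next
    end
    set override disable
    set ha-direct enable
end
config system acme
    set interface "wan1"
end
"""


def parse_fortios_config(text: str) -> Dict:
    """'config a b' / 'edit N' open a nested dict under key 'a b' / 'N';
    'set k v ...' stores k -> [v, ...]; 'next' / 'end' close the block."""
    root: Dict = {}
    stack: List[Dict] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        cmd, args = tokens[0], tokens[1:]
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set" and args:
            stack[-1][args[0]] = args[1:]
        elif cmd == "unset" and args:
            stack[-1].pop(args[0], None)
        elif cmd in ("next", "end"):
            if len(stack) == 1:
                raise ValueError(f"unbalanced '{cmd}' in config")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unterminated config block")
    return root


def _first(values: Optional[List[str]]) -> Optional[str]:
    return values[0] if values else None


@dataclass
class AcmeEgressReport:
    verdict: str                     # ok | hijacked | check-default | no-acme
    acme_interface: Optional[str]    # 'set interface' under config system acme
    egress_interface: Optional[str]  # interface ACME traffic will really use
    detail: str


def assess_acme_egress(cfg: Dict, fortios_version: Tuple[int, int, int]) -> AcmeEgressReport:
    """Apply the article's reasoning to a parsed config."""
    acme, ha = cfg.get("system acme", {}), cfg.get("system ha", {})
    acme_if = _first(acme.get("interface"))
    if acme_if is None:
        return AcmeEgressReport("no-acme", None, None, "no interface under config system acme")
    mgmt_ifs = [_first(e.get("interface")) for e in ha.get("ha-mgmt-interfaces", {}).values()
                if isinstance(e, dict) and e.get("interface")]
    # ha-direct only matters in an HA pair with a reserved management interface.
    ha_direct_active = ((_first(ha.get("mode")) or "standalone") != "standalone"
                        and _first(ha.get("ha-mgmt-status")) == "enable"
                        and _first(ha.get("ha-direct")) == "enable" and bool(mgmt_ifs))
    if not ha_direct_active:
        return AcmeEgressReport("ok", acme_if, acme_if, "ha-direct not in effect")
    if fortios_version >= (7, 4, 0):  # 7.4.0+: per-feature override for ACME
        use_ha_direct = _first(acme.get("use-ha-direct"))
        if use_ha_direct == "disable":
            return AcmeEgressReport("ok", acme_if, acme_if, "use-ha-direct disable pins ACME to its interface")
        if use_ha_direct is None:  # assumption: build default not hard-coded here
            return AcmeEgressReport("check-default", acme_if, None,
                                    "ha-direct enabled and use-ha-direct not set; set it explicitly")
    return AcmeEgressReport("hijacked", acme_if, mgmt_ifs[0],
                            f"ACME egresses via HA mgmt interface {mgmt_ifs[0]}, not {acme_if}")


def remediation(report: AcmeEgressReport, fortios_version: Tuple[int, int, int]) -> str:
    """CLI fix from the article for the detected condition ('' if none needed)."""
    if report.verdict not in ("hijacked", "check-default"):
        return ""
    if fortios_version >= (7, 4, 0):
        return "config system acme\n    set use-ha-direct disable\nend"
    return "config system ha\n    set ha-direct disable\nend"


if __name__ == "__main__":
    parsed = parse_fortios_config(SAMPLE_CONFIG)
    for version in ((7, 2, 0), (7, 4, 0)):
        rep = assess_acme_egress(parsed, version)
        print(f"FortiOS {'.'.join(map(str, version))}: {rep.verdict} - {rep.detail}")
        if remediation(rep, version):
            print(remediation(rep, version))
```

Run it against a real backup by replacing SAMPLE_CONFIG with the file contents; on the sample it reports 'hijacked' (egress port2 instead of wan1) for a 7.2 build and 'check-default' for 7.4.0 until use-ha-direct is set, and prints the matching fix from this article in each case.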