FortiGate
srajapratap
Staff
Article Id 239304
Description

This article describes the debug output that the command below produces and the error message it returns.

The command fetches the ACME client's full status log for a given CN domain. It shows the error message below because the FortiGate is unable to complete the certificate validation exchange with the LetsEncrypt servers.

 

FortiGate # diag sys acme status-full connect.myorganization.com

Error (<Public_IP>: Fetching http://connect.myorganization.com/.well-known/acme-challenge/<hash>: Timeout during connect (likely firewall problem)) on Thu Nov 24 20:45:12 2022 (UTC)


Below is the associated ACME protocol and certificate configuration used:

 

# config system acme
    set store-passphrase ENC ####Hashed Password####
    config accounts
        edit "<account_id>"
            set url "https://acme-v02.api.letsencrypt.org/acme/acct/xxxxxxx"
            set ca_url "https://acme-v02.api.letsencrypt.org/directory"
            set email "itops@myorganization.com"
            set privatekey "-----BEGIN ENCRYPTED PRIVATE KEY----- ####Hashed Private Key#### -----END ENCRYPTED PRIVATE KEY-----"
        next
    end
end


# config vpn certificate local
    edit "Connect"
        set password ENC ####Hashed Password#####
        set comments " "
        set private-key "-----BEGIN ENCRYPTED PRIVATE KEY----- ####Hashed Private Key##### -----END ENCRYPTED PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE----- ####Hashed Certificate##### -----END CERTIFICATE-----"
        set range global
        set enroll-protocol acme2
        set acme-domain "connect.myorganization.com"
        set acme-email "itops@myorganization.com"
    next
end

Scope

FortiGate, FortiOS 7.0.0 and above.

Solution

Below are the sequential steps to troubleshoot this connectivity issue:

 

- Make sure that the interface through which the FortiGate communicates with the LetsEncrypt servers is set in the ACME configuration. That interface must also be reachable from the Internet on TCP port 80, because LetsEncrypt validates the domain by fetching http://connect.myorganization.com/.well-known/acme-challenge/<hash> from it; the "Timeout during connect (likely firewall problem)" error above is reported when that inbound connection is blocked, typically by an upstream firewall or NAT device.

# config system acme
    set interface "port1"
end


- Confirm that the FortiGate has reachability to the Internet, and then to the LetsEncrypt servers, by using ping:

# execute ping acme-v02.api.letsencrypt.org


- Make sure the DNS configuration of the FortiGate is correct, the DNS servers are reachable, and the DNS queries initiated by the FortiGate are being resolved.


- Confirm the enrollment status of the certificate using the below command:

# get vpn certificate local details 'Connect'


- Check the status of the ACME protocol communication between the FortiGate and the LetsEncrypt servers using the below command:

# diagnose sys acme status-full connect.myorganization.com


- Restart the ACME service using the below command. It manually triggers the certificate validation against the LetsEncrypt servers again and, once the validation passes, the certificate is issued.

# diagnose sys acme restart
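The error line in the Description and the checks in the steps above can be tied together mechanically. The following is an added example, not Fortinet code or a FortiOS feature: a Python helper that parses the `Error (<ip>: Fetching <url>: <reason>) on <time> (UTC)` line format printed by `diagnose sys acme status-full`, and maps the LetsEncrypt failure text onto the step that addresses it. The "Timeout during connect" case is the one shown on this page; it means the LetsEncrypt validation server could not open TCP/80 to the FortiGate, so the fix is on the inbound side (ACME interface, upstream firewall or NAT), not on the FortiGate's outbound reachability. The other reason strings are standard LetsEncrypt HTTP-01 validation messages, and the IP address, token and sample lines are constructed for the example.

```python
"""Triage helper for FortiGate 'diagnose sys acme status-full' error lines.

Added example (not Fortinet code): parses the 'Error (...) on <time> (UTC)'
format shown in the Description and maps the Let's Encrypt HTTP-01 failure
text onto the troubleshooting step that addresses it. All sample lines and
addresses below are constructed.
"""
import re
from datetime import datetime
from urllib.parse import urlparse

# Shape of the status-full error line:
#   Error (<ip>: Fetching <url>: <reason>) on <Www Mmm dd HH:MM:SS YYYY> (UTC)
STATUS_RE = re.compile(
    r"^Error \((?P<ip>[^\s:]+): Fetching (?P<url>\S+): (?P<reason>.*)\) "
    r"on (?P<ts>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(UTC\)$"
)

# (substring of the Let's Encrypt reason, direction of the failing connection,
#  the check from the Solution steps that addresses it). Only the first entry
# appears on the page; the others are other standard HTTP-01 failure texts.
TRIAGE = (
    ("timeout during connect", "inbound",
     "Let's Encrypt could not open TCP/80 to the FortiGate: verify the "
     "interface in 'config system acme' is the Internet-facing one and "
     "that no upstream firewall/NAT drops port 80 to it"),
    ("connection refused", "inbound",
     "TCP/80 reached a host that is not listening for ACME: verify the "
     "domain's A record points at the ACME interface address"),
    ("invalid response", "inbound",
     "another web server answered on TCP/80 for this name: verify the A "
     "record and that no other service occupies port 80 on that address"),
    ("dns problem", "dns",
     "public DNS for the domain is wrong or missing: fix the A record "
     "before retrying 'diagnose sys acme restart'"),
)


def parse_status_line(line):
    """Split one error line into ip, url, reason and a UTC datetime.

    Returns None for lines that are not error lines (e.g. a status line),
    so callers can feed the raw command output straight through.
    """
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "url": m["url"],
        "reason": m["reason"],
        "time": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
    }


def classify(reason):
    """Map the Let's Encrypt reason text to (direction, recommended check)."""
    low = reason.lower()
    for needle, direction, advice in TRIAGE:
        if needle in low:
            return direction, advice
    return "unknown", "reason not recognised: read the full status-full output"


def challenge_host_matches(url, acme_domain):
    """HTTP-01 fetches http://<acme-domain>/.well-known/acme-challenge/<token>;
    the host in the fetched URL must be exactly the configured acme-domain."""
    parsed = urlparse(url)
    return (parsed.scheme == "http"
            and parsed.hostname == acme_domain.lower()
            and parsed.path.startswith("/.well-known/acme-challenge/"))


def triage(line, acme_domain):
    """Full triage of one line against the configured 'set acme-domain'."""
    parsed = parse_status_line(line)
    if parsed is None:
        return None
    direction, advice = classify(parsed["reason"])
    result = dict(parsed, direction=direction, advice=advice,
                  host_ok=challenge_host_matches(parsed["url"], acme_domain))
    if not result["host_ok"]:
        result["advice"] = ("challenge URL host differs from the configured "
                            "acme-domain in 'config vpn certificate local'; "
                            + advice)
    return result


# Constructed samples: the first mirrors the line in the Description with a
# documentation address (203.0.113.10) in place of the real public IP.
SAMPLE_LINES = [
    "Error (203.0.113.10: Fetching http://connect.myorganization.com/"
    ".well-known/acme-challenge/5Xk3: Timeout during connect (likely firewall "
    "problem)) on Thu Nov 24 20:45:12 2022 (UTC)",
    "Error (203.0.113.10: Fetching http://connect.myorganization.com/"
    ".well-known/acme-challenge/5Xk3: DNS problem: NXDOMAIN looking up A for "
    "connect.myorganization.com) on Fri Nov 25 09:00:00 2022 (UTC)",
    "Status: valid",  # not an error line; skipped by the parser
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        r = triage(raw, "connect.myorganization.com")
        if r:
            print(f"{r['time']:%Y-%m-%d %H:%M} {r['direction']:8} {r['advice']}")
```

Paste the lines from the `diagnose sys acme status-full` output into `SAMPLE_LINES` (or read them from a file) and pass the value of `set acme-domain` to `triage`; a `host_ok` of `False` points at a mismatch between the certificate's ACME domain and the name LetsEncrypt actually tried to validate.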

 

Related documents:

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support

https://community.fortinet.com/t5/FortiWeb/Troubleshooting-Tip-Let-s-Encrypt-SSL-troubleshooting/ta-...