I added firewall.scsiraidguru.com to this certificate to get rid of my Godaddy certificates. My Fortinet 60E firewall (7.2.6) can't generate a certificate for firewall.scsiraidguru.com on its own. Do I need to create it as fw.scsiraidguru.com then remove firewall.scsiraidguru.com? Fortinet has been working on it for over 3 weeks. I have to change the Virtual IPs from 80 and 443.
Sorry, I don't know enough about your Fortinet to advise. I can see every kind of request (HTTP, HTTPS, and TLS-ALPN) rejected with a 403 Forbidden (or Unauthorized). This is what we see in your Let's Encrypt cert request too. That's probably the place to start.
You can reproduce this using Let's Debug (see here). Its overall result is "OK" but in this case it just means TLS-ALPN connection worked. You can see the 403 which is usually a 404 (Not Found) for that kind of test. You should use the Let's Encrypt staging system to test this as you are only allowed 5 errors / hour with the LE production system.
If no one else here wants to comment you might try a Fortinet forum.
Are you sure these are the correct IP addresses? Because the two IPv4 addresses belong to ATT and Comcast. That is unusual. The IPv6 is Comcast.
nslookup firewall.scsiraidguru.com
A Address: 68.36.88.188
A Address: 99.158.235.35
AAAA Address: 2601:402:8200:d410:20c:29ff:fea5:7fec
I can see a fresh cert (from Dec13) on the '99.' IPv4 and the IPv6 but I just timeout on the '68.' IPv4. That isn't causing the 403 error but may be something else to review.
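The check described above (every A/AAAA record must answer the HTTP-01 challenge path the same way, because the CA may validate against any of them, and a 403 or a timeout on one address is enough to break issuance) can be scripted. This is an added example, not code from the thread or from Let's Debug, and it covers HTTP-01 only, not TLS-ALPN; the hostname and token are placeholders, and it runs against the addresses of whatever name you pass it.

```python
import socket
import urllib.error
import urllib.request

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_all(hostname):
    """All distinct (family, address) pairs the name resolves to (A and AAAA)."""
    pairs = []
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    for family, _, _, _, sockaddr in infos:
        if (family, sockaddr[0]) not in pairs:
            pairs.append((family, sockaddr[0]))
    return pairs


def probe(hostname, family, address, token="probe", timeout=5):
    """Request the challenge path from one address, sending the real Host header.
    Returns ('http', status_code) or ('error', reason)."""
    literal = f"[{address}]" if family == socket.AF_INET6 else address
    req = urllib.request.Request(f"http://{literal}{ACME_PATH}{token}",
                                 headers={"Host": hostname})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return ("http", resp.status)
    except urllib.error.HTTPError as err:   # 4xx/5xx still tells us something
        return ("http", err.code)
    except OSError as err:                  # refused, timed out, no route
        return ("error", str(err))


def diagnose(results):
    """Turn {address: (kind, value)} into {address: verdict}: 404 for an unknown
    token is healthy, 401/403 means the challenge path is being refused."""
    verdicts = {}
    for address, (kind, value) in results.items():
        if kind == "error":
            verdicts[address] = "unreachable"
        elif value in (200, 404):
            verdicts[address] = "ok"
        elif value in (401, 403):
            verdicts[address] = "blocked"
        else:
            verdicts[address] = f"unexpected {value}"
    return verdicts


def check(hostname):
    # Validation is only safe when every address comes back 'ok'.
    return diagnose({addr: probe(hostname, fam, addr) for fam, addr in resolve_all(hostname)})
```

Run `check("firewall.example.invalid")` with your own name substituted; the result maps each resolved address to ok, blocked, unreachable or an unexpected status, which is the same split Let's Debug reports.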
I wanted the Fortinet to have its certificate to renew because it uses https to access the admin and when it breaks the certificate, it can be difficult to fix. Those addresses go to the WAN addresses. I use SD-WAN. AT&T Gigabit Fiber and Comcast for a secondary circuit. My wife works from home as a web programmer.
Has Fortinet said anything about this problem?
I recall there was an issue with ACME when using multiple WANs.
If you can do it, I would advise upgrading to the latest firmware: 7.4.2