Fortinet 60E won't create a certiifcate in the same domain as my Apache2 server

I created a certificate for my Apache2 server. 

I added to this certificate to get rid of my Godaddy certificates. My Fortinet 60E firewall (7.2.6) can't generate a certificate for on its own. Do I need to create it as then remove Fortinet has been working on it for over 3 weeks. I have to change the Virtual IPs from 80 and 443.

Can you explain this problem in more detail? What exactly failed?

Highly unlikely whatever the problem is that changing a hostname will affect it.

Can't you just import into your 60E the cert you already got? As described here:

2023/12/23 00:10:01 Cannot negotiate ALPN protocol acme-tls/1 for tls-alpn-01 challenge
2023/12/23 00:10:01 Starting challenges for domains: Cannot negotiate ALPN protocol acme-tls/1 for tls-alpn-01 challenge, problem: urn:ietf:params:acme:error:unauthorized
2023/12/23 00:10:01 Starting challenges for domains
2023/12/23 00:10:00 Loaded order from staging
2023/12/23 00:10:00 Selecting account to use for
2023/12/23 00:10:00 Driving ACME protocol for renewal of
2023/12/23 00:10:00 Contacting ACME server for at
2023/12/23 00:10:00 Assessing current status
2023/12/23 00:10:00 Checking staging area

Sorry, I don't know enough about your Fortinet to advise. I can see every kind of request (HTTP, HTTPS, and TLS-ALPN) rejected with a 403 Forbidden (or Unauthorized). This is what we see in your Let's Encrypt cert request too. That's probably the place to start.

You can reproduce this using Let's Debug (see here). Its overall result is "OK" but in this case it just means TLS-ALPN connection worked. You can see the 403 which is usually a 404 (Not Found) for that kind of test. You should use the Let's Encrypt staging system to test this as you are only allowed 5 errors / hour with the LE production system.

If no one else here wants to comment you might try a Fortinet forum.

Are you sure these are the correct IP addresses? Because the two IPv4 addresses belong to ATT and Comcast. That is unusual. The IPv6 is Comcast.

A    Address:
A    Address:
AAAA Address: 2601:402:8200:d410:20c:29ff:fea5:7fec

I can see a fresh cert (from Dec13) on the '99.' IPv4 and the IPv6 but I just timeout on the '68.' IPv4. That isn't causing the 403 error but may be something else to review.


I wanted the Fortinet to have its certificate to renew because it uses https to access the admin and when it breaks the certificate, it can be difficult to fix. Those addresses go to the WAN addresses. I use SD-WAN. AT&T Gigabit Fiber and Comcast for a secondary circuit. My wife works from home as a web programmer.

Has Fortinet said anything about this problem?
I recall there was an issue with ACME when using multiple WANs.
If you can do it, I would advise upgrading to the latest firmware: 7.4.2


They want me to try another domain instead of that isn't tied to VIPs (Web Site).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.