How to unpause Let's Encrypt

My Let's Encrypt account is paused and I need to unpause it. The unpause URL in my ACME client logs is truncated so I can't use it. Is there a way to get the full URL to unpause?

You removed the template that should appear when you open a topic in the Help section.
Can you provide the info, please?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

My domain is: santakvpn.sanandreas.com

I ran this command: Fortigate command to query the certificate has the message that it needs to be unpaused.

It produced this output:
Error (Your account is temporarily prevented from requesting certificates for santekvpn.sanandreas.com and possibly others. Please visit: Let's Encrypt - Portal on Thu Mar 5 08:05:51 2026 (UTC)

My web server is (include version):
n/a

The operating system my web server runs on is (include version):

Hostname SanTek60F
Serial number FGT60FTK2209D76Z
Firmware v7.4.11 build2878 (Mature)
Mode NAT
System time 2026/03/05 00:12:08
Uptime 33d 22h 32m 15s

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes. Can log into Fortigate as administrator

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
I can use the web interface or the cli interface.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I see two options.

Solution: Ask Fortinet for help retrieving the untruncated error message or ask them to release a software update that does.

Workaround: re-create an ACME account somewhere within the Fortigate dashboard. The "pause" is per account, per hostname.

4 Likes

I see from the public CT logs you got a cert today so perhaps @Patryk's suggestions helped.

Just wanted to add that to get "paused" you have to make a very large number of failed requests. Looking at your cert history, failures would have started about 3 months ago. In that time you would have to average about 12 tries per day and all of them fail until now.

That points to poor alerting in your Fortigate to report cert request failures. If that can't be improved you should consider adding a monitoring service to better watch your system for expired certs. Your prior cert expired about 2 months ago.

For suggestions on monitoring see: Monitoring Service Options - Let's Encrypt

For details on the "pause" limit: Rate Limits - Let's Encrypt

It is horribly wasteful of LE resources to have so many failed requests. Which is why LE had to create the "unpause" limit.

3 Likes

Before reading Patryk's suggestion I had created a new account with which I applied for a certificate.
I think your suggestion makes sense. The certificate had expired a few months ago but I did not receive a warning and would not have known had I not been tidying up the Fortigate's configuration.
Such a warning might have appeared in the logs but could easily have been missed. A better notification might be a warning on the dashboard or email.
I'll look into it.

1 Like

One other thing. I looked everywhere for a complete URL to unpause the failed requests. I am surprised that Let's Encrypt cannot provide the correct URL since it appears that the error message displayed by the Fortigate came from Let's Encrypt.

The Let's Encrypt ACME Server definitely sends the full URL needed to unpause. Not sure why the Fortigate loses that. Definitely something to ask them.

When the "pause" was first introduced a number of us were concerned about the length of the URL. Much of that discussion and the reasons for it are here: Feedback needed for our new account "pausing" feature and self-service "unpause" portal - #41 by aarongable

PS: Coincidentally another Fortigate user recently had a similar problem with the unpause URL: Fortigate Unpause URL is invalid, can't find full URL - #2 by MikeMcQ They did not report any news from Fortigate. If you get any please post here so we can pass it along to future posters. Thanks

4 Likes

Does the correct URL end with a date and time? If so, the problem might be that just copying it will not work because it contains spaces that need to be replaced with %20, for example.

No, see post #1 in this thread. There is an image of the very long URL.

Repeated here:


I believe the domain name in the URL is now different but the format is the same.

Update: I found a more recent example.

https://portal.letsencrypt.org/sfe/v1/unpause?jwt=eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiJTRkUgVW5wYXVzZSIsImV4cCI6MTc0Mzc3NDY3NCwiaWF0IjoxNzQyNTY1MDc0LCJpZGVudGlmaWVycyI6ImFkbWluLm1vdW50YWluaGlnaHNlby5jb20iLCJpc3MiOiJXRkUiLCJzdWIiOiIyMDY4MjI1ODg3IiwidmVyc2lvbiI6InYxIn0.J8IB55eT0uIpL5kczu8G3qXInn8immbsuStiixdf5nk
3 Likes
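
A completeness check for an unpause URL copied out of a client log, added here as an example and not part of any post in this thread. It inspects structure only (three JWT segments, HS256 signature length, `exp`); the sample token, its key and its hostname are constructed, and `check_unpause_url` and `make_sample_url` are hypothetical names.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, urlsplit

PORTAL = "https://portal.letsencrypt.org/sfe/v1/unpause?jwt="

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_unpause_url(url, now):
    """Return (ok, reason, claims) for an unpause URL taken from a log.

    Structural check only: the HMAC key is held by the server, so the
    signature cannot be verified here, only its presence and length.
    """
    token = parse_qs(urlsplit(url).query).get("jwt", [""])[0]
    parts = token.split(".")
    if len(parts) != 3:
        return False, f"truncated: {len(parts)} of 3 JWT segments present", None
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False, "truncated or corrupted: segment is not base64url JSON", None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "corrupted: header or payload is not a JSON object", None
    # An HS256 tag is 32 bytes, i.e. exactly 43 unpadded base64url characters.
    if header.get("alg") == "HS256" and len(parts[2]) != 43:
        return False, f"truncated: signature has {len(parts[2])} of 43 characters", claims
    if claims.get("exp", 0) <= now:
        return False, "expired: exp claim is in the past", claims
    return True, "complete", claims

def make_sample_url(exp):
    # Constructed sample: made-up key, hostname and claim values.
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    claims = {"exp": exp, "identifiers": "vpn.example.com", "version": "v1"}
    body = b64url_encode(json.dumps(claims).encode())
    tag = hmac.new(b"constructed-demo-key", f"{header}.{body}".encode(),
                   hashlib.sha256).digest()
    return f"{PORTAL}{header}.{body}.{b64url_encode(tag)}"

if __name__ == "__main__":
    full = make_sample_url(exp=int(time.time()) + 86400)
    for candidate in (full, full[:-5], full[:90]):
        print(check_unpause_url(candidate, now=time.time())[:2])
```

A URL that fails with a "truncated" reason was cut somewhere between the server and the log, which is the symptom described in this thread.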

From the FortiGate CLI:

get vpn certificate local details

Here you can see the full-length URL to unlock your account

2 Likes
