Let's Encrypt cert takes a long time to issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: waftest2.zumis.lt
Let's Encrypt is configured on FortiWeb for traffic inspection. It has already been nearly 3 hours and it is still not working. The certificate is still not valid. Let's Encrypt seems not to be working. The other domain, waftest.zumis.lt, seems to work, but I am not aware how long it took to start working. This time I am trying to figure out how long it takes and why. If, say, I need to redirect any customer, I cannot wait for hours.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

A Let's Encrypt certificate for waftest2.zumis.lt was issued 4 hours ago:

https://crt.sh/?id=5058483383

Let's Encrypt certificates are issued almost instantly. Any delays experienced before they "work" are almost always caused by whoever/whatever is installing the certificate.

Histories:

https://crt.sh/?q=waftest.zumis.lt

https://crt.sh/?q=waftest2.zumis.lt

3 Likes

Did you also open support ticket with Fortinet?
If so, please post the resolution of that ticket here.

I don't think LE, nor the issued cert, is causing the problem.
It seems like the "Have you restarted the web server for it to use the new cert?" type of problem.
[but only Fortinet (or you) can troubleshoot their product]

As an aside, how are the proxy clients configured to accept such an ever-changing certificate?
I sure hope they don't explicitly trust the underlying issuer - that would leave them vulnerable to millions of such trusted sources :scream_cat:

1 Like

Fortinet reply:

"Seems that at the moment the FortiWeb is not sending the certificate issue to the Let's Encrypt website. The functionality under SNI is under investigation by developers and should be improved in newer versions. At the moment the proposed workaround to issue the certificate is the following:

- You need to set up the certificate with the server
- Deactivate the HTTP to HTTPS
- Disable the SNI
- Restart the proxyd:
    diagnose system top 10
    diagnose system kill 1 xxxx    (xxxx = proxyd ID)

Restarting this process interrupts all the running sessions; please schedule a window to do so. The process is automatically restarted but can create session interruption."

2 Likes
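Added example, not code from any post in this thread: a standard-library Python check that separates "was the certificate issued" (which the crt.sh links above already answer) from "is the proxy actually serving it". Because the Fortinet reply points at the SNI code path, it connects once with SNI and once without, lets the default context verify the chain against the system roots, and reports the issuer, validity window and name coverage of the leaf the server presents. The default host name is the one from the thread; SAMPLE_CERT is a constructed getpeercert()-shaped record for offline testing, not the real certificate, and TIMEOUT is an assumption.

```python
"""Show which leaf certificate a TLS endpoint really presents, with and without
SNI, and whether it is a currently valid Let's Encrypt certificate for the name.
Standard library only."""
import socket
import ssl
import sys
import time

TIMEOUT = 5.0  # seconds; assumption for the example

# Constructed getpeercert()-shaped sample for offline testing; this is NOT the
# real certificate for the host, just the dict layout ssl returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "waftest2.zumis.lt"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "serialNumber": "0123456789ABCDEF",
    "notBefore": "Sep 12 08:00:00 2021 GMT",
    "notAfter": "Dec 11 08:00:00 2021 GMT",
    "subjectAltName": (("DNS", "waftest2.zumis.lt"),),
}


def covers_host(sans, host):
    """True if one of the DNS SANs matches host (exact, or a single-label wildcard)."""
    host = host.lower().rstrip(".")
    for name in sans:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if (name.startswith("*.") and host.count(".") == name.count(".")
                and host.endswith(name[1:])):
            return True
    return False


def summarize_cert(cert, host, now=None):
    """Reduce an ssl getpeercert() dict to the facts that matter when a 'new'
    certificate does not seem to work: who issued it, when it became valid,
    whether it is valid right now (UTC epoch seconds), and whether it covers host."""
    now = time.time() if now is None else now
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "issuer": "%s / %s" % (issuer.get("organizationName", "?"),
                               issuer.get("commonName", "?")),
        "is_lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "serial": cert.get("serialNumber", ""),
        "not_before": cert["notBefore"],
        "not_after": cert["notAfter"],
        "currently_valid": not_before <= now <= not_after,
        "covers_host": covers_host(sans, host),
        "sans": sans,
    }


def check_host(host, port=443, sni=True):
    """Connect, let the default context verify the chain against the system
    roots, and summarise the leaf. sni=False omits the server_name extension,
    so you see what a client that sends no SNI is given by the proxy."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name coverage is reported by summarize_cert instead
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
                cert = tls.getpeercert()  # populated only because the chain verified
    except ssl.SSLCertVerificationError as exc:
        # e.g. the proxy still presents its factory self-signed certificate
        return {"trusted_chain": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"trusted_chain": False, "error": str(exc)}
    summary = summarize_cert(cert, host)
    summary["trusted_chain"] = True
    return summary


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "waftest2.zumis.lt"
    for with_sni in (True, False):
        label = "SNI sent" if with_sni else "no SNI  "
        print(label, check_host(target, sni=with_sni))
```

If the SNI run returns a trusted Let's Encrypt leaf whose notBefore matches the crt.sh entry, issuance and installation are both fine and the problem is on the client side; if it returns trusted_chain False with a verify message such as a self-signed certificate, the device is still serving its old certificate and no amount of waiting on Let's Encrypt will change that. A difference between the two runs shows the SNI-dependent behaviour the Fortinet reply describes.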

Is there a newer firmware that you can go to?
[that might make this problem go away]

1 Like

As per above, it is under investigation, so the answer is NO.

Whether they are investigating or not doesn't affect the answer to the question:
Is there a newer firmware that you can go to?

In my case, I'm using 7.0.1 and have no problem getting certs.

2 Likes

OK, good question, I have to check. I am on FortiWeb-VM 6.40, build 1444 (GA), 210629.

I think the 6.4 train is now up to at least 6.4.7.
If you are still on 6.4.0, then there is a lot to consider.

1 Like

No, I am on the latest, I checked it: 6.4.0 Build 1444.

Sorry, you are correct [I was thinking about FortiOS]
FortiWEB 6.4.1 should be out within a week (or so).

1 Like

Hmm, how are you so well informed? :) Perhaps I should check with Fortinet to confirm it; would that include any potential fix for that?

Well... ummm... I know a guy... LOL

It might; ask them directly.

2 Likes
