Let's encrypt cert takes long time to issue

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: waftest2.zumis.lt
Letsencrypt configured on FortiWeb for traffic inspection. It is already nearly 3 hours and still not working. Certificate still not valid. Letsencrypt seems not working. The other domain waftest.zumis.lt seems to work but not aware how long it took to start working. This time am trying to figure out how long it takes and why. If say I need redirect any customer - I cannot wait for hours..


Welcome to the Let's Encrypt Community :slightly_smiling_face:

A Let's Encrypt certificate for waftest2.zumis.lt was issued 4 hours ago:


Let's Encrypt certificates are issued almost instantly. Any delays experienced before they "work" are almost always caused by whoever/whatever is installing the certificate.





Did you also open support ticket with Fortinet?
If so, please post the resolution of that ticket here.

I don't think LE, nor the issued cert, is causing the problem.
It seems like the "Have you restarted the web server for it to use the new cert?" type of problem.
[but only Fortinet (or you) can troubleshoot their product]

As an aside, how are the proxy clients configured to accept such an ever-changing certificate?
I sure hope they don't explicitly trust the underlying issuer - that would leave them vulnerable to millions of such trusted sources :scream_cat:

1 Like

Fortinet reply - "Seems that at the moment the Fortiweb is not sending the certificate issue to lets encrypt website The functionality under SNI is under investigation by developers and should be improved in newer versions. At the moment the propose work around to issue the certificate is the following - You need to set up the certificate with the server - Deactivate the http to https - disable the SNI - restart the proxyd diagnose system top 10 diagnose system kill 1 xxxx (xxxx proxyd ID) Restarting this process interrupts all the running session please schedule a window to do so. The process is automatically restarted but can create session interruption."


Is there a newer firmware that you can go to?
[that might make this problem go away]

1 Like

as per above - it is under investigation, so answer is NO

Whether they are investigating or not doesn't affect the answer to the question:
Is there a newer firmware that you can go to?

In my cases, I'm using 7.0.1 and have no problem getting certs.


ok, good question, have to check. Am on FortiWeb-VM 6.40,build1444(GA),210629

I think the 6.4 train is now up to at least 6.4.7.
If you are still on 6.4.0, then there is a lot to consider.

1 Like

no, am on latest, checked it, 6.4.0 Build 1444

Sorry, you are correct [I was thinking about FortiOS]
FortiWEB 6.4.1 should be out within a week (or so).

1 Like

hmm, how are you so well informed ? ) perhaps I should check with Fortinet to confirm it, would that include any potential fix for that ?

Well... ummm... I know a guy... LOL

It might; ask them directly.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.