My domain is: b2b-private.cosmostv.com
I'm trying to get a certificate using the FortiGate NGFW web interface.
Device: FortiGate-1500D HA A/P Mode
System: FortiOS v7.2.10
It produced this output:
FG # diagnose sys acme status-full b2b-private.cosmostv.com
{
"name": "b2b-private.cosmostv.com",
"finished": false,
"notified": false,
"next-run": "Tue, 04 Feb 2025 06:41:43 GMT",
"last-run": "Tue, 04 Feb 2025 06:40:37 GMT",
"errors": 1,
"last": {
"status": 20014,
"status-description": "Internal error (specific information not available)",
"detail": "Unable to retrieve certificate chain.",
"activity": "Retrieving certificate chain for b2b-private.cosmostv.com"
},
"log": {
"entries": [
{
"when": "Tue, 04 Feb 2025 06:41:38 GMT",
"type": "message-errored"
},
{
"when": "Tue, 04 Feb 2025 06:41:38 GMT",
"type": "renewal-error",
"detail": "Unable to retrieve certificate chain."
},
{
"when": "Tue, 04 Feb 2025 06:41:38 GMT",
"type": "progress",
"detail": "Retrieving certificate chain for b2b-private.cosmostv.com: Unable to retrieve certificate chain."
},
{
"when": "Tue, 04 Feb 2025 06:41:38 GMT",
"type": "progress",
"detail": "Retrieving certificate chain for b2b-private.cosmostv.com"
},
{
"when": "Tue, 04 Feb 2025 06:41:08 GMT",
"type": "progress",
"detail": "Creating new ACME account for b2b-private.cosmostv.com"
},
{
"when": "Tue, 04 Feb 2025 06:40:38 GMT",
"type": "progress",
"detail": "Selecting account to use for b2b-private.cosmostv.com"
},
{
"when": "Tue, 04 Feb 2025 06:40:38 GMT",
"type": "progress",
"detail": "Driving ACME protocol for renewal of b2b-private.cosmostv.com"
},
{
"when": "Tue, 04 Feb 2025 06:40:38 GMT",
"type": "progress",
"detail": "Resetting staging for b2b-private.cosmostv.com"
},
{
"when": "Tue, 04 Feb 2025 06:40:37 GMT",
"type": "progress",
"detail": "Contacting ACME server for b2b-private.cosmostv.com at https://acme-v02.api.letsencrypt.org/directory"
},
{
"when": "Tue, 04 Feb 2025 06:40:37 GMT",
"type": "progress",
"detail": "Assessing current status"
},
{
"when": "Tue, 04 Feb 2025 06:40:37 GMT",
"type": "progress",
"detail": "Resetting staging area"
},
{
"when": "Tue, 04 Feb 2025 06:40:37 GMT",
"type": "progress",
"detail": "Checking staging area"
},
{
"when": "Tue, 04 Feb 2025 06:40:37 GMT",
"type": "progress",
"detail": "Contacting ACME server for b2b-private.cosmostv.com at https://acme-v02.api.letsencrypt.org/directory"
},
{
"when": "Tue, 04 Feb 2025 06:40:37 GMT",
"type": "starting"
},
{
"when": "Tue, 04 Feb 2025 06:34:09 GMT",
"type": "message-errored"
},
{
"when": "Tue, 04 Feb 2025 06:34:09 GMT",
"type": "renewal-error",
"detail": "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>. If this problem persists, please check your network connectivity from your Apache server to the ACME server. Also, older servers might have trouble verifying the certificates of the ACME server. You can check if you are able to contact it manually via the curl command. Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem. Apache will continue retrying this."
},
{
"when": "Tue, 04 Feb 2025 06:34:09 GMT",
"type": "progress",
"detail": "Contacting ACME server for b2b-private.cosmostv.com at https://acme-v02.api.letsencrypt.org/directory: Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>. If this problem persists, please check your network connectivity from your Apache server to the ACME server. Also, older servers might have trouble verifying the certificates of the ACME server. You can check if you are able to contact it manually via the curl command. Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem. Apache will continue retrying this."
},
{
"when": "Tue, 04 Feb 2025 06:33:39 GMT",
"type": "progress",
"detail": "Contacting ACME server for b2b-private.cosmostv.com at https://acme-v02.api.letsencrypt.org/directory"
},
{
"when": "Tue, 04 Feb 2025 06:33:39 GMT",
"type": "progress",
"detail": "Assessing current status"
},
{
"when": "Tue, 04 Feb 2025 06:33:39 GMT",
"type": "progress",
"detail": "Resetting staging area"
},
{
"when": "Tue, 04 Feb 2025 06:33:39 GMT",
"type": "progress",
"detail": "Checking staging area"
},
{
"when": "Tue, 04 Feb 2025 06:33:39 GMT",
"type": "starting"
}
]
}
}
A couple of weeks ago I noticed a problem reaching the certificate service, only from the outgoing IP of this device:
FG # execute traceroute acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 32 hops max, 3 probe packets per hop, 84 byte packets
1 213.184.238.10 12.722 ms 3.512 ms 3.757 ms
2 195.50.15.40 4.291 ms 1.672 ms 1.353 ms
3 185.11.76.60 0.952 ms 0.781 ms 0.634 ms
4 185.11.76.28 0.799 ms 0.892 ms 0.752 ms
5 185.11.78.245 8.766 ms 8.841 ms 8.716 ms
6 162.158.100.23 8.135 ms 8.112 ms 8.237 ms
7 * * *
8 * * *
9 * * *
10 * * *
Sometimes a couple of ping packets still get through.
When trying to connect from other devices (with other addresses), everything is fine...
Can you help me with this problem?
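The two outputs in the post are easier to read once the newest-first ACME log is split into separate renewal runs. The script below is an added example (not the poster's code and not part of FortiOS): it parses the `diagnose sys acme status-full` JSON, splits it into runs on the `starting` entries that the embedded mod_md client writes, recovers the failing step from the `"<step>: <error>"` progress line mod_md emits, and reads the last hop that answered out of the `execute traceroute` listing. Both inputs are hand-constructed, trimmed copies of the output above; the long mod_md wording of the first error is cut to its first sentence. The run boundary and the `"<step>: <error>"` convention are assumptions drawn from the log shape shown, not from FortiOS documentation.

```python
"""Triage helper for the FortiOS `diagnose sys acme status-full` JSON and the
`execute traceroute` listing in the post. Added example, not part of the
original post or of FortiOS; it only parses the text shapes shown there."""
import json
import re
from typing import Dict, List

DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"
CONTACT_ERR = "Unsuccessful in contacting ACME server at <%s>." % DIRECTORY
CHAIN_ERR = "Unable to retrieve certificate chain."
HOST = "b2b-private.cosmostv.com"

# Constructed sample: the post's log, newest first, trimmed to the entries that
# matter; the long mod_md wording of the first error is cut to one sentence.
SAMPLE_STATUS = json.dumps({"name": HOST, "log": {"entries": [
    {"when": "Tue, 04 Feb 2025 06:41:38 GMT", "type": "message-errored"},
    {"when": "Tue, 04 Feb 2025 06:41:38 GMT", "type": "renewal-error", "detail": CHAIN_ERR},
    {"when": "Tue, 04 Feb 2025 06:41:38 GMT", "type": "progress",
     "detail": "Retrieving certificate chain for %s: %s" % (HOST, CHAIN_ERR)},
    {"when": "Tue, 04 Feb 2025 06:41:38 GMT", "type": "progress",
     "detail": "Retrieving certificate chain for %s" % HOST},
    {"when": "Tue, 04 Feb 2025 06:41:08 GMT", "type": "progress",
     "detail": "Creating new ACME account for %s" % HOST},
    {"when": "Tue, 04 Feb 2025 06:40:37 GMT", "type": "progress",
     "detail": "Contacting ACME server for %s at %s" % (HOST, DIRECTORY)},
    {"when": "Tue, 04 Feb 2025 06:40:37 GMT", "type": "starting"},
    {"when": "Tue, 04 Feb 2025 06:34:09 GMT", "type": "message-errored"},
    {"when": "Tue, 04 Feb 2025 06:34:09 GMT", "type": "renewal-error", "detail": CONTACT_ERR},
    {"when": "Tue, 04 Feb 2025 06:34:09 GMT", "type": "progress",
     "detail": "Contacting ACME server for %s at %s: %s" % (HOST, DIRECTORY, CONTACT_ERR)},
    {"when": "Tue, 04 Feb 2025 06:33:39 GMT", "type": "progress",
     "detail": "Contacting ACME server for %s at %s" % (HOST, DIRECTORY)},
    {"when": "Tue, 04 Feb 2025 06:33:39 GMT", "type": "starting"},
]}})

# Constructed sample: the post's traceroute, shortened to the hops that matter.
SAMPLE_TRACEROUTE = """\
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 32 hops max, 3 probe packets per hop, 84 byte packets
1 213.184.238.10 12.722 ms 3.512 ms 3.757 ms
5 185.11.78.245 8.766 ms 8.841 ms 8.716 ms
6 162.158.100.23 8.135 ms 8.112 ms 8.237 ms
7 * * *
8 * * *
"""


def split_runs(entries: List[dict]) -> List[List[dict]]:
    """Turn the newest-first log into one oldest-first list per renewal run.
    Assumption: every run begins with a "starting" entry, so that type is
    the run boundary (matches the log shape in the post)."""
    runs: List[List[dict]] = []
    for entry in reversed(entries):
        if entry.get("type") == "starting" or not runs:
            runs.append([])
        runs[-1].append(entry)
    return runs


def summarize_run(run: List[dict]) -> Dict[str, object]:
    """Report which step a run died in. The failing step is recovered from the
    progress entry that is rewritten as "<step>: <error>" when a step fails."""
    errors = [e["detail"] for e in run if e.get("type") == "renewal-error"]
    error = errors[0] if errors else None
    steps, failed_step = [], None
    for detail in (e["detail"] for e in run if e.get("type") == "progress"):
        if error and detail.endswith(": " + error):
            failed_step = detail[: -len(error) - 2]
        else:
            steps.append(detail)
    return {"started": run[0]["when"], "steps": steps,
            "failed_step": failed_step, "error": error}


def triage(status_json: str) -> List[Dict[str, object]]:
    """Parse the status-full JSON and summarize every run it contains."""
    entries = json.loads(status_json)["log"]["entries"]
    return [summarize_run(run) for run in split_runs(entries)]


def traceroute_summary(text: str) -> Dict[str, object]:
    """Find the last hop that answered and whether the target itself did."""
    lines = text.strip().splitlines()
    dest = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", lines[0]).group(1)
    last_hop, last_ip = 0, None
    for line in lines[1:]:
        parts = line.split()
        if len(parts) >= 2 and parts[0].isdigit() and parts[1] != "*":
            last_hop, last_ip = int(parts[0]), parts[1]
    return {"destination": dest, "last_hop": last_hop,
            "last_ip": last_ip, "reached": last_ip == dest}


if __name__ == "__main__":
    for n, run in enumerate(triage(SAMPLE_STATUS), 1):
        print("run %d (%s): failed in %r with %r, %d step(s) completed before it"
              % (n, run["started"], run["failed_step"], run["error"], len(run["steps"]) - 1))
    print(traceroute_summary(SAMPLE_TRACEROUTE))
```

On the post's own data this yields two runs: the 06:33 run failed in "Contacting ACME server" before anything else happened, while the 06:40 run got through directory contact and account creation and only failed in "Retrieving certificate chain". So the directory was reachable over HTTPS at least during the second run, which is worth keeping in mind alongside the traceroute: the `* * *` rows after hop 6 only show that later hops return no ICMP time-exceeded replies, not by themselves that TCP/443 from this egress address is blocked.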