Pick one only - LOL
2 Likes
I believe I have picked only one. Pint taken 
2 Likes
If anyone has cared to read this far into this topic here is the recap.
Step #1 was skipped and Step #2 was loosely applied and Step #3 has been ignored [thus far].
Three easy steps to resolving problems quickly via help forums:
Step #1 Admit that you have a problem.
Step #2: Ask for help
"Help" Topic opened [here and in reddit]
But all the required help questions were removed [unanswered]
Step #3: Accept the help that is being provided
As yet, only accepted some as suggestions and used to reinforce the belief that problem exists elsewhere.
This may get flagged as it is definitely rough around the edges.
[so, grab a screenie, if you wish to remember it - LOL]
But all true and plain to see.
When one goes to a doctor this never happens - we follow the three simple rules to a T:
Step #1: Admit that you have a problem. [stop telling yourself - it will get better on its' own]
Step #2: Ask for help [seek help from a doctor]
Step #3: Accept the help that is being provided [follow the doctors' orders]
13 Likes
that's error from tls-alpn-01 challenge: are you sure it's actually using http challenge?
and do you have another tls interceptor in front of it?
3 Likes
I think Sean would have known about that.
[off topic - but about this topic]
As for my "uncharacteristic responses" here...
I'm holding @seanthegeek to a much higher standard.
"With great power comes great responsibility."
I'm sorry if it is not what anyone expected - today is Wednesday and I'm all out of !
Sometimes ... this is what we get when nothing is paid for it.
FREE advice is taken at face value [$0.00] - and seen as/deemed worthless.
3 Likes
Going back to modify "redacted" to "[redacted]"
So that it makes more sense to all readers.
3 Likes
I haven't read this entire thread, so sorry if I repeat something already said.
TLS-ALPN challenges require the actual TLS connection to be forwarded. remote error: tls: no application protocol indicates that when we connected, the TLS implementation didn't know about the ALPN we're requesting. The reddit thread linked only shows port 80 configs, and not 443, so I'm not sure what's responding on 443. If the nginx is handling TLS on 443, TLS-ALPN won't work. You can use ssl_preread on; and proxy_pass $name with nginx to allow proxying without terminating TLS, though I'd have to test that out.
I wasn't aware fortigates had ACME support for their VPNs. I see they have trial VMs, so at some point I'll have to try that out. Thanks for pointing it out, at least!
7 Likes
@seanthegeek the https://community.fortinet.com/ might be an alternate place to seek help as well.
1 Like
From the reddit site:
[they seem to have gotten more information that we did]
[ that one is close to me 
]
2 Likes
That's the weird thing: Pervious requests had used the plain http challenge, so I was able to proxy the challenge without an issue. Somehow, that has changed to a TLS challenge, and I have no idea why. I hadn't changed any ACME config or updated firmware between my last successful renewal of an existing ACME cert and creating this new one.
My nginx configuration worked just fine until the challenge switched, which is what I was trying to get across earlier. I opened this thread to find out more about Let's Encrypt error messages, because that one seems vague. I can't find anything in the FortiGate CLI about setting a challenge type, so I'll open a support case with them.
1 Like
Did it, or what is it a redirect from HTTP (Port 80) to HTTPS (Port 443)?
1 Like
It's possible the Fortigate changed what challenge type it used? Have you upgraded its firmware?
3 Likes
I can confirm [using a 60F with 7.2.4 code] that it doesn't do TLS-ALPN-01.
[who can spot a 60D in the picture? - lol]
Which circles back around to something redirecting the HTTP to HTTPS.
No.
Already answered: No.
[7.2.4 is the latest]
3 Likes
Again: That is going in the wrong direction.
[See: Step #1 above.]
2 Likes
clue: It's the only other obvious firewall in the picture - LOL
[the gray to the left is also a firewall - CP model ST-5 - aka Smart-1 205]
2 Likes
The focus and depth of field make it hard for me to read on the upper left of the photograph.
Thus I could not read it's MAC.
1 Like
Would remote error: tls: no application protocol ever show up with a HTTP-01 challenge, or just ALS-ALPN?I created this thread to get an idea of what that error means, because to me that is rather vague. Knowing exactly what that error means would be super helpful.
A redirect wouldn't change an HTTP-01 challenge to a TLS-ALPN-01 challenge.
My guess is that if the firewall itself didn't change, something in front of the firewall (that previously just passed through TLS and is now doing something nosier) did.
3 Likes