Tls: no application protocol when attempting to create Let's Encrypt certificate using FortiGate firewall

Pick one only - LOL


I believe I have picked only one. Pint taken :beer:


If anyone has cared to read this far into this topic here is the recap.

Step #1 was skipped and Step #2 was loosely applied and Step #3 has been ignored [thus far].

Three easy steps to resolving problems quickly via help forums:

Step #1: Admit that you have a problem.

Step #2: Ask for help
"Help" Topic opened [here and in reddit]
But all the required help questions were removed [unanswered]

Step #3: Accept the help that is being provided
As yet, only accepted some as suggestions and used to reinforce the belief that problem exists elsewhere.

This may get flagged as it is definitely rough around the edges.
[so, grab a screenie, if you wish to remember it - LOL]
But all true and plain to see.

When one goes to a doctor this never happens - we follow the three simple rules to a T:
Step #1: Admit that you have a problem. [stop telling yourself - it will get better on its own]
Step #2: Ask for help [seek help from a doctor]
Step #3: Accept the help that is being provided [follow the doctor's orders]


That's the error from the tls-alpn-01 challenge: are you sure it's actually using the http challenge?
And do you have another TLS interceptor in front of it?


I think Sean would have known about that.

[off topic - but about this topic]
As for my "uncharacteristic responses" here...
I'm holding @seanthegeek to a much higher standard.
"With great power comes great responsibility."

I'm sorry if it is not what anyone expected - today is Wednesday and I'm all out of :beer:!
Sometimes ... this is what we get when nothing is paid for it.
FREE advice is taken at face value [$0.00] - and seen as/deemed worthless.


Going back to modify "redacted" to "[redacted]"
So that it makes more sense to all readers.


I haven't read this entire thread, so sorry if I repeat something already said.

TLS-ALPN challenges require the actual TLS connection to be forwarded. remote error: tls: no application protocol indicates that when we connected, the TLS implementation didn't know about the ALPN we're requesting. The reddit thread linked only shows port 80 configs, and not 443, so I'm not sure what's responding on 443. If the nginx is handling TLS on 443, TLS-ALPN won't work. You can use ssl_preread on; and proxy_pass $name with nginx to allow proxying without terminating TLS, though I'd have to test that out.

I wasn't aware fortigates had ACME support for their VPNs. I see they have trial VMs, so at some point I'll have to try that out. Thanks for pointing it out, at least!
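Added example, not code from this thread or from any poster: a small Go program that reproduces the two handshakes described above on loopback, so the error can be seen rather than guessed at. Go is used because Let's Encrypt's validator is written in Go and "remote error: tls: no application protocol" is Go's crypto/tls wording for the TLS no_application_protocol alert it received from the far end. The client stands in for the validator and offers only the ALPN protocol "acme-tls/1"; the server is first configured like an HTTPS terminator that only speaks h2/http/1.1 (the client gets the alert), then configured to accept acme-tls/1 (the handshake succeeds). The self-signed certificate is constructed in memory for the example only; the real challenge also requires the special acmeIdentifier certificate extension, which is not modelled here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway certificate for 127.0.0.1 (constructed in
// memory so the example runs offline; assumption for this example only).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one TLS handshake over a loopback listener. serverProtos is
// the ALPN list the listening server is willing to speak (for nginx or another
// proxy terminating TLS on 443 that is typically h2 and/or http/1.1). The
// client, standing in for the ACME validator, offers only "acme-tls/1".
// It returns the protocol the client ended up with and the client-side error.
func Handshake(serverProtos []string) (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()

	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, NextProtos: serverProtos}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		s := tls.Server(conn, srvCfg)
		// On an ALPN mismatch the server sends the no_application_protocol
		// alert; the client sees it as "remote error: tls: no application protocol".
		_ = s.Handshake()
		s.Close()
	}()

	cliCfg := &tls.Config{
		NextProtos:         []string{"acme-tls/1"},
		InsecureSkipVerify: true, // throwaway cert; the real validator checks it differently
	}
	c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
	if err != nil {
		return "", err
	}
	defer c.Close()
	return c.ConnectionState().NegotiatedProtocol, nil
}

// IsNoApplicationProtocol reports whether a client-side handshake error is the
// remote no_application_protocol alert discussed in this thread.
func IsNoApplicationProtocol(err error) bool {
	return err != nil && strings.Contains(err.Error(), "no application protocol")
}

func main() {
	// First run: a TLS terminator that never heard of acme-tls/1.
	// Second run: the TLS connection reaches something that speaks acme-tls/1.
	for _, protos := range [][]string{{"h2", "http/1.1"}, {"acme-tls/1"}} {
		proto, err := Handshake(protos)
		fmt.Printf("server ALPN %v -> negotiated %q, client error: %v\n", protos, proto, err)
	}
}
```

The same program answers the later question of whether this error can come from an HTTP-01 check: it is produced inside the TLS handshake, by whatever answers on port 443, so a plain port-80 fetch cannot generate it. Note that a server which simply has no ALPN configured at all does not send this alert; the handshake completes with no protocol negotiated, which the validator rejects with a different message.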


They sure do:


@seanthegeek that might be an alternate place to seek help as well.


From the reddit site:
[they seem to have gotten more information than we did]
[ that one is close to me :slight_smile: ]


That's the weird thing: Previous requests had used the plain http challenge, so I was able to proxy the challenge without an issue. Somehow, that has changed to a TLS challenge, and I have no idea why. I hadn't changed any ACME config or updated firmware between my last successful renewal of an existing ACME cert and creating this new one.

My nginx configuration worked just fine until the challenge switched, which is what I was trying to get across earlier. I opened this thread to find out more about Let's Encrypt error messages, because that one seems vague. I can't find anything in the FortiGate CLI about setting a challenge type, so I'll open a support case with them.


Did it, or was it a redirect from HTTP (Port 80) to HTTPS (Port 443)?


It's possible the Fortigate changed what challenge type it used? Have you upgraded its firmware?


I can confirm [using a 60F with 7.2.4 code] that it doesn't do TLS-ALPN-01.

[who can spot a 60D in the picture? - lol]
Which circles back around to something redirecting the HTTP to HTTPS.


Already answered: No.
[7.2.4 is the latest]


Again: That is going in the wrong direction.
[See: Step #1 above.]


Sorry @rg305 I cannot spot a 60D, but I can get your left thumb print scan :rofl:

clue: It's the only other obvious firewall in the picture - LOL
[the gray to the left is also a firewall - CP model ST-5 - aka Smart-1 205]


The focus and depth of field make it hard for me to read on the upper left of the photograph.
Thus I could not read its MAC.


Would remote error: tls: no application protocol ever show up with a HTTP-01 challenge, or just TLS-ALPN? I created this thread to get an idea of what that error means, because to me that is rather vague. Knowing exactly what that error means would be super helpful.

A redirect wouldn't change an HTTP-01 challenge to a TLS-ALPN-01 challenge.

My guess is that if the firewall itself didn't change, something in front of the firewall (that previously just passed through TLS and is now doing something nosier) did.