Unable to create Automated Provision Certificate with Fortigate

Hello, I tried to follow intructions from Fortinet to be able able to create an automated Certificate for SSL VPN purpose but it's not working...

Requirements were : Public IP address with Hostname in DNS and it's ok
ACME interface without VIPS or port forwarding in 80 and 443, that's why I choose my second WAN link where there is nothing about that.

My domain is: ssl-vpn.heligrafics.net

I ran this command: It's all automatized by Fortigate, put my domain the name of the certificate and an email address.

It produced this output:

2023/08/10 12:02:50 Invalid response from http://sslvpn.heligrafics.net/.well-known/acme-challenge/QaFaXoK7wKBvvwm1bIL87WGF5NZqmlDsJAQs29FK3ME: 404
2023/08/10 12:02:50 Starting challenges for domains: Invalid response from http://sslvpn.heligrafics.net/.well-known/acme-challenge/QaFaXoK7wKBvvwm1bIL87WGF5NZqmlDsJAQs29FK3ME: 404, problem: urn:ietf:params:acme:error:unauthorized
2023/08/10 12:02:49 Starting challenges for domains
2023/08/10 12:02:49 Loaded order from staging
2023/08/10 12:02:48 Selecting account to use for sslvpn.heligrafics.net
2023/08/10 12:02:48 Driving ACME protocol for renewal of sslvpn.heligrafics.net
2023/08/10 12:02:47 Contacting ACME server for sslvpn.heligrafics.net at https://acme-v02.api.letsencrypt.org/directory
2023/08/10 12:02:47 Assessing current status
2023/08/10 12:02:47 Checking staging area
2023/08/10 12:02:47 Starting challenges for domains

From my fortigate I can ping lets encrypt without any problem, if someone can help on that topic It would be awesome !

Many thanks.

1 Like

Hi @Dam, and welcome to the LE community forum :slight_smile:

From the logs, I see: "sslvpn.heligrafics.net"

Q#1: What IP is on that second WAN link?
Q#2: What version of FortiOS?


when actually visit that page:

If you see this page it is because you have reached the default website.

This should not happen under normal circumstances. Probably you are trying to access your website using a name which has not been configured on your website, or your DNS record is not pointing to the right server.

think fortigate doesn't know about that subdomain?


Wow, this community is faster than the light ! haha

Yes, it was sslvpn.heligrafics.net, I added this DNS entry to my domain.

1 :
2 : We have the 7.0.11 right now

Many thanks rg !

1 Like


I just created an entry DNS resolving my Public IP, this hostname has to have a website page on it ?

Maybe I don´t understand how that thing works.


When I read the Fortinet Documentation I don´t have the sensation to have to more that what I did,

Many thanks guys !

1 Like

reading it makes me think that fortigate client is looking at forigate's hostname setup and only sign for that name?

add sslvpn subdomain as written there?


FortiOS does things a bit non-standard for ACME.


What do you show in System Settings for ACME Interface?:



We have a virtual wan link, 2 differents providers. I put WAN2 as this one is not using VIP nor port forwarding as describe in the documentation :

"The configured ACME interface must be public facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS)."

What is the IP on that WAN2 link?

2 Likes as I told you before

Thanks !

Speak with Fortinet support.
IIRC, there was a problem with ACME and multiple WAN interfaces.
I don't remember which FortiOS was affected, nor which version fixes that problem.



As you said on Friday I sent a support case to Fortinet, let's see what they will answer !

Keep you in touch !

1 Like

Any news?


Hello @rg305, the support is very long to respond, they asked me for the configuration and I'm waiting...

Many thanks

1 Like

Hello ! The problem is solved, I had a firewall rule using the port 443, the port which is using ACME, so we were able to make it work at the moment that we find it.

Nothing worked with the WAN2 so we did it with the WAN 1 !

Many thanks for your help everyone.

Have a nice day

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.