Technical Tip: ACME certificate showing not secure
Description
This article describes why the browser reports the page as not secure after an ACME certificate created on the FortiGate is used for administrator login.
Scope
FortiOS 7.0+.
Behavior not observed recently.
Solution
After the server certificate for secure administrator login is created on the FortiGate through ACME and assigned to the GUI, the browser still shows the page as not secure.
The browser does not trust the certificate issuer and reports an unknown-issuer error:
Firefox: SEC_ERROR_UNKNOWN_ISSUER
Chrome: NET::ERR_CERT_AUTHORITY_INVALID
On the firewall, the certificate entry shows that the ACME CA URL points at the Let's Encrypt staging directory.

Remove the staging URL from the certificate entry. The entry as created:
FortiGate-VM # config vpn certificate local
FortiGate-VM (local) # edit test
config vpn certificate local
    edit "test"
        set password XXX
        set comments "Renewed with ACME on Wed Oct 27 17:13:11 2021 (UTC)"
        set range global
        set enroll-protocol acme2
        set acme-ca-url https://acme-staging-v02.api.letsencrypt.org/directory   <-- Remove the staging.
        set acme-domain "agamtest.cloudem.cloud"
        set acme-email "tomer.grinberg@cloudem.co.il"
    next
end
The correct (production) URL is:
https://acme-v02.api.letsencrypt.org/directory
This happens because the certificate was requested from the Let's Encrypt staging environment (a test server). Staging issues certificates from a CA that is deliberately not included in any browser or operating-system trust store, so every client rejects the chain as coming from an unknown issuer.
The staging server exists only to confirm that the ACME client works, that it can register an account, answer the challenges and receive a certificate, without consuming production rate limits. To obtain a certificate that browsers trust, the client must be pointed at the production directory. A quick check after the change is to inspect the issuer of the certificate the GUI presents: a staging-issued certificate carries "(STAGING)" in its issuer name, a production one does not.
The same applies to a standalone ACME client such as certbot (formerly letsencrypt-auto), where the directory is chosen with the --server option. Let's Encrypt has retired its ACMEv1 endpoints (the acme-v01 and acme-staging URLs), so only the v2 directories should be used.
For staging, it is:
--server https://acme-staging-v02.api.letsencrypt.org/directory
For production, it is:
--server https://acme-v02.api.letsencrypt.org/directory
If --server is not specified, certbot defaults to production. To use staging, pass the staging URL, or use one of the equivalent switches (--test-cert or --staging).
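The check above can be scripted against a saved FortiGate configuration. The following is an added example and not Fortinet code: it parses the config vpn certificate local table, flags ACME entries whose acme-ca-url is the Let's Encrypt staging directory (or a retired ACMEv1 one), prints the CLI that repoints them at production, and includes the issuer-name test for a staging-issued certificate. SAMPLE_CONFIG is constructed to mirror the entry in this article; the helper names are this example's own.

```python
"""Audit FortiOS 'config vpn certificate local' entries for Let's Encrypt
staging (or retired ACMEv1) directory URLs and print the CLI that fixes them.
Added example, not Fortinet code; SAMPLE_CONFIG is constructed to mirror the
article's entry and the helper names are this example's own."""
import re

LE_PRODUCTION_V2 = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING_V2 = "https://acme-staging-v02.api.letsencrypt.org/directory"
# ACMEv1 endpoints are retired; listed only so they get flagged, never used.
LE_RETIRED_V1 = {
    "https://acme-v01.api.letsencrypt.org/directory",
    "https://acme-staging.api.letsencrypt.org/directory",
}


def classify_acme_url(url):
    """'production', 'staging', 'retired-v1' or 'unknown' for a directory URL."""
    u = url.strip().strip('"')
    if u == LE_PRODUCTION_V2:
        return "production"
    if u == LE_STAGING_V2:
        return "staging"
    if u in LE_RETIRED_V1:
        return "retired-v1"
    return "unknown"


def parse_local_certs(config_text):
    """Parse the 'config vpn certificate local' table into {name: {setting: value}}."""
    certs, current, in_table = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn certificate local":
            in_table = True
            continue
        if not in_table:
            continue
        if line == "end":
            break
        m = re.match(r'^edit\s+"?([^"]+)"?$', line)
        if m:
            current = m.group(1)
            certs[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = re.match(r"^set\s+(\S+)\s+(.+)$", line)
            if m:
                certs[current][m.group(1)] = m.group(2).strip().strip('"')
    return certs


def find_untrusted_acme_entries(config_text):
    """[(name, url, classification)] for ACME entries not on the production CA."""
    findings = []
    for name, settings in parse_local_certs(config_text).items():
        if settings.get("enroll-protocol") != "acme2":
            continue  # imported or factory certificates are not ACME-enrolled
        url = settings.get("acme-ca-url", "")
        kind = classify_acme_url(url)
        if kind != "production":
            findings.append((name, url, kind))
    return findings


def fix_commands(name):
    """FortiOS CLI that repoints one local certificate entry at production."""
    return "\n".join([
        "config vpn certificate local",
        f'    edit "{name}"',
        f"        set acme-ca-url {LE_PRODUCTION_V2}",
        "    next",
        "end",
    ])


def issuer_is_le_staging(issuer_dn):
    """True for an issuer DN (e.g. from 'openssl x509 -noout -issuer') from staging.
    Let's Encrypt staging CAs carry '(STAGING)' in their O and CN fields."""
    return "(STAGING)" in issuer_dn


SAMPLE_CONFIG = """\
config vpn certificate local
    edit "test"
        set password XXX
        set enroll-protocol acme2
        set acme-ca-url https://acme-staging-v02.api.letsencrypt.org/directory
        set acme-domain "agamtest.cloudem.cloud"
    next
    edit "gui-prod"
        set enroll-protocol acme2
        set acme-ca-url https://acme-v02.api.letsencrypt.org/directory
        set acme-domain "fw.example.com"
    next
    edit "legacy"
        set enroll-protocol acme2
        set acme-ca-url https://acme-v01.api.letsencrypt.org/directory
        set acme-domain "old.example.com"
    next
    edit "Fortinet_Factory"
        set range global
    next
end
"""

if __name__ == "__main__":
    for name, url, kind in find_untrusted_acme_entries(SAMPLE_CONFIG):
        print(f"{name}: {url} is {kind}\n{fix_commands(name)}\n")
```

Run it against the output of a full configuration backup; only entries with enroll-protocol acme2 are considered, so imported and factory certificates are left alone. The issuer check is deliberately a plain substring match because the staging intermediates and roots are the only Let's Encrypt CAs whose names contain "(STAGING)".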
