Lovepreet_Dhillon
Staff
July 29, 2022

Technical Tip: ACME certificate with certificate management services other than Let's Encrypt on v7.0.2 and above

Description

This article describes how to configure the ACME certificate with certificate management services other than Let's Encrypt on FortiOS v7.0.2 and later.

Scope

FortiOS v7.0.2 and later.

Solution

FortiOS v7.0 added support for configuring certificates using the ACME protocol, with the option to choose either 'Let's Encrypt' or 'Other' as the certificate management service that speaks ACME. For more information, refer to the New Features document that covers the initial introduction of ACME support: ACME certificate support | FortiOS 7.0.0 New Features.


For example, the following screenshot from FortiOS 7.0.1 shows the 'Other' option that can be defined during ACME configuration:

[Screenshot: FortiOS 7.0.1 ACME certificate dialog showing the 'Other' certificate management service option]

However, starting with v7.0.2, the 'Other' option is no longer available in the GUI and can only be configured via the CLI:

v7.0.2 GUI:

[Screenshot: FortiOS 7.0.2 ACME certificate dialog without the 'Other' option]

v7.0.2 CLI:


Before configuring the ACME certificate, the interface must be selected under 'config system acme'. Set the interface that the FortiGate will use to communicate with the ACME server.


config system acme
    set interface "portx"
end

config vpn certificate local
    edit <certificate_name>
        set enroll-protocol acme2
        set acme-ca-url <url>    <----- Enter the other ACME service's server/CA URL.
        set acme-domain <domain which resolves to FortiGate public IP address>
        set acme-email <valid email address>
    next
end


To determine the correct acme-ca-url to use, refer to the third-party ACME service's documentation.
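In ACME, the URL a client is configured with is normally the CA's directory URL (RFC 8555 section 7.1.1): a JSON document from which the client learns the newAccount, newOrder and other endpoints, so the value the third-party documentation gives for acme-ca-url is usually that directory endpoint. The Python below is an added example, not part of this article and not Fortinet code. It checks a directory document you have already fetched (for instance with curl) for the resources a conforming server must list, flags any endpoint that is not HTTPS, and reads meta.externalAccountRequired, which tells you whether the CA expects EAB credentials before it will create an account. The directory JSON is constructed sample data with placeholder hostnames.

```python
import json

# Constructed sample of an ACME directory document (RFC 8555 section 7.1.1).
# A real CA returns one like this when its directory URL is fetched over HTTPS.
SAMPLE_DIRECTORY = """{
  "newNonce": "https://acme.example/acme/new-nonce",
  "newAccount": "https://acme.example/acme/new-account",
  "newOrder": "https://acme.example/acme/new-order",
  "revokeCert": "https://acme.example/acme/revoke-cert",
  "keyChange": "https://acme.example/acme/key-change",
  "meta": {
    "termsOfService": "https://acme.example/terms",
    "externalAccountRequired": true
  }
}"""

# Resources RFC 8555 requires a directory to list (newAuthz is optional).
REQUIRED_RESOURCES = ("newNonce", "newAccount", "newOrder", "revokeCert", "keyChange")


def check_acme_directory(directory_json: str) -> dict:
    """Summarise whether a JSON document looks like an ACME directory.

    Returns which required resources are missing, which endpoints are not
    served over HTTPS, and whether the CA flags external account binding
    (EAB) as required.
    """
    directory = json.loads(directory_json)
    if not isinstance(directory, dict):
        raise ValueError("ACME directory must be a JSON object")

    missing = [name for name in REQUIRED_RESOURCES if name not in directory]
    insecure = [
        name for name in REQUIRED_RESOURCES
        if name in directory and not str(directory[name]).startswith("https://")
    ]
    meta = directory.get("meta")
    if not isinstance(meta, dict):
        meta = {}

    return {
        "looks_like_directory": not missing,
        "missing": missing,
        "insecure_endpoints": insecure,
        "eab_required": bool(meta.get("externalAccountRequired", False)),
        "terms_of_service": meta.get("termsOfService"),
    }


if __name__ == "__main__":
    print(json.dumps(check_acme_directory(SAMPLE_DIRECTORY), indent=2))
```

If eab_required comes back true, the CA will reject plain account creation and you will need the EAB key id and HMAC key it issues, which FortiOS v7.6.3 and later can carry in acme-eab-key-id and acme-eab-key-hmac.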


Update: As of FortiOS v7.6.3, support has been added for ACME External Account Binding (EAB), which allows administrators to associate an ACME account with an existing account at a non-ACME Certificate Authority. This feature is currently available through the CLI only:

config vpn certificate local
    edit <name>
        set acme-eab-key-id <key>
        set acme-eab-key-hmac <HMAC>
    next
end

Note 1: The current ACME implementation supports only a single domain per certificate.

Note 2: There is a known issue in FortiOS 7.6.4 and later where setting acme-eab-key-hmac results in the following error:

set acme-eab-key-hmac "DeGr0jpQkZ1hqMVskqpe99dsyyPUM-SS77qqQQTTMM88-yy331kf2DOzmG6dg96aM3-HuHi_OVELPsBFQSLNJw"
Invalid EAB HMAC string. (Must be base64url encoded)
node_check_object fail! for acme-eab-key-hmac DeGr0jpQkZ1hqMVskqpe99dsyyPUM-SS77qqQQTTMM88-yy331kf2DOzmG6dg96aM3-HuHi_OVELPsBFQSLNJw
value parse error before 'DeGr0jpQkZ1hqMVskqpe99dsyyPUM-SS77qqQQTTMM88-yy331kf2DOzmG6dg96aM3-HuHi_OVELPsBFQSLNJw.

As a workaround, download the configuration file, manually add the acme-eab-key-id and acme-eab-key-hmac values to the configuration, and then restore the updated configuration. This behavior is under active investigation by Fortinet R&D (Reference ID 1251941). Fix versions/details will be provided once available.
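The following Python is an added example, not part of this article and not Fortinet code. It reproduces the base64url check that the error message in Note 2 describes and shows what any ACME client, FortiOS included, must do with the two EAB values per RFC 8555 section 7.3.4: build the externalAccountBinding JWS, an HMAC-SHA256 over a protected header (alg, the CA-issued kid, the newAccount URL) and the account public key, keyed with the decoded EAB HMAC key. The HMAC key string is the one shown in the error output above; the key id, newAccount URL and account JWK are constructed placeholders. Note that the sample key passes the base64url check (it uses only the base64url alphabet and its length decodes cleanly), which is consistent with the article treating the rejection as a defect rather than a malformed key.

```python
import base64
import hashlib
import hmac
import json
import re

# Sample EAB HMAC key taken from the error output in Note 2 above; the key id,
# URL and account key below are constructed placeholders, not real CA values.
SAMPLE_EAB_HMAC = "DeGr0jpQkZ1hqMVskqpe99dsyyPUM-SS77qqQQTTMM88-yy331kf2DOzmG6dg96aM3-HuHi_OVELPsBFQSLNJw"
SAMPLE_EAB_KEY_ID = "example-eab-kid-0001"
SAMPLE_NEW_ACCOUNT_URL = "https://acme.example/acme/new-account"
SAMPLE_ACCOUNT_JWK = {  # public half of a P-256 ACME account key, constructed
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}

_B64URL_ALPHABET = re.compile(r"^[A-Za-z0-9_-]+$")


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url, restoring the padding Python expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_base64url(text: str) -> bool:
    """The check the FortiOS error message describes: base64url alphabet only
    (no '+', '/' or '='), and a length that decodes cleanly."""
    if not text or not _B64URL_ALPHABET.match(text):
        return False
    try:
        b64url_decode(text)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def build_eab_jws(key_id: str, hmac_key_b64url: str, new_account_url: str,
                  account_jwk: dict) -> dict:
    """Build the externalAccountBinding JWS of RFC 8555 section 7.3.4.

    The protected header carries alg=HS256, the CA-issued kid and the
    newAccount URL; the payload is the account public key (JWK); the MAC key
    is the decoded EAB HMAC key.
    """
    if not is_base64url(hmac_key_b64url):
        raise ValueError("EAB HMAC key must be base64url encoded")
    mac_key = b64url_decode(hmac_key_b64url)
    header = {"alg": "HS256", "kid": key_id, "url": new_account_url}
    protected = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload = b64url_encode(
        json.dumps(account_jwk, separators=(",", ":"), sort_keys=True).encode())
    signing_input = f"{protected}.{payload}".encode("ascii")
    signature = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected, "payload": payload,
            "signature": b64url_encode(signature)}


def verify_eab_jws(jws: dict, hmac_key_b64url: str) -> bool:
    """What the CA does on its side: recompute the MAC with its copy of the
    key and compare in constant time."""
    mac_key = b64url_decode(hmac_key_b64url)
    signing_input = f"{jws['protected']}.{jws['payload']}".encode("ascii")
    expected = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(jws["signature"]))


def eab_protected_header(jws: dict) -> dict:
    """Decode the protected header back to a dict for inspection."""
    return json.loads(b64url_decode(jws["protected"]))


if __name__ == "__main__":
    print("sample key is base64url:", is_base64url(SAMPLE_EAB_HMAC))
    eab = build_eab_jws(SAMPLE_EAB_KEY_ID, SAMPLE_EAB_HMAC,
                        SAMPLE_NEW_ACCOUNT_URL, SAMPLE_ACCOUNT_JWK)
    print(json.dumps(eab, indent=2))
    print("verifies:", verify_eab_jws(eab, SAMPLE_EAB_HMAC))
```

Because the EAB HMAC key is a shared secret that lets anyone holding it bind new ACME accounts to your CA account, treat it like a credential: keep it out of tickets and chat, and note that the workaround above puts it into a configuration backup, which should be handled and deleted accordingly.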

Related documents: