AlexC-FTNT
Staff
December 5, 2024

Troubleshooting Tip: ACME certificate provisioning

Description


This article describes the checklist of items that must be in place on FortiGate for Let's Encrypt ACME certificate provisioning to succeed.


Scope


FortiGate v7.0+.


Solution


Complete checklist and limitations for Let's Encrypt ACME certificate provisioning:

  1. Port 80 and port 443 must be open 'temporarily' on the desired WAN interface, and must not be used or published through a VIP/Server Load-Balance/SSL VPN or another service on FortiGate. Test by accessing both 'http://www.domain.com' and 'https://www.domain.com' (both should present the FortiGate login prompt). Do not test by accessing http://x.x.x.x or https://x.x.x.x (the domain's IP address); access by IP address is not what the verification process uses. The domain name must be owned, and it must be associated with the public IP used by FortiGate (and, after certificate provisioning, by the future web server). If SSL VPN is used on this interface with port 443, testing with 'http://www.domain.com' and 'https://www.domain.com' will open the SSL VPN login page instead of the firewall admin page. So either the SSL VPN port number must be changed, or a different interface must be used for the ACME provisioning.

  2. The WAN interface must be set under the ACME settings; this is the interface on which the challenge requests from the ACME servers are received. The ACME settings can be viewed with the command 'get system acme'.

  3. The WAN interface must have HTTPS and HTTP under 'allowaccess' (loopback and SD-WAN interfaces are not supported).
     For multi-VDOM setups, the WAN interface must be in the management VDOM.

  4. HTTP to HTTPS redirect must be disabled (temporarily) from System -> Settings -> Administration settings.

  5. Local-in policies must not block traffic from the ACME servers (they are located in the USA; keep this in mind if GeoIP-based policies are used).

  6. Trusted-hosts for admin access to FortiGate must be temporarily removed to allow this external access to the ACME challenge.

  7. Time-zone and time should be set correctly (NTP updated), according to the area where the IP is recorded.

  8. Make sure 'dedicated-to management' is not enabled on the interface, as this sends the management traffic over the dedicated management interface instead.

  9. If the FortiGate is a VM, there are additional checks to be performed, and improvements have been introduced from v7.6.1.

  10. Check the routing table and run a packet capture, because the traffic to the ACME servers must leave via the interface associated with the public IP used by FortiGate. Example: if WAN1 is used for the ACME certificate and the outgoing traffic reaches the ACME servers via WAN2, the certificate provisioning will fail. If the outgoing traffic uses the incorrect WAN interface, the workaround is to set a lower Administrative Distance on the link that needs to reach the ACME servers, or to temporarily disable the other ISP link.

  11. FortiGate cannot directly apply for or issue an ACME certificate for an external web server. The built-in ACME client in FortiGate is designed exclusively to manage certificates for the FortiGate's own interfaces, such as the administrative GUI, SSL VPN, and SSL inspection functions.

  12. If VDOM is enabled on a FortiGate, ACME is currently supported only for global certificates, so ensure the external interface is part of the management VDOM.
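Several items in the checklist above (items 1, 3 and 4) can be verified from outside the FortiGate before an enrollment attempt is made, by checking what an external client sees: the domain must resolve to the WAN public IP, tcp/80 and tcp/443 must answer, and the HTTP listener must return the login page rather than a redirect to HTTPS. The following pre-flight script is an added example and is not Fortinet code; the domain name, the 203.0.113.10 address and the HTTP responses are constructed for illustration, and DNS and TCP access are injected so the checks can run offline.

```python
"""Offline pre-flight checks for the ACME checklist above.

Added example, not Fortinet code. It checks what an external client would
observe: that the domain resolves to the WAN public IP (item 1), that
tcp/80 and tcp/443 answer (items 1 and 3), and that the HTTP listener
does not redirect to HTTPS (item 4). Network access is injected so the
checks can be exercised against constructed responses.
"""
import socket
from typing import Callable, List, Tuple

Resolver = Callable[[str], Tuple[str, List[str], List[str]]]
Connector = Callable[[str, int], bool]


def parse_status_line(raw_response: bytes) -> int:
    """Return the status code of a raw HTTP/1.x response."""
    first_line = raw_response.split(b"\r\n", 1)[0]
    parts = first_line.split()
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP response")
    return int(parts[1])


def header_value(raw_response: bytes, name: str) -> str:
    """Return the first matching header value (case-insensitive), or ''."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode(errors="replace")
    return ""


def http_redirects_to_https(raw_response: bytes) -> bool:
    """Item 4: a 3xx answer whose Location is https:// means the
    HTTP-to-HTTPS redirect is still enabled, which breaks the challenge."""
    if parse_status_line(raw_response) not in (301, 302, 303, 307, 308):
        return False
    return header_value(raw_response, "Location").lower().startswith("https://")


def domain_points_at(domain: str, expected_ip: str,
                     resolver: Resolver = socket.gethostbyname_ex) -> bool:
    """Item 1: the name must resolve to the WAN interface's public IP."""
    try:
        _, _, addresses = resolver(domain)
    except OSError:
        return False
    return expected_ip in addresses


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """Default connector: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_preflight(domain: str, expected_ip: str, http_response: bytes,
                  resolver: Resolver = socket.gethostbyname_ex,
                  connector: Connector = tcp_connect) -> List[str]:
    """Return a list of checklist findings; an empty list means the
    externally observable preconditions look satisfied."""
    findings = []
    if not domain_points_at(domain, expected_ip, resolver):
        findings.append(f"item 1: {domain} does not resolve to {expected_ip}")
    for port in (80, 443):
        if not connector(domain, port):
            findings.append(f"item 1/3: tcp/{port} on {domain} not reachable")
    if http_redirects_to_https(http_response):
        findings.append("item 4: HTTP-to-HTTPS redirect is still enabled")
    return findings


# Constructed sample responses, as a client fetching http://<domain>/ would see.
REDIRECT_RESPONSE = (b"HTTP/1.1 301 Moved Permanently\r\n"
                     b"Location: https://www.example.com/\r\n"
                     b"Content-Length: 0\r\n\r\n")
LOGIN_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                  b"Content-Type: text/html\r\n\r\n"
                  b"<html><body>FortiGate login</body></html>")


def fake_resolver(name):
    """Constructed resolver: the domain maps to a documentation address."""
    return (name, [], ["203.0.113.10"])


if __name__ == "__main__":
    # Run against the constructed inputs; drop the fakes for a live check.
    for resp in (REDIRECT_RESPONSE, LOGIN_RESPONSE):
        print(run_preflight("www.example.com", "203.0.113.10", resp,
                            resolver=fake_resolver,
                            connector=lambda host, port: True))
```

For a live run, call run_preflight with the real domain and WAN address and leave the resolver and connector at their socket defaults, passing the raw bytes returned by a plain HTTP GET to the domain; the first constructed response reproduces the state of item 4 before the redirect is disabled, the second the expected login page.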


Note

Starting from v7.6.3, the ACME External Account Binding (EAB) feature was added to allow domain ownership verification with new account requests. For more information, see this document: ACME External Account Binding support.


Related documents: