AlexFerenX
Visitor III
November 8, 2024
Question

ACME Clarification

  • November 8, 2024
  • 2 replies
  • 3165 views

Hi!

In "ACME certificate support" I see "It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS)". Since port forwarding and Virtual Servers are features of the VIP object, this text is unclear (to me).

Does the requirement refer to ALL VIPs (i.e. config firewall vip), or only those with portforward=enable?

Does the requirement also include VIPs configured with realservers?

Thanks!

2 replies

arahman
Staff
November 8, 2024

Hi, it means the VIP that has port forwarding enabled on ports 80 or 443. A VIP that doesn't have port forwarding enabled will apply to all ports, so this will also cause an issue.

https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support

AlexFerenX
Visitor III
November 9, 2024

Hi!
Can anyone at Fortinet answer my two questions?

Thanks!

tpatel
Staff
November 9, 2024

Hello Alex,


For the ACME certificate, port 443 and port 80 are going to be used, so if a VIP is configured for port 443 or 80 then all traffic is going to be DNATed using the VIP, which is going to cause an issue for ACME.
Not for all VIPs, but for a VIP which is created using the FortiGate WAN interface IP address, and only for port 443 and port 80.


Regarding VIP configuration:
We can configure port forwarding, then only the specific port's traffic is DNATed; or if we disable port forwarding then all traffic is DNATed to the internal server, meaning port 443 and port 80 as well.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-port-forwarding-using-FortiGate-VIPs/ta-p/196734


In a virtual server, if we configure it for port 443 and 80 then it is going to DNAT ACME traffic also.


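As an added example (not from the thread, Fortinet, or its documentation), a small Python check that applies the rule described in the reply above to a `config firewall vip` block: a VIP on the WAN address with port forwarding disabled covers every port, while one with port forwarding enabled conflicts only if its extport range covers 80 or 443. The sample configuration and the WAN address 203.0.113.10 are constructed, and the check assumes the VIP's `extip` equals the WAN interface address.

```python
import re
# Constructed sample 'config firewall vip' block (not taken from the thread).
SAMPLE_VIP_CONFIG = """
config firewall vip
    edit "web-8443"
        set extip 203.0.113.10
        set mappedip "192.168.1.10"
        set portforward enable
        set extport 8443
    next
    edit "mail-range"
        set extip 203.0.113.10
        set mappedip "192.168.1.11"
        set portforward enable
        set extport 440-445
    next
    edit "all-ports"
        set extip 203.0.113.10
        set mappedip "192.168.1.20"
    next
end
"""

def parse_vips(text):
    # Map each 'edit "<name>"' entry to its 'set <key> <value>' pairs.
    vips, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r'edit "(.+)"$', line):
            current = vips.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r'set (\S+) (.+)$', line)):
            current[m.group(1)] = m.group(2).strip('"')
    return vips

def port_range(spec):
    # FortiOS writes a single port as "8443" and a range as "440-445".
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def captures_acme_port(vip):
    # No port forwarding: every port, 80/443 included; otherwise only if extport covers 80 or 443.
    if vip.get("portforward", "disable") != "enable":
        return True
    return bool({80, 443} & set(port_range(vip["extport"])))

def acme_conflicts(text, wan_ip):
    # Names of VIPs on the WAN address that would DNAT traffic arriving on 80 or 443.
    return [name for name, v in parse_vips(text).items()
            if v.get("extip") == wan_ip and captures_acme_port(v)]
```

Running `acme_conflicts(SAMPLE_VIP_CONFIG, "203.0.113.10")` flags `mail-range` (its 440-445 range covers 443) and `all-ports` (no port forwarding), while `web-8443` is left alone.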
AlexFerenX
Visitor III
November 9, 2024

Hi @tpatel!

If I configure a VIP with "extport" set to 443, will FortiGate use port 80 for ACME?

Thanks!