Alby23
New Member
December 13, 2016
Solved

Let's Encrypt and FortiGate

  • December 13, 2016
  • 4 replies
  • 139970 views

Do you know if it's possible to use a Let's Encrypt-generated certificate on the FortiGate for the VPN portal?

    Best answer by TecnetRuss

    Just updating this thread to mention that ACME/Let's Encrypt functionality is now built into FortiOS 7.0: New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library

    Russ
    NSE7

    4 replies

    Iescudero
    New Member
    December 13, 2016

    Hello!

    The answer is yes! Of course you can use any certificate you want; just be careful how you create the certificate, and the CA chain must be present. If the CA is present in the client's browser, then you'll be fine.

    Bye!

    Alby23
    Author
    New Member
    December 13, 2016

    I'm talking specifically about Let's Encrypt. It's something different in the way you create the certificate (and of course the CA is trusted).

    Nils
    New Member
    December 13, 2016

    From my understanding, you just need to have a web server available when you create the certificate to verify ownership of the domain name/IP. Just create a CSR on the FortiGate first.

    Then you'll get a regular certificate to import on your FortiGate?

    Infantryman
    New Member
    January 26, 2018

    Yes, it is. It is even possible with a self-signed certificate.

    1- Go under: System --> Certificates then Import your certificate & CA.

    2- Go under: VPN --> SSL --> Settings --> Connection Settings --> Server Certificate then choose the Let's Encrypt certificate.

    cookem
    New Member
    April 25, 2018

    Anyone have any luck creating a script for automated cert renewal?

    peter_wickenberg
    New Member
    March 22, 2019

    I solved it by setting up a reverse proxy using Traefik and Let's Encrypt to give me access to management and SSL VPN through the proxy. That way I get automatically updated certificates for both services by bouncing it on the inside, and I can't say it's affecting performance either.

    Kangming
    Staff
    April 7, 2021
    trump26901
    New Member
    April 26, 2021

    Has anyone tested the new LE ACME client to see if it is functional with the built-in DDNS function of FortiGate, where the device has a DNS name of [customname].fortiddns.com?

    I tried it and am getting:

    "detail": "Contacting ACME server for [customname].fortiddns.com at https://acme-v02.api.letsencrypt.org/directory: The ACME server at <https://acme-v02.api.letsencrypt.org/directory> reports that Service is Unavailable (503). This may happen during maintenance for short periods of time."

    But it doesn't appear to be short-term, and I can't figure out what rule I might be missing to allow this traffic, which I assume is getting blocked.

    Edit: FYI, it took about 20 minutes, but it did actually update and work. I won't delete this post so others know.

    TecnetRuss
    Visitor III
    April 26, 2021

    Yep, it works with fortiddns.com or float-zone.com dynamic DNS names just fine, although, as you noticed, it does take a few minutes to complete the process, during which you may see errors. I can confirm it's also fine if you already have SSL-VPN enabled on port 443; that doesn't interfere with the ACME process.

    I'm waiting to confirm that the renewal process works and that it correctly replaces the expired certificate in all the places it can get bound, e.g. the admin interface, SSL-VPN, the "Protect Server" SSH/SSL inspection profile, etc.

    Russ

    NSE7
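    Two things in this thread are worth checking from the outside rather than trusting the GUI: cookem's question about automating renewal, and Russ's point above that a renewed certificate has to actually replace the old one everywhere it is bound (admin GUI, SSL-VPN portal, inspection profiles). The script below is an added example, not code from the thread or from Fortinet. It uses only the Python standard library to fetch the certificate each FortiGate listener presents, report who issued it and how many days remain, and confirm that two listeners present the same certificate after a renewal. The hostname `vpn.example.com`, the ports 443 and 10443, and the sample certificate dictionary are constructed placeholders.

```python
"""Check which TLS certificate FortiGate listeners are actually serving after
an ACME renewal. Standard library only; host, ports and SAMPLE_CERT are
constructed placeholders, not values from the forum thread."""
import socket
import ssl

# Constructed sample of what ssl.SSLSocket.getpeercert() returns, shaped like a
# Let's Encrypt leaf certificate. Every value here is a placeholder.
SAMPLE_CERT = {
    "subject": ((("commonName", "vpn.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Let's Encrypt"),),
        (("commonName", "R3"),),
    ),
    "subjectAltName": (("DNS", "vpn.example.com"),),
    "notBefore": "Jan 27 00:00:00 2021 GMT",
    "notAfter": "Apr 27 00:00:00 2021 GMT",
    "serialNumber": "0123456789ABCDEF",  # constructed
}
# Constructed "current time" for the offline demonstration: one week before expiry.
SAMPLE_NOW = ssl.cert_time_to_seconds("Apr 20 00:00:00 2021 GMT")


def flatten_name(name):
    """Turn getpeercert()'s nested RDN tuples into a flat {attribute: value} dict."""
    flat = {}
    for rdn in name:
        for key, value in rdn:
            flat[key] = value
    return flat


def assess_cert(cert, expected_host, now, warn_days=14):
    """Classify a peer certificate: who issued it, whether it covers the host,
    and how long until it expires. `now` is seconds since the epoch."""
    issuer = flatten_name(cert.get("issuer", ()))
    subject = flatten_name(cert.get("subject", ()))
    dns_names = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    expires_at = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = (expires_at - now) / 86400
    return {
        "issuer": issuer.get("organizationName"),
        "lets_encrypt": issuer.get("organizationName") == "Let's Encrypt",
        "covers_host": expected_host == subject.get("commonName") or expected_host in dns_names,
        "days_left": int(days_left),
        "renew_soon": days_left < warn_days,
        "expired": days_left <= 0,
    }


def same_certificate(cert_a, cert_b):
    """True when two listeners present the same certificate (same serial number)."""
    return cert_a.get("serialNumber") == cert_b.get("serialNumber")


def fetch_cert(host, port, timeout=5.0):
    """Connect and return the certificate the server presents. The default
    context verifies the chain and hostname, so an untrusted or mismatched
    certificate raises ssl.SSLCertVerificationError instead of passing quietly."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    import time

    host = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com"  # placeholder
    # Placeholder ports: adjust to where the SSL-VPN portal and admin GUI listen.
    certs = {}
    for port in (443, 10443):
        try:
            certs[port] = fetch_cert(host, port)
            print(port, assess_cert(certs[port], host, time.time()))
        except (OSError, ssl.SSLError) as exc:
            print(port, "TLS check failed:", exc)
    if len(certs) == 2:
        first, second = certs.values()
        print("same certificate on both ports:", same_certificate(first, second))
```

    Run it from a host that can reach the FortiGate's listeners (from the outside for the portal, from a management network for the GUI) after each scheduled renewal; a listener that still presents the old serial number, or one whose chain no longer verifies, is the binding that did not get updated.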

    vusal_d
    New Member
    October 24, 2021

    Yes

    I did that and it works well

    beltskyy
    Visitor III
    October 26, 2021

    vusal.d wrote:

    Yes

    I did that and it works well

    Could you please be so kind as to show the right steps to change the staging ACME server? Thanks a lot!