MarTek
Explorer II
August 25, 2023
Solved

Let's Encrypt unable to reach domain of firewall to create certificate

  • August 25, 2023
  • 2 replies
  • 14699 views


I am using a FortiGate 40F with FortiOS 7.4.0 build 2360, and I'm looking to create a certificate for my web GUI and another certificate for my web VPN via the Let's Encrypt service the firewall provides, and I'd like to configure ACME auto renewal. I purchased a domain through Cloudflare to use for the firewall, let's call it "mydomain.com". I created an A record in Cloudflare that points mydomain.com to the public IP address of my network, which is my FortiGate unit, as it's the router.


However, when I try to create a certificate for mydomain.com in the GUI, under System > Certificates > Create/Import > Certificate > Use Let's Encrypt, it errors out, stating "no valid A records found for mydomain.com; no valid AAAA records found for mydomain.com".

Edit: I read the following posts prior to posting this:

1. https://community.fortinet.com/t5/Support-Forum/fcm-models-acme-acme-Acme-Error-A-C-M-E-Certificate-request-has/td-p/264455
2. https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support

What have I done wrong with the DNS configuration, and is there a better way to do this than I am trying?

Best answer by hbac (Staff), August 26, 2023

Hi @MarTek

Can you ping mydomain.com? Does it resolve to the FortiGate's public IP address?

Please make sure https and http are enabled on the wan interface and make sure port 443 is not being used for SSL VPN or GUI access.

2 replies


MarTek (Author, Explorer II), August 28, 2023

I tried pinging from my administrative desktop; however, it resolves internally to the local IP address from my DNS server. I'll try this in an online terminal instead.

ebilcari (Staff), August 27, 2023

Basically there is a waiting time for the new DNS record to be propagated, depending on the provider. In this case the DNS server of Let's Encrypt should have received your newly created A record before you can apply for a certificate. With FGT, only an A record is needed because it will participate in the HTTP challenge.

There is also another verification method from Let's Encrypt based on a DNS challenge (TXT records), but that's not the case here.

MarTek (Author, Explorer II), August 28, 2023

Hello,


I have used Cloudflare at home for personal servers. I find that 5 minutes is the normal propagation time for their DNS, at least internally. 8 hours seemed more appropriate for my friends to reach the servers. I was doing this last Friday (3 days ago), and I tried again this morning, to no avail. This proves that I made a mistake with my DNS configuration. When I fix this, I will post a solution.