mschlott
New Member
April 9, 2026
Question

Managing ACME certificates on FortiWeb not exposed to the internet


I have a FortiWeb that is used for our QA environment that is not exposed to the internet. I need to be able to manage certificates on it automatically to avoid having to manually replace them every month as the lifecycle shortens. DNS-01 is completely manual, so that's out. I tried HTTP-01 using an internal private ACME server, but the FortiWeb rejects the certificate when making the HTTPS request to the ACME server because it is signed by our internal CA.

Does anyone have a method they are happy with for managing certificates in this situation?

1 reply

mschlott (Author)
New Member
April 22, 2026

Someone had suggested that I try uploading the CA certificate, but that reply got removed. My account was prevented from replying until just now, so if that was you, sorry for taking so long to get back. I have uploaded the CA certificate everywhere that I think would matter. Fortinet support says this will not help the ACME requests and I need to put a commercially signed cert on my ACME server for the FortiWeb to trust it and make the ACME request.

I think my best option is to have a server running certbot request the certificate and use Ansible to make CLI calls to upload new certificates and manage the profiles. This seems risky because these commands could change after FortiWeb upgrades.
