Skip to main content
Canapla
Canapla
New Member
March 23, 2023
Question

SSL Certificate offloading

  • March 23, 2023
  • 4 replies
  • 2341 views

Hi everybody

 

I have a Fortigate 40F that answer to an A record DNS of my domain "fortigate.example.com". Inside the local network I have a WEB server that I need for work, another A record that point to the same public IP address that answer to  api.example.com.

I have setup the virtual server that answer to the different name and I can find both, but the problem is with the certificate. With the different name I can bypass the double 80 and 443 port, but the proxy offload the SSL certificate of the fortigate to the web server and navigating to the web site I get an error couse the site api.example.com have the certificate of fortigate.example.com.

I have search online but seems it's not possible to disable the certificate offload and the SO of the fortigate doesn't support the wildcard of let's Encrypt.

Someone have an idea how to solve? I'm quite new with fortigate so please if you have a solution explain it like I am an idiot :p

4 replies

Anthony_E
Staff
Anthony_E
Staff
March 27, 2023

Hello Canapia,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
Anthony_E
Staff
March 29, 2023

Hello Canapia,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Regards.

Best Regards
Anthony_E
Staff
Anthony_E
Staff
March 31, 2023

Hello Canapia,

 

Could you please contact our support via https://support.fortinet.com/welcome/#/

 

Regards,

Best Regards
gfleming
Staff
gfleming
Staff
March 31, 2023

Can you just confirm so I can be sure I understand you, you want to be able to reach the FortiGate on HTTPS (Web VPN, admin GUI, etc) using a hostname that points to its public IP address.

And you want to create a VIP with a web server behind it that is using another hostname but using the same IP address as the FortiGate WAN?

 

Yes this is possible! However, you need to understand that you'll need to use different ports if you want to share the same IP and port for two different servers.

 

Your FortiGate and Web Server are two different servers sharing the same IP address.

 

If you can't use a non-standard port for either the FortiGate or the Web Server, you could possibly look to using the Web Server to do some redirection for you based on the hostname. I.e. the web server could handle all port 443 connections and anything for Fortigate.example.com would get sent back to the FortiGate.

Terms & ConditionsAccessibility statement