vpereira
Staff
Description
This article describes how to configure ACME certificate support when the ACME interface must use the same port as SSL-VPN.

Related document:
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support

Solution
When ACME certificate support is configured, select the interface that will receive and reply to ACME connections. Usually this port is the same one used by SSL-VPN.

However, if the 'Redirect HTTP to SSL-VPN' setting is enabled, it will not be possible to select the same port for the ACME interface, and the configuration cannot proceed.
If this is the case, disable 'Redirect HTTP to SSL-VPN' in the SSL-VPN settings so that the same port can be used for both SSL-VPN and ACME.

Nevertheless, the restrictions mentioned in the Fortinet documentation linked above still apply:

- The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address.
- The configured ACME interface must be public facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs or port forwarding on port 80 (HTTP) or 443 (HTTPS).
- The Subject Alternative Name (SAN) field is automatically filled with the FortiGate DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.
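The CLI equivalent of the steps above, as an added example that is not part of the original article or of the linked Fortinet documentation. The attribute names (https-redirect, enroll-protocol, acme-domain, acme-email, system acme interface) are assumed from FortiOS 7.0 CLI behaviour and should be confirmed with the '?' help on the device; "port1", fgt.example.com and admin@example.com are placeholders.

```fortios
# 1. Disable 'Redirect HTTP to SSL-VPN' so port 443 can also serve ACME,
#    and keep SSL-VPN on the port that ACME will share (assumed attribute names).
config vpn ssl settings
    set https-redirect disable
    set port 443
end

# 2. Bind the ACME listener to the public-facing interface (placeholder "port1").
#    This interface must not carry VIPs or port forwarding on 80/443.
config system acme
    set interface "port1"
end

# 3. Request the certificate. acme-domain must be the public FQDN that
#    resolves to the interface's public IP; the SAN is derived from it.
config vpn certificate local
    edit "acme-cert"
        set enroll-protocol acme2
        set acme-domain "fgt.example.com"
        set acme-email "admin@example.com"
    next
end

# 4. Once issued, present the ACME certificate on the SSL-VPN portal.
config vpn ssl settings
    set servercert "acme-cert"
end
```

With https-redirect disabled, plain HTTP clients hitting the SSL-VPN port are no longer bounced to HTTPS, so publish the https:// portal URL to users explicitly.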