FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193183


This article describes how to configure ACME Certificate support when simultaneously using the same port for SSL VPN. 


Related document:
ACME certificate support


When ACME certificate support is configured, select an interface that will receive and reply to ACME connections, usually this port will be the same as the SSL-VPN port.




However, if 'Redirect HTTP to SSL-VPN' setting is enabled, it will not be possible to select the same port for the ACME interface and it not be possible to move forward. If this is the case, it will be necessary to disable the setting 'Redirect HTTP to SSL VPN' on the SSL VPN settings to be able to use the same port for SSL VPN and ACME. Nevertheless, the restrictions mentioned in the Fortinet documentation linked above still maintained:



    The FortiGate must have a public IP address and a hostname in DNS (FQDN) that resolves to the public IP address. If not having a public DNS record, it is possible to use FortiGuard DDNS by following this article: Technical Tip: How to configure Dynamic DNS FortiGate.

  • The configured ACME interface must be public-facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS).

  • The Subject Alternative Name (SAN) field is automatically filled with the FortiGate DNS hostname. It cannot be edited, wildcards cannot be used, and multiple SANs cannot be added.





Best Practices:

  1. Regularly Monitor ACME & Certificates: Ensure that the ACME process is running smoothly and that certificates are being renewed before expiration. Set up alerts or reminders for certificate expiry dates.

  2. Backup Configuration: Always back up the configuration before making changes. This action provides a safety net in case something goes wrong.

  3. Review Security Settings: Periodically review the security settings on the ACME and SSL-VPN interfaces. Ensure they conform to the latest best practices and recommendations.

  4. Stay Updated: Fortinet, like many vendors, frequently releases updates and patches. Ensure the device is updated to benefit from the latest features and security patches.

Integrating ACME certificate support with SSL VPN on a FortiGate device provides an automated certificate management solution, essential for maintaining secure remote access. By understanding the intricacies of the setup and adhering to best practices, administrators can ensure a seamless and secure user experience.