Created on 02-19-2022 04:41 AM, edited on 12-05-2024 02:06 AM, by Jean-Philippe_P
Description
This article describes why, after an ACME certificate is created on a FortiGate, the browser reports the page as not secure.
Scope
FortiOS 7.0+.
This behavior has not been observed recently.
Solution
After creating the server certificate used for secure administrator login to the FortiGate, the browser shows a "not secure" page because it does not trust the certificate issuer:
Firefox: sec_error_unknown_issuer
Chrome: NET::ERR_CERT_AUTHORITY_INVALID
In the certificate settings on the FortiGate, the ACME CA URL points to the Let's Encrypt staging directory.
Remove the staging URL from the certificate:
FortiGate-VM # config vpn certificate local
FortiGate-VM (local) # edit test
FortiGate-VM (test) # show
config vpn certificate local
edit "test"
set password XXX
set comments "Renewed with ACME on Wed Oct 27 17:13:11 2021 (UTC)"
set range global
set enroll-protocol acme2
set acme-ca-url https://acme-staging-v02.api.letsencrypt.org/directory <-- Remove the staging.
set acme-domain "agamtest.cloudem.cloud"
set acme-email "tomer.grinberg@cloudem.co.il"
next
end
The correct URL looks like:
https://acme-v02.api.letsencrypt.org/directory
This happens because the certificate was created against the Let's Encrypt staging (test) server, so the certificate for the domain was issued by a fake CA that browsers do not trust.
The Let's Encrypt staging server should be used only to verify that the client works and can complete the challenges and obtain certificates; to obtain a valid certificate, the correct server must be used in the letsencrypt-auto command.
For staging, it is:
--server https://acme-staging.api.letsencrypt.org/directory
For production, it is:
--server https://acme-v01.api.letsencrypt.org/directory
If no server is specified, letsencrypt-auto defaults to production; to use staging, specify the staging server or use one of the switches --test-cert or --staging.
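The following script is an added example and is not Fortinet's code or part of the original article. It parses a FortiOS "config vpn certificate local" listing of the shape shown above, reports every ACME-enrolled certificate whose acme-ca-url points at the Let's Encrypt staging directory, prints the CLI commands that switch it to the production directory, and also checks an issuer distinguished name for the "(STAGING)" marker that Let's Encrypt staging intermediates carry. The sample configuration, domain names and issuer strings are constructed for illustration; only the two directory URLs are real Let's Encrypt endpoints.

```python
"""Audit FortiOS 'config vpn certificate local' output for ACME certificates
enrolled against the Let's Encrypt staging directory.

Added example (not Fortinet code). SAMPLE_CONFIG and the issuer strings are
constructed; only the directory URLs are real Let's Encrypt endpoints.
"""
import re

# Real Let's Encrypt ACME v2 directory endpoints.
LE_STAGING_URL = "https://acme-staging-v02.api.letsencrypt.org/directory"
LE_PRODUCTION_URL = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample of a FortiOS 'show' listing: one certificate enrolled
# against staging, one against production, one with no ACME settings.
SAMPLE_CONFIG = """\
config vpn certificate local
    edit "test"
        set password XXX
        set range global
        set enroll-protocol acme2
        set acme-ca-url https://acme-staging-v02.api.letsencrypt.org/directory
        set acme-domain "example-fw.example.com"
        set acme-email "admin@example.com"
    next
    edit "prod-cert"
        set enroll-protocol acme2
        set acme-ca-url https://acme-v02.api.letsencrypt.org/directory
        set acme-domain "fw.example.com"
    next
    edit "self-signed"
        set range global
    next
end
"""

_EDIT_RE = re.compile(r'^\s*edit\s+"?([^"\s]+)"?\s*$')
_SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_local_certs(text):
    """Return {cert_name: {setting: value}} from a FortiOS config listing."""
    certs, current = {}, None
    for line in text.splitlines():
        m = _EDIT_RE.match(line)
        if m:
            current = m.group(1)
            certs[current] = {}
            continue
        if line.strip() == "next":
            current = None
            continue
        m = _SET_RE.match(line)
        if m and current is not None:
            certs[current][m.group(1)] = m.group(2).strip('"')
    return certs


def is_staging_url(url):
    """True when the ACME directory URL is a Let's Encrypt staging endpoint."""
    return "acme-staging" in url.lower()


def issued_by_staging(issuer_dn):
    """True when an issuer DN carries the '(STAGING)' marker used by
    Let's Encrypt staging CAs (e.g. O=(STAGING) Let's Encrypt)."""
    return "(STAGING)" in issuer_dn.upper()


def find_staging_certs(text):
    """Names of ACME-enrolled certificates whose CA URL points at staging."""
    return [
        name for name, settings in parse_local_certs(text).items()
        if settings.get("enroll-protocol") == "acme2"
        and is_staging_url(settings.get("acme-ca-url", ""))
    ]


def fix_commands(text):
    """FortiOS CLI commands that move every staging certificate to production."""
    lines = []
    for name in find_staging_certs(text):
        lines += ["config vpn certificate local",
                  f'edit "{name}"',
                  f"set acme-ca-url {LE_PRODUCTION_URL}",
                  "next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    for name in find_staging_certs(SAMPLE_CONFIG):
        print(f"{name}: enrolled against Let's Encrypt staging; browsers will not trust it")
    print(fix_commands(SAMPLE_CONFIG))
```

Run the script against a saved "show" listing instead of SAMPLE_CONFIG to audit a real FortiGate; the issuer check can be applied to the output of "openssl x509 -noout -issuer" on the certificate the browser actually received, which confirms the staging origin independently of the configuration.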
Copyright 2025 Fortinet, Inc. All Rights Reserved.