FortiGate
bvagadia
Staff
Article Id 205117

Description

This article describes why, after creating an ACME certificate on FortiGate, the browser reports that the page is not secure.


Scope

FortiOS 7.0+.

Behavior not observed recently.


Solution

After creating a server certificate with ACME for secure administrator login to the FortiGate, the browser shows a "not secure" page.


The browser does not trust the certificate issuer:

Firefox: sec_error_unknown_issuer
Chrome: NET::ERR_CERT_AUTHORITY_INVALID


On the firewall, the certificate's ACME CA URL can be seen to point at the Let's Encrypt staging directory.


Remove the staging from the certificate:

FortiGate-VM # config vpn certificate local
FortiGate-VM(local) edit test
config vpn certificate local
    edit "test"
        set password XXX
        set comments "Renewed with ACME on Wed Oct 27 17:13:11 2021 (UTC)"
        set range global
        set enroll-protocol acme2
        set acme-ca-url https://acme-staging-v02.api.letsencrypt.org/directory   <-- Remove the staging.
        set acme-domain "agamtest.cloudem.cloud"
        set acme-email "tomer.grinberg@cloudem.co.il"
    next
end


The correct URL looks like:

https://acme-v02.api.letsencrypt.org/directory


This happens because the certificate was created against the Let's Encrypt staging (test) server, so the certificate for the domain was issued by a staging CA that browsers do not trust.

The Let's Encrypt staging server should be used only to verify that the client works and can complete the challenges and obtain certificates. To obtain a valid certificate, use the production server in the letsencrypt-auto command (for FortiGate's acme2 enrollment, that is the v02 directory URL shown above).
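The check described above, as an added example that is not Fortinet's code: it parses the text of `show vpn certificate local`, flags every ACME certificate whose `acme-ca-url` is a Let's Encrypt staging directory, and prints the CLI that points it at production. The sample config, certificate names and domains are constructed for the example.

```python
import re

PRODUCTION_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed sample modelled on the config block above (not a device capture).
SAMPLE_CONFIG = """\
config vpn certificate local
    edit "test"
        set enroll-protocol acme2
        set acme-ca-url https://acme-staging-v02.api.letsencrypt.org/directory
        set acme-domain "admin.example.net"
    next
    edit "prod"
        set enroll-protocol acme2
        set acme-ca-url https://acme-v02.api.letsencrypt.org/directory
    next
end
"""

def parse_local_certs(text):
    """Return {name: {setting: value}} for each 'edit ... next' block."""
    certs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        edit = re.match(r'^edit\s+"?(.+?)"?$', line)
        setting = re.match(r'^set\s+(\S+)\s+(.*)$', line)
        if edit:
            current = certs.setdefault(edit.group(1), {})
        elif setting and current is not None:
            current[setting.group(1)] = setting.group(2).strip('"')
        elif line == "next":
            current = None
    return certs

def find_staging_certs(certs):
    """Names of ACME certs whose directory URL is a Let's Encrypt staging endpoint."""
    return sorted(name for name, s in certs.items()
                  if s.get("enroll-protocol") == "acme2"
                  and "acme-staging" in s.get("acme-ca-url", ""))

def fix_commands(name):
    """FortiOS CLI that points one certificate at the production directory
    (the certificate must then be re-issued so a production CA signs it)."""
    return ["config vpn certificate local", f'    edit "{name}"',
            f"        set acme-ca-url {PRODUCTION_DIRECTORY}", "    next", "end"]

if __name__ == "__main__":
    for name in find_staging_certs(parse_local_certs(SAMPLE_CONFIG)):
        print(f"{name}: enrolled against staging, fix with:")
        print("\n".join(fix_commands(name)))
```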


For staging, it is:

--server https://acme-staging.api.letsencrypt.org/directory

For production, it is:

--server https://acme-v01.api.letsencrypt.org/directory

If no server is specified, the command defaults to production. To use staging, either specify the staging server or use one of the switches --test-cert or --staging.