ACME certificate support is a new feature introduced in FortiOS 7.0.
There are three requirements for Let's Encrypt certificate auto-renewal to succeed:
1. Ensure no local-in policies block traffic to the FortiGate on TCP ports 80 and 443 on the ACME listening interface. The Let's Encrypt http-01 challenge is validated over port 80, and the ACME listener also uses port 443.
2. If SSL VPN is enabled and the ACME listening interface is the same interface SSL VPN listens on, the SSL VPN port must not conflict with the ACME port. Either disable https-redirect in the SSL VPN settings, or move SSL VPN from port 443 to a non-default port:
config vpn ssl settings
set https-redirect disable <- Disable https-redirect so ACME and SSL VPN can share port 443.
set port 10443 <- Alternatively, move SSL VPN to a different port.
end
3. If an active Virtual IP for static NAT or port forwarding on port 443 uses the same IP address as the ACME listening interface, it prevents the certificate from being renewed. Change the external VIP address or the external service port of the port forwarding so it does not conflict with ACME on port 443.
Related article:
Technical Tip: ACME certificate enrollment with SSL VPN.
If all of the requirements described above are satisfied but the certificate is still not auto-renewing, run the following commands on the FortiGate. If the FortiGate is part of an HA cluster, run them on every cluster member:
- Check ACME status:
get system acme status
get system acme acc-details
- Force config regeneration and certificate renewal:
diagnose sys acme regenerate-client-config
diagnose sys acme restart
- Wait 2-3 minutes, then check the certificate status:
get vpn certificate local details <Local certificate name>
diagnose sys acme status-full <Certificate's CN domain>
To change the ACME listening interface/source-ip:
config system acme
set interface <interface-name>
set source-ip <ipv4-address>
end
Increase the ACME renewal window (acme-renew-window). By default it is set to 30:
config vpn certificate local
edit <ACME_certificate_name>
set acme-renew-window 30
next
end
The window counts backwards from expiry: with the default, the certificate is renewed 30 days before expiration, not 30 days after issuance. Let's Encrypt issues certificates that are valid for 90 days, so to renew 30 days after issuance the window must be set to 60. A window larger than the number of days remaining on the current certificate makes it eligible for renewal at the next ACME run, which is also a simple way to force a renewal when testing.
Use the following commands to increase the ACME renewal window, here to 60 days:
config vpn certificate local
edit <ACME_certificate_name>
set acme-renew-window 60
next
end
If the issue persists, remove the references to the ACME certificate from the configuration (for example, when it is selected as the SSL VPN server certificate or as the admin-server certificate). The SSL VPN or admin-server certificate can temporarily be switched to the built-in Fortinet certificate of the FortiGate; then force config regeneration and certificate renewal again:
diagnose sys acme regenerate-client-config
diagnose sys acme restart
Sample output when the ACME certificate is renewed:
get vpn certificate local details acme-cert
== [ acme-cert ]
Name: acme-cert
Subject: CN = test.ftntlab.de
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid from: 2023-02-13 05:00:45 GMT
Valid to: 2023-05-14 05:00:44 GMT
Fingerprint: 9A:03:0F:41:29:D7:01:45:04:F3:16:C0:BD:63:A2:DB
Serial Num: 03:d3:55:80:d2:e9:01:b4:ca:80:3f:2e:fc:24:65:ad:7c:0c
ACME details:
Status: The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.
Staging status: Nothing in staging

diagnose sys acme status-full test.ftntlab.de
{
  "name": "test.ftntlab.de",
  "finished": true,
  "notified": false,
  "next-run": "Mon, 13 Feb 2023 20:51:14 GMT",
  "last-run": "Mon, 13 Feb 2023 06:00:37 GMT",
  "valid-from": "Mon, 13 Feb 2023 20:51:14 GMT",
  "errors": 0,
  "last": {
    "status": 0,
    "detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.",
    "valid-from": "Mon, 13 Feb 2023 20:51:14 GMT"
  },
  "log": {
    "entries": [
      { "when": "Mon, 13 Feb 2023 06:00:46 GMT", "type": "finished" },
      { "when": "Mon, 13 Feb 2023 06:00:46 GMT", "type": "progress", "detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on." },
      { "when": "Mon, 13 Feb 2023 06:00:46 GMT", "type": "progress", "detail": "Retrieving certificate chain for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:45 GMT", "type": "progress", "detail": "Waiting for finalized order to become valid" },
      { "when": "Mon, 13 Feb 2023 06:00:45 GMT", "type": "progress", "detail": "Submitting CSR to CA for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:45 GMT", "type": "progress", "detail": "Creating CSR for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:45 GMT", "type": "progress", "detail": "Finalizing order for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:44 GMT", "type": "progress", "detail": "Waiting for order to become ready" },
      { "when": "Mon, 13 Feb 2023 06:00:44 GMT", "type": "progress", "detail": "Monitoring challenge status for test.ftntlab.de: domain authorization for test.ftntlab.de is valid" },
      { "when": "Mon, 13 Feb 2023 06:00:41 GMT", "type": "progress", "detail": "Monitoring challenge status for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:41 GMT", "type": "progress", "detail": "Setting up challenge 'http-01' for domain test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:40 GMT", "type": "progress", "detail": "Starting challenges for domains" },
      { "when": "Mon, 13 Feb 2023 06:00:39 GMT", "type": "progress", "detail": "Creating new order" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Creating new ACME account for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Selecting account to use for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Driving ACME protocol for renewal of test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Resetting staging for test.ftntlab.de" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Contacting ACME server for test.ftntlab.de at https://acme-v02.api.letsencrypt.org/directory" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Assessing current status" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Resetting staging area" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress", "detail": "Checking staging area" },
      { "when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "starting" }
    ]
  }
}
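In a healthy run like the one above, "finished" is true, "errors" is 0, "last.status" is 0, and the log shows the 'http-01' challenge being set up and validated, which also confirms that Let's Encrypt could reach the FortiGate on port 80. The following Python script is an added example, not code from the Fortinet article: it triages the two outputs offline by parsing the status-full JSON and the 'Valid to:' line, applying the acme-renew-window rule (renewal is due once the remaining validity is within the window) and returning a verdict that maps onto the troubleshooting steps in this article. The sample strings are constructed from the example output above with the log trimmed; the verdict codes and the utc_date helper are the example's own.

```python
"""Added example (not part of the Fortinet article): offline triage of the
ACME renewal state of a FortiGate from two CLI outputs.

Assumed inputs, captured as text from the FortiGate CLI:
  - the JSON printed by `diagnose sys acme status-full <CN>`
  - the 'Valid to:' line printed by `get vpn certificate local details <name>`
The sample strings below are constructed from the article's example output.
"""
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

LETSENCRYPT_LIFETIME_DAYS = 90   # Let's Encrypt leaf certificates are valid for 90 days
DEFAULT_RENEW_WINDOW_DAYS = 30   # FortiOS default for acme-renew-window

# Constructed sample: the status-full JSON from the article, log entries trimmed.
SAMPLE_STATUS_FULL = """{
  "name": "test.ftntlab.de",
  "finished": true,
  "notified": false,
  "next-run": "Mon, 13 Feb 2023 20:51:14 GMT",
  "last-run": "Mon, 13 Feb 2023 06:00:37 GMT",
  "valid-from": "Mon, 13 Feb 2023 20:51:14 GMT",
  "errors": 0,
  "last": {
    "status": 0,
    "detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.",
    "valid-from": "Mon, 13 Feb 2023 20:51:14 GMT"
  }
}"""
# Constructed sample: the 'Valid to:' line from the article's certificate details.
SAMPLE_VALID_TO = "Valid to: 2023-05-14 05:00:44 GMT"


def utc_date(ymd: str) -> datetime:
    """Helper for this example: 'YYYY-MM-DD' -> aware UTC midnight."""
    return datetime.strptime(ymd, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_valid_to(line: str) -> datetime:
    """Parse 'Valid to: YYYY-MM-DD HH:MM:SS GMT' into an aware UTC datetime."""
    value = line.split("Valid to:", 1)[1].strip()
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S GMT").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after: datetime, now: datetime) -> int:
    """Whole days of validity left; negative once the certificate has expired."""
    return (not_after - now).days


def renewal_due(not_after: datetime, renew_window_days: int, now: datetime) -> bool:
    """acme-renew-window counts backwards from expiry: due once the remaining
    validity is within the window."""
    return days_until_expiry(not_after, now) <= renew_window_days


def window_for_renewal_after(days_after_issue: int,
                             lifetime_days: int = LETSENCRYPT_LIFETIME_DAYS) -> int:
    """Window value needed to renew N days after issuance (30 days after -> 60)."""
    return lifetime_days - days_after_issue


def triage(status_full_json: str, valid_to_line: str,
           renew_window_days: int = DEFAULT_RENEW_WINDOW_DAYS, now=None) -> dict:
    """Combine both outputs into a verdict code and a plain-language reason."""
    now = now or datetime.now(timezone.utc)
    status = json.loads(status_full_json)
    last = status.get("last") or {}
    not_after = parse_valid_to(valid_to_line)
    days_left = days_until_expiry(not_after, now)
    due = renewal_due(not_after, renew_window_days, now)
    next_run = parsedate_to_datetime(status["next-run"]) if status.get("next-run") else None

    if status.get("errors", 0) or last.get("status", 0) != 0:
        code, why = "errors", "ACME run reported errors: %s" % last.get("detail", "no detail")
    elif not status.get("finished", False):
        code, why = "in-progress", "ACME run not finished yet; re-check in 2-3 minutes"
    elif days_left <= 0:
        code, why = "expired", ("certificate expired and not replaced; check ports 80/443, "
                                "local-in policies and VIP/SSL VPN port conflicts, then "
                                "regenerate-client-config and restart")
    elif due:
        code, why = "not-renewed", ("within the %d-day renew window but still the old "
                                    "certificate; force regenerate-client-config and restart"
                                    % renew_window_days)
    else:
        code, why = "not-due", ("%d days left; renewal starts %d days before expiry"
                                % (days_left, renew_window_days))
    return {"code": code, "why": why, "days_left": days_left, "due": due,
            "next_run": next_run, "finished": status.get("finished"),
            "errors": status.get("errors"), "last_status": last.get("status")}


if __name__ == "__main__":
    print(triage(SAMPLE_STATUS_FULL, SAMPLE_VALID_TO, now=utc_date("2023-02-14")))
```

On a live device, paste the captured outputs into the two sample strings (or read them from files) and, for a forced renewal test, pass the larger acme-renew-window value you configured so the "due" flag reflects it.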
In FortiOS 7.2.6, the certificate can also be renewed by changing the RSA key size of the ACME certificate in the CLI, for example to 4096 bits:
config vpn certificate local
edit <acme_cert>
set acme-rsa-key-size 4096
next
end
Afterwards, restart the ACME process with the following command:
diagnose sys acme restart
Note:
If the FortiGate is not reachable on ports 80 or 443, the renewal attempts fail with timeouts. The Let's Encrypt http-01 challenge is validated over port 80, so the CA must be able to connect to the FortiGate from the internet.
Validate that the FortiGate ACME service is reachable on these ports from another device, for example with 'telnet' or 'curl' from an external server:
TELNET:
user@server:~$ telnet vpn.domain.net 80
user@server:~$ telnet vpn.domain.net 443
Output indicating the TCP connection has been established:
user@server:~$ telnet vpn.domain.net 80
Trying 12.34.56.78...
Connected to vpn.domain.net
Escape character is '^]'.
CURL:
user@server:~$ curl http://vpn.domain.net
user@server:~$ curl https://vpn.domain.net
Output showing the ACME service is reachable on the FortiGate:
user@server:~$ curl http://vpn.domain.net
<!DOCTYPE html><html><head><title>ACME Access Only</title></head><body>ACME Access Only</body></html>
If the ports do not show as reachable, it is recommended to trace the connection upstream to see what is preventing access to the FortiGate on these ports.
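The following Python script is an added example, not code from the Fortinet article: it is the scripted equivalent of the telnet and curl checks above, run from an external host. It tests the TCP handshake on ports 80 and 443, fetches / over plain HTTP and checks for the 'ACME Access Only' page, classifies the TLS handshake on 443, and maps the results onto the likely causes discussed in this article (upstream blocking, local-in policies, a VIP or https-redirect answering on the ACME port). The hostname vpn.domain.net is a placeholder taken from the article, the sample HTML body is constructed from the curl output above, and the verdict wording is the example's own.

```python
"""Added example (not part of the Fortinet article): probe a FortiGate's ACME
listener from an external host.

Assumptions: the probe runs from outside the FortiGate (as the Let's Encrypt
validation servers would), the hostname is a placeholder, and the banner text
is the 'ACME Access Only' page the FortiGate returns on port 80.
"""
import http.client
import socket
import ssl

ACME_BANNER = "ACME Access Only"

# Constructed sample of the body the article shows curl receiving on port 80.
SAMPLE_ACME_BODY = ('<!DOCTYPE html><html><head><title>ACME Access Only</title>'
                    '</head><body>ACME Access Only</body></html>')


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake completes (what telnet's 'Connected to ...' means)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def looks_like_acme_listener(body: str) -> bool:
    """The FortiGate ACME listener answers plain HTTP with an 'ACME Access Only' page."""
    return ACME_BANNER in body


def http_get_root(host: str, port: int = 80, timeout: float = 5.0) -> tuple:
    """GET / over plain HTTP; returns (status, body) or (None, '') if unreachable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("utf-8", errors="replace")
    except OSError:
        return None, ""
    finally:
        conn.close()


def tls_handshake(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Classify port 443: 'verified' (trusted cert), 'untrusted' (handshake ok but the
    cert is expired, self-signed or the temporary built-in one) or 'failed'."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "verified"
    except ssl.SSLCertVerificationError:
        return "untrusted"
    except OSError:          # includes ssl.SSLError and connection errors
        return "failed"


def verdict(tcp80: bool, tcp443: bool, body: str) -> str:
    """Map probe results onto the troubleshooting branches of the article."""
    if not tcp80 and not tcp443:
        return "blocked: neither 80 nor 443 reachable; trace upstream (ISP/firewall) and local-in policies"
    if not tcp80:
        return "blocked: port 80 unreachable; http-01 validation cannot complete"
    if not looks_like_acme_listener(body):
        return "conflict: port 80 answered, but not by the ACME listener (VIP/port forward or https-redirect?)"
    if not tcp443:
        return "partial: ACME listener answers on 80 but 443 is unreachable"
    return "ok: ACME listener reachable on 80 and 443"


def probe(host: str, timeout: float = 5.0) -> dict:
    """Run all checks against one host and return a summary dict."""
    tcp80 = tcp_reachable(host, 80, timeout)
    tcp443 = tcp_reachable(host, 443, timeout)
    status, body = http_get_root(host, 80, timeout) if tcp80 else (None, "")
    return {"tcp80": tcp80, "tcp443": tcp443, "http_status": status,
            "tls": tls_handshake(host, 443, timeout) if tcp443 else "failed",
            "verdict": verdict(tcp80, tcp443, body)}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "vpn.domain.net"))
```

Run it as `python3 probe.py vpn.domain.net` from a host on the internet, not from inside the network behind the FortiGate, because local-in policies and upstream filtering only show up on the path the CA actually uses. A 'conflict' verdict means something other than the ACME listener (typically a VIP or the SSL VPN https-redirect) answered on port 80, which is the situation the port-conflict requirements at the top of this article address.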
Related articles:
Technical Tip: Expiring Let's Encrypt Certificates
ACME certificate support