FortiGate
pachavez, Staff
Article Id 245610
Description

This article describes how to resolve issues with Let’s Encrypt certificate auto-renewal.

Scope

FortiGate, Let's Encrypt Certificates, ACME certificate.
Solution

ACME certificate support is a feature introduced in FortiOS 7.0.

There are 3 requirements for the Let's Encrypt certificate auto-renewal. If SSL VPN is enabled on the FortiGate and the ACME listening interface is the same interface that the SSL VPN port listens on, the following additional requirements must be applied to avoid a port conflict:

  1. Ensure no local-in policies are configured to block traffic on ports 443 and 80.

  2. Disable the https-redirect setting in the SSL VPN settings, or change the SSL VPN port from 443 to a non-default port so it does not conflict with the ACME port 443:

config vpn ssl settings
    set https-redirect disable   <- Disable https-redirect so ACME and SSL VPN can share port 443.
    set port 10443               <- Alternatively, change the SSL VPN port to a different port.
end

  3. If an active Virtual IP is used for Static NAT or Port Forwarding on port 443 and its external IP address is the ACME listening interface, this will prevent the certificate from being renewed. Change the External IP address of the Virtual IP or the External Service port of the Port Forwarding so it does not conflict with ACME port 443.

Related article:

Technical Tip: ACME certificate enrollment with SSL VPN.

If all of the requirements described above are satisfied but the certificate auto-renewal is still not taking place, run the following commands on the FortiGate. If the FortiGate is set up in HA, run them on all HA cluster members:

  1. Check the ACME status:

get system acme status
get system acme acc-details

  2. Force config regeneration and certificate renewal:

diagnose sys acme regenerate-client-config
diagnose sys acme restart

  3. Wait 2-3 minutes, then check the certificate status:

get vpn certificate local details <Local certificate name>
diagnose sys acme status-full <Certificate's CN domain>


To change the ACME listening interface or source IP:

config system acme
    set interface <interface-name>
    set source-ip <ipv4-address>
end


Increase the renewal window (acme-renew-window) for ACME renewal. By default, acme-renew-window is set to 30:

config vpn certificate local
    edit <ACME_certificate_name>
        set acme-renew-window 30
    next
end

This means that the ACME certificate is renewed 30 days before expiration, not 30 days after issuance. Let's Encrypt issues certificates that are valid for 90 days, so to renew 30 days after issuance the renew window value must be changed to 60.

Use the following commands to increase the window size for ACME renewal:

config vpn certificate local
    edit <ACME_certificate_name>
        set acme-renew-window 60   <- Renew 60 days before expiry, i.e. 30 days after issuance of a 90-day certificate.
    next
end

 
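The renew window counts backwards from the certificate's "Valid to" date, which is easy to get wrong. The following Python helper is an added example and not part of the Fortinet article: it reads the "Valid from"/"Valid to" lines from the `get vpn certificate local details` output (the sample text is copied from the article's output) and works out on which date renewal will be attempted for a given acme-renew-window value, flagging a window that is as long as the certificate lifetime. Function names and the returned fields are this example's own.

```python
# Added example, not part of the Fortinet article: work out when FortiGate's ACME
# client will attempt renewal for a given acme-renew-window value, using the
# "Valid from"/"Valid to" lines printed by 'get vpn certificate local details'.
from datetime import datetime, timedelta

DATE_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample, copied from the certificate details shown in the article.
SAMPLE_CERT_DETAILS = """\
== [ acme-cert ]
Name: acme-cert
Subject: CN = test.ftntlab.de
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid from: 2023-02-13 05:00:45 GMT
Valid to: 2023-05-14 05:00:44 GMT
"""


def parse_validity(details):
    """Extract (not_before, not_after) from the CLI output; the GMT suffix is dropped."""
    found = {}
    for line in details.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("Valid from", "Valid to"):
            found[key.strip()] = datetime.strptime(value.strip().replace(" GMT", ""), DATE_FMT)
    if len(found) != 2:
        raise ValueError("certificate details lack 'Valid from'/'Valid to' lines")
    return found["Valid from"], found["Valid to"]


def renewal_plan(not_before, not_after, renew_window_days, now=None):
    """Describe when renewal triggers: acme-renew-window days *before* 'Valid to'."""
    if not_after <= not_before:
        raise ValueError("'Valid to' must be later than 'Valid from'")
    if renew_window_days < 1:
        raise ValueError("acme-renew-window must be at least 1 day")
    renew_on = not_after - timedelta(days=renew_window_days)
    day = 86400
    plan = {
        "lifetime_days": round((not_after - not_before).total_seconds() / day),
        "renew_on": renew_on.strftime(DATE_FMT),
        # Days after issuance at which renewal starts; 0 or less means the window
        # is as long as the certificate lifetime, so renewal is attempted at once.
        "days_after_issue": round((renew_on - not_before).total_seconds() / day),
        "window_covers_lifetime": renew_on <= not_before,
    }
    if now is not None:
        plan["renewal_due"] = now >= renew_on
    return plan


if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_CERT_DETAILS)
    for window in (30, 60):
        print(window, renewal_plan(nb, na, window))
```

With the article's sample certificate, the default window of 30 gives a renewal date of 2023-04-14 (60 days after issuance), while a window of 60 moves it to 2023-03-15 (30 days after issuance).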

If the issue persists, remove the references to the ACME certificate from the configuration (in case the certificate is currently used in the SSL VPN or admin-server certificate settings). The SSL VPN or admin-server certificate can temporarily be changed to the FortiGate's built-in Fortinet certificate; then force config regeneration and certificate renewal:

diagnose sys acme regenerate-client-config
diagnose sys acme restart

 

Sample output when the ACME certificate is renewed:

 

get vpn certificate local details acme-cert
== [ acme-cert ]
Name: acme-cert
Subject: CN = test.ftntlab.de
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid from: 2023-02-13 05:00:45 GMT
Valid to: 2023-05-14 05:00:44 GMT

Fingerprint: 9A:03:0F:41:29:D7:01:45:04:F3:16:C0:BD:63:A2:DB
Serial Num: 03:d3:55:80:d2:e9:01:b4:ca:80:3f:2e:fc:24:65:ad:7c:0c

ACME details:
Status: The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.
Staging status: Nothing in staging

 

diagnose sys acme status-full test.ftntlab.de
{
"name": "test.ftntlab.de",
"finished": true,
"notified": false,
"next-run": "Mon, 13 Feb 2023 20:51:14 GMT",
"last-run": "Mon, 13 Feb 2023 06:00:37 GMT",
"valid-from": "Mon, 13 Feb 2023 20:51:14 GMT",
"errors": 0,
"last": {
"status": 0,
"detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.",
"valid-from": "Mon, 13 Feb 2023 20:51:14 GMT"
},
"log": {
"entries": [
{
"when": "Mon, 13 Feb 2023 06:00:46 GMT",
"type": "finished"
},
{
"when": "Mon, 13 Feb 2023 06:00:46 GMT",
"type": "progress",
"detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on."
},
{
"when": "Mon, 13 Feb 2023 06:00:46 GMT",
"type": "progress",
"detail": "Retrieving certificate chain for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Waiting for finalized order to become valid"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Submitting CSR to CA for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Creating CSR for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Finalizing order for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:44 GMT",
"type": "progress",
"detail": "Waiting for order to become ready"
},
{
"when": "Mon, 13 Feb 2023 06:00:44 GMT",
"type": "progress",
"detail": "Monitoring challenge status for test.ftntlab.de: domain authorization for test.ftntlab.de is valid"
},
{
"when": "Mon, 13 Feb 2023 06:00:41 GMT",
"type": "progress",
"detail": "Monitoring challenge status for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:41 GMT",
"type": "progress",
"detail": "Setting up challenge 'http-01' for domain test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:40 GMT",
"type": "progress",
"detail": "Starting challenges for domains"
},
{
"when": "Mon, 13 Feb 2023 06:00:39 GMT",
"type": "progress",
"detail": "Creating new order"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Creating new ACME account for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Selecting account to use for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Driving ACME protocol for renewal of test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Resetting staging for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Contacting ACME server for test.ftntlab.de at https://acme-v02.api.letsencrypt.org/directory"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Assessing current status"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Resetting staging area"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Checking staging area"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "starting"
}
]
}
}
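The status-full output above is long, and the fields an operator actually needs (did the run finish, were errors counted, which challenge type was used, when is the next run) are scattered through it. The following Python script is an added example, not part of the Fortinet article: it parses the JSON printed by `diagnose sys acme status-full <domain>` and summarises it. The successful sample is a shortened copy of the article's output; the failing sample is constructed and its field values are assumptions, not captured from a FortiGate.

```python
# Added example, not part of the Fortinet article: summarise the JSON printed by
# 'diagnose sys acme status-full <domain>' so an operator can see at a glance
# whether the last renewal run completed and which ACME challenge was used.
import json

# Constructed sample: a shortened copy of the successful output shown in the article.
SAMPLE_OK = """{
"name": "test.ftntlab.de",
"finished": true,
"notified": false,
"next-run": "Mon, 13 Feb 2023 20:51:14 GMT",
"last-run": "Mon, 13 Feb 2023 06:00:37 GMT",
"valid-from": "Mon, 13 Feb 2023 20:51:14 GMT",
"errors": 0,
"last": {
"status": 0,
"detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.",
"valid-from": "Mon, 13 Feb 2023 20:51:14 GMT"
},
"log": {
"entries": [
{"when": "Mon, 13 Feb 2023 06:00:46 GMT", "type": "finished"},
{"when": "Mon, 13 Feb 2023 06:00:41 GMT", "type": "progress",
 "detail": "Setting up challenge 'http-01' for domain test.ftntlab.de"},
{"when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "progress",
 "detail": "Contacting ACME server for test.ftntlab.de at https://acme-v02.api.letsencrypt.org/directory"},
{"when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "starting"}
]
}
}"""

# Constructed, hypothetical failure output (field values are assumptions, not
# captured from a FortiGate): the run never finished and an error was counted.
SAMPLE_FAILED = """{
"name": "test.ftntlab.de",
"finished": false,
"notified": false,
"next-run": "Tue, 14 Feb 2023 06:00:37 GMT",
"last-run": "Mon, 13 Feb 2023 06:00:37 GMT",
"errors": 1,
"last": {"status": 1, "detail": "challenge for test.ftntlab.de timed out (constructed detail)"},
"log": {"entries": [
{"when": "Mon, 13 Feb 2023 06:00:41 GMT", "type": "progress",
 "detail": "Setting up challenge 'http-01' for domain test.ftntlab.de"},
{"when": "Mon, 13 Feb 2023 06:00:37 GMT", "type": "starting"}
]}
}"""


def assess_acme_status(raw):
    """Parse status-full JSON and report whether the last renewal run is healthy."""
    data = json.loads(raw)
    entries = data.get("log", {}).get("entries", [])
    types = [e.get("type") for e in entries]
    # Challenge type is only visible in the "Setting up challenge '<type>'" log line.
    challenges = sorted({
        e["detail"].split("'")[1]
        for e in entries
        if e.get("type") == "progress" and e.get("detail", "").startswith("Setting up challenge '")
    })
    problems = []
    if not data.get("finished", False):
        problems.append("last run did not finish")
    if data.get("errors", 0):
        problems.append("errors counter is %d" % data["errors"])
    last = data.get("last", {})
    if last.get("status", 0) != 0:
        problems.append("last status %s: %s" % (last.get("status"), last.get("detail", "")))
    if "starting" in types and "finished" not in types:
        problems.append("log has a 'starting' entry but no 'finished' entry")
    return {
        "domain": data.get("name"),
        "healthy": not problems,
        "problems": problems,
        "challenges": challenges,
        "next_run": data.get("next-run"),
        "last_detail": last.get("detail"),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_FAILED):
        print(json.dumps(assess_acme_status(sample), indent=2))
```

Paste the CLI output into a file and feed it to `assess_acme_status`; a healthy run reports `http-01` as the challenge type, which is why ports 80 and 443 must stay reachable as the requirements above describe.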

 

In FortiOS version 7.2.6, run the following configuration in the CLI to renew the certificate:

config vpn certificate local
    edit <acme_cert>
        set acme-rsa-key-size 4096
    next
end

Afterwards, restart the ACME process with the following command:

diagnose sys acme restart

 

Note:

If the FortiGate is not reachable on ports 80 or 443, the renewal attempts will fail with timeouts.

Validate from another device that the FortiGate ACME service is reachable on these ports. For example, from an external server, test with the 'telnet' or 'curl' commands:

 

TELNET:

 

user@server:~$ telnet vpn.domain.net 80
user@server:~$ telnet vpn.domain.net 443

 

Output indicating the TCP connection has been established:

 

user@server:~$ telnet vpn.domain.net 80
Trying 12.34.56.78...
Connected to vpn.domain.net
Escape character is '^]'.


CURL:

 

user@server:~$ curl http://vpn.domain.net
user@server:~$ curl https://vpn.domain.net

 

Output showing the acme service is reachable on the FortiGate:

 

user@server:~$ curl http://vpn.domain.net
<!DOCTYPE html><html><head><title>ACME Access Only</title></head><body>ACME Access Only</body></html>

 

If the ports do not show as reachable, it is recommended to trace the connection upstream to see what is preventing access to the FortiGate on these ports.
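The telnet and curl checks above can be combined into one script that is run from the external server (not on the FortiGate). The following Python script is an added example and not part of the Fortinet article: it tests TCP reachability of ports 80 and 443 the way telnet does, fetches `/` on port 80 the way curl does, and checks that the body is the "ACME Access Only" page (copied from the article's curl output), so a redirect from SSL VPN or a response from some other device upstream is reported as a failure. `vpn.domain.net` is kept as a placeholder host; the connect/fetch functions are injectable so the decision logic can be tested without a network.

```python
# Added example, not part of the Fortinet article: check from an external host
# that TCP ports 80 and 443 on the FortiGate are reachable and that port 80
# answers with the "ACME Access Only" page, which is what the article's curl
# test expects. The host name used below is a placeholder.
import http.client
import socket
import sys

ACME_MARKER = "ACME Access Only"

# Constructed sample body, as shown in the article's curl output.
SAMPLE_BODY = ('<!DOCTYPE html><html><head><title>ACME Access Only</title></head>'
               '<body>ACME Access Only</body></html>')


def tcp_reachable(host, port, timeout=5.0):
    """Equivalent of the article's telnet test: can a TCP connection be established?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_http_body(host, port=80, timeout=5.0):
    """Equivalent of 'curl http://host/': GET / and return the start of the body."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().read(4096).decode("utf-8", "replace")
    finally:
        conn.close()


def looks_like_acme_responder(body):
    """True when the FortiGate's ACME listener (not SSL VPN or another service) answered."""
    return ACME_MARKER in body


def check_acme_exposure(host, timeout=5.0, connect=tcp_reachable, fetch=fetch_http_body):
    """Run both checks; connect/fetch are injectable so the logic can be tested offline."""
    result = {"host": host,
              "tcp_80": connect(host, 80, timeout),
              "tcp_443": connect(host, 443, timeout),
              "acme_page_on_80": False}
    if result["tcp_80"]:
        try:
            result["acme_page_on_80"] = looks_like_acme_responder(fetch(host, 80, timeout))
        except OSError:
            # Port accepted the connection but the HTTP exchange failed (reset, timeout).
            pass
    result["ok"] = result["tcp_80"] and result["tcp_443"] and result["acme_page_on_80"]
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.domain.net"  # placeholder host
    print(check_acme_exposure(target))
```

Run it as `python3 check_acme.py vpn.domain.net` from the external server; `ok` is only true when both ports accept connections and port 80 returns the ACME page. A false `tcp_80`/`tcp_443` with a true TCP result on the FortiGate itself points at a device upstream, which is where the trace described above should start.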

 

Related articles:

Technical Tip: Expiring Let’s Encrypt Certificates

ACME certificate support