AlexC-FTNT (Staff)
Article Id 362636
Description

This article provides a checklist of the items to verify on a FortiGate so that Let's Encrypt ACME certificate provisioning can succeed.

Scope

FortiGate v7.0+

Solution

Complete checklist and limitations for Let's Encrypt ACME certificate provisioning:

  1. Port 80 and port 443 must be open 'temporarily' on the desired WAN interface, and must not be used or published through a VIP, Server Load-Balance, SSL VPN or another service on the FortiGate. Test by accessing both 'http://www.domain.com' and 'https://www.domain.com' (both should present the FortiGate login prompt). Do not test by accessing http://x.x.x.x or https://x.x.x.x (the domain's IP): the IP address is not used in the verification process. The domain name must be owned, and it must resolve to the public IP used by the FortiGate (and, after certificate provisioning, by the future web server).
  2. The WAN interface must have HTTPS and HTTP under 'allowaccess' (a loopback interface is not supported; SD-WAN is not supported).
     • For multi-VDOM setups, the WAN interface must be in the management VDOM.
  3. HTTP to HTTPS redirect must be disabled (temporarily) under System -> Settings -> Administration Settings.
  4. Local-in policies must not block traffic from the ACME servers (they are located in the USA; keep this in mind if GeoIP-based restrictions are used).
  5. Trusted hosts for admin access to the FortiGate must be temporarily removed to allow this external access to the ACME challenge.
  6. The time zone and time should be set correctly (updated via NTP), according to the area where the IP is registered.
  7. Make sure 'dedicated-to management' is not enabled on the interface, as this will send the management traffic over the management interface instead.
  8. If the FortiGate is a VM, there are additional checks to be performed; improvements have been introduced from v7.6.1.
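The externally testable parts of this checklist (domain resolution, ports 80/443 reachable by name, no HTTP-to-HTTPS redirect) can be pre-checked from outside before starting the ACME enrollment. The script below is an added example, not Fortinet's code: the domain, public IP and the `resolve` callback are assumptions, and it only reports what the HTTP-01 validator would see from the Internet.

```python
"""Pre-flight checks for the FortiGate ACME checklist above (added example, not Fortinet's code)."""
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

def domain_points_at(domain: str, public_ip: str,
                     resolve: Optional[Callable[[str], List[str]]] = None) -> bool:
    """Item 1: the domain must resolve to the public IP the FortiGate WAN uses.
    `resolve` is injectable (assumed helper) so the logic can be tested without DNS."""
    if resolve is None:
        resolve = lambda d: sorted({r[4][0] for r in socket.getaddrinfo(d, 80, socket.AF_INET)})
    return public_ip in resolve(domain)

def redirect_check(status: int, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Item 3: port 80 must answer directly; a bounce to HTTPS hides the challenge."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    location = hdrs.get("location", "")
    if status in (301, 302, 303, 307, 308) and location.lower().startswith("https://"):
        return False, f"HTTP->HTTPS redirect still enabled (Location: {location})"
    if status >= 500:
        return False, f"port 80 returned server error {status}"
    return True, f"port 80 answered directly with status {status}"

def tcp_open(host: str, port: int, timeout: float = 5.0) -> bool:
    """Items 1-2: ports 80 and 443 on the WAN interface must accept connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):  # keep the 30x response instead of following it
        return None

def probe_http(domain: str, timeout: float = 5.0) -> Tuple[int, Dict[str, str]]:
    """GET http://<domain>/ by name (never by IP, as the checklist says); returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"http://{domain}/", timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # 30x/4xx/5xx arrive here because redirects are not followed
        return err.code, dict(err.headers)

def run_preflight(domain: str, public_ip: str) -> List[Tuple[str, bool, str]]:
    """Run the network-facing checks from outside the FortiGate; returns (check, ok, detail)."""
    results = [("dns", domain_points_at(domain, public_ip), f"{domain} -> {public_ip}")]
    for port in (80, 443):
        results.append((f"tcp/{port}", tcp_open(domain, port), "reachable by name"))
    if results[1][1]:  # only probe HTTP when tcp/80 is open
        ok, detail = redirect_check(*probe_http(domain))
        results.append(("http-redirect", ok, detail))
    return results
```

Run it from a host outside the FortiGate, e.g. `run_preflight("www.example.test", "203.0.113.10")`, and clear every FAIL before requesting the certificate.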

Related articles:

Troubleshooting Tip: FortiGate is unable to obtain Lets Encrypt Certificate

Technical Tip: ACME certificate with certificate management services other than Let's Encrypt on v7....

Technical Tip: Meaning of the error message 'Error creating a new order :: too many certificates alr...

Technical Tip: ACME renewal error 'The timeout specified has expired'

Troubleshooting Tip: ACME error message 'Unsuccessful in contacting ACME server at https://acme-v02....

Technical Tip: ACME certificate enrollment with SSL VPN

Technical Tip: ACME certificate showing not secure

Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew

Technical Tip: Acme on the FortiGate causes Security Compliance Checks to Fail

Technical Tip: Creating ACME Certificate via CLI on Multiple VDOM

Technical Tip: Let's Encrypt ACME expired certificate offline renew

ACME certificate support
