Description
This article describes the checklist of items for FortiGate to facilitate Let's Encrypt ACME certificate provisioning.
Scope
FortiGate v7.0+
Solution
Complete checklist and limitations for Let's Encrypt ACME certificate provisioning:
- Port 80 and port 443 must be open 'temporarily' on the desired WAN interface, and must not be used or published through a VIP, Server Load-Balance, SSL VPN or another service on FortiGate. Test by accessing both 'http://www.domain.com' and 'https://www.domain.com' (both should present the FortiGate login prompt). Do not test by accessing http://x.x.x.x or https://x.x.x.x (the public IP): the IP address is not used in the verification process. The domain name must be owned and must resolve to the public IP used by FortiGate (and, after certificate provisioning, by the future web server).
- The WAN interface must have HTTPS and HTTP under 'allowaccess' (loopback interfaces and SD-WAN interfaces are not supported).
- For multivdom setups, the wan interface must be in the management VDOM.
- HTTP to HTTPS redirect must be disabled (temporarily) from System -> Settings -> Administration settings.
- Local-in policies must not block traffic from the ACME servers (they are located in the USA; keep this in mind if GeoIP-based local-in policies are used).
- Trusted-hosts for admin access to FortiGate must be temporarily removed to allow this external access to the ACME challenge.
- Time-zone and time should be set correctly (NTP updated), according to the area where the IP is recorded.
- Make sure 'dedicated-to management' is not enabled on the interface, as this would send the management traffic over the mgmt interface instead.
- If the FortiGate is a VM, there are additional checks to be performed, and improvements have been introduced in v7.6.1.
- Check the routing table and run a packet capture because the traffic to the ACME servers needs to be via the interface associated with the public IP used by FortiGate. Example: If WAN1 is used for the ACME certificate and the outgoing traffic is via WAN2 to reach the ACME servers, the certificate provisioning will fail. If the outgoing traffic is via the incorrect WAN interface, the workaround is to set a lower Administrative Distance for the link that needs to reach the ACME servers or temporarily disable the other ISP link.
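Several of the items above (HTTP/HTTPS under 'allowaccess', the interface being in the management VDOM, 'dedicated-to management' not set, the HTTP to HTTPS redirect disabled, and the default route leaving via the ACME interface) can be checked before starting the provisioning. The script below is an added example, not Fortinet code: it parses text an administrator would copy out of 'show system interface <wan>', 'show system global' and 'get router info routing-table all' and reports which checklist items the configuration would fail. The sample outputs are constructed, and the parsing assumes the usual single-line shape of a FortiOS static default route ('S* 0.0.0.0/0 [distance/metric] via <gateway>, <interface>, ...').

```python
"""Pre-flight checker for the FortiGate ACME checklist (added example, not Fortinet code)."""
import re

# Constructed sample output of 'show system interface wan1' (not from a real device).
SAMPLE_INTERFACE = """
config system interface
    edit "wan1"
        set vdom "root"
        set ip 203.0.113.10 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set role wan
    next
end
"""

# Constructed sample output of 'show system global' (only the relevant lines).
SAMPLE_GLOBAL = """
config system global
    set admin-https-redirect enable
    set hostname "FGT-LAB"
end
"""

# Constructed sample output of 'get router info routing-table all'.
# wan2 has the lower administrative distance, so only it carries the default route.
SAMPLE_ROUTES = """
Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 198.51.100.1, wan2, [1/0]
C       203.0.113.0/24 is directly connected, wan1
C       198.51.100.0/24 is directly connected, wan2
"""


def _setting(block: str, key: str) -> list[str]:
    """Return the tokens of 'set <key> ...' inside a config block, or [] if absent."""
    m = re.search(rf"^\s*set {re.escape(key)} (.+)$", block, re.MULTILINE)
    return m.group(1).replace('"', "").split() if m else []


def default_route_interfaces(route_table: str) -> list[str]:
    """Egress interfaces of every active 0.0.0.0/0 route (ECMP yields several)."""
    pat = re.compile(r"^\S+\s+0\.0\.0\.0/0 \[\d+/\d+\] via \S+, ([\w.-]+)", re.MULTILINE)
    return pat.findall(route_table)


def acme_preflight(acme_iface: str, iface_cfg: str, global_cfg: str,
                   route_table: str, mgmt_vdom: str = "root") -> list[str]:
    """Return the checklist items that the given configuration fails (empty list = ready)."""
    failures = []
    allow = _setting(iface_cfg, "allowaccess")
    for proto in ("http", "https"):          # both must be allowed on the ACME interface
        if proto not in allow:
            failures.append(f"allowaccess on {acme_iface} lacks {proto}")
    vdom = _setting(iface_cfg, "vdom")
    if vdom and vdom[0] != mgmt_vdom:         # multi-VDOM: interface must be in the management VDOM
        failures.append(f"{acme_iface} is in VDOM {vdom[0]}, not management VDOM {mgmt_vdom}")
    if _setting(iface_cfg, "dedicated-to") == ["management"]:
        failures.append(f"{acme_iface} has dedicated-to management enabled")
    if _setting(global_cfg, "admin-https-redirect") == ["enable"]:
        failures.append("HTTP to HTTPS redirect is still enabled")
    egress = default_route_interfaces(route_table)
    if acme_iface not in egress:              # replies to the ACME servers must leave via the ACME interface
        failures.append(f"default route egresses via {egress or 'none'}, not {acme_iface}")
    return failures


if __name__ == "__main__":
    for item in acme_preflight("wan1", SAMPLE_INTERFACE, SAMPLE_GLOBAL, SAMPLE_ROUTES):
        print("FAIL:", item)
```

With the constructed samples the checker reports three failures: HTTP missing from 'allowaccess', the HTTP to HTTPS redirect still enabled, and the default route leaving via wan2 while the certificate is requested on wan1 (the administrative-distance case described in the last checklist item). Fix those three and the same inputs pass.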
Note: Starting from FortiOS 7.6.3, the ACME External Account Binding (EAB) feature was added to allow domain ownership verification with new account requests. For more information, see ACME External Account Binding support - FortiGate 7.6.0.
Related articles:
Troubleshooting Tip: FortiGate is unable to obtain Lets Encrypt Certificate
Technical Tip: ACME certificate with certificate management services other than Let's Encrypt on v7....
Technical Tip: Meaning of the error message 'Error creating a new order :: too many certificates alr...
Technical Tip: ACME renewal error 'The timeout specified has expired'
Troubleshooting Tip: ACME error message 'Unsuccessful in contacting ACME server at https://acme-v02....
Technical Tip: ACME certificate enrollment with SSL VPN
Technical Tip: ACME certificate showing not secure
Troubleshooting Tip: Let’s Encrypt certificate did not automatically renew
Technical Tip: Acme on the FortiGate causes Security Compliance Checks to Fail
Technical Tip: Creating ACME Certificate via CLI on Multiple VDOM
Technical Tip: Let's Encrypt ACME expired certificate offline renew
ACME certificate support