TBC
Contributor

FortiWeb Let's Encrypt

Hello @All,

 

We would like to use Let's Encrypt certificates for our web servers.
The web servers are addressed, for example, as follows:
aa.domain.com
bb.domain.com
cc.domain.com
DNS entries are available.
Unfortunately, I can't really figure it out from the documentation.


Here are my questions:
Do I need to request a separate certificate for each domain?
Do all domains also have to be reachable via port 80?

According to the documentation, I also have to create a CAA:
You must have added "letsencrypt.org" in the CAA value if you have configured a CAA record at your DNS service. This allows Let's Encrypt to issue certificates for your domain name.

 

Where and how should this be?
FortiWeb OS is 7.0.1

 

Many thanks for helping

TBC

Anonymous
Not applicable

Hello @TBC , 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

   Fortinet Community Team 

Khidzir_MN
Staff

Hello @TBC,

 

Please see the replies below:

 

> Do I need to request a separate certificate for each domain?

Yes.

 

> Do all domains also have to be reachable via port 80?

You may want to check Let's Encrypt's articles below:

1- Best Practice - Keep Port 80 Open https://letsencrypt.org/docs/allow-port-80/
2- Challenge Types - https://letsencrypt.org/docs/challenge-types/

 

> According to the documentation, I also have to create a CAA:
> You must have added "letsencrypt.org" in the CAA value if you have configured a CAA record at your DNS service. This allows Let's Encrypt to issue certificates for your domain name.
> Where and how should this be?

You need to create a CAA record in your DNS system, not in the FortiWeb.
https://en.wikipedia.org/wiki/DNS_Certification_Authority_Authorization

 

Thank you.
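
What the CAA record in the DNS zone controls, as an added example that is not part of the original thread or of Fortinet's documentation: a minimal RFC 8659 evaluation of whether Let's Encrypt may issue for a host name or a wildcard name. The zone data is constructed; `ca.example.net`, the `bb.domain.com` override, the `iodef` address and the `issuewild ";"` record are assumptions for illustration.

```python
# Added example: RFC 8659 CAA evaluation over constructed zone data.
CA = "letsencrypt.org"

# Constructed sample: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "domain.com": [(0, "issue", "letsencrypt.org"),
                   (0, "issuewild", ";"),
                   (0, "iodef", "mailto:security@domain.com")],
    "bb.domain.com": [(0, "issue", "ca.example.net")],
}

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]))
        if records:
            return records
    return []

def issuer(value):
    """Issuer domain of an issue/issuewild value, dropping ';' parameters."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, zone, ca=CA):
    """True if `ca` may issue for `name` (which may start with '*.')."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unknown property with the critical bit (128) set forbids issuance.
    if any(f & 128 and t.lower() not in ("issue", "issuewild", "iodef")
           for f, t, _ in records):
        return False
    issue = [issuer(v) for _, t, v in records if t.lower() == "issue"]
    wild = [issuer(v) for _, t, v in records if t.lower() == "issuewild"]
    allowed = wild if wildcard and wild else issue
    if not allowed:          # no CAA restriction applies: any CA may issue
        return True
    return ca in allowed     # ';' parses to "", which matches no CA

if __name__ == "__main__":
    for n in ("aa.domain.com", "bb.domain.com", "cc.domain.com", "*.domain.com"):
        print(n, "->", "allowed" if may_issue(n, ZONE) else "blocked")
```

A host without its own CAA set inherits the parent's, a host with its own set overrides it, and a zone with no CAA records at all places no restriction on any CA.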

TBC
Contributor

Hello Khidzir_MN,

thank you very much for your comments!
Since we have a few domains, this procedure is quite cumbersome.
We therefore create a wildcard certificate via one of our servers and then import it into the FortiWeb.
I have a question about this: is there a way to renew an existing Let's Encrypt certificate or assign a new one to multiple server policies, for example via console or API?

 

Many thanks in advance

  TBC