uByte
New Contributor II

Let's Encrypt STAGING certificate

Running the latest firmware on an 80f, and when I try to generate a cert using Let's Encrypt it works but gives me a STAGING cert. I have another FortiGate (60f) that I set up like 2 weeks ago, and it generates a normal one. I tried downloading the CA cert from that one and importing it on the one that is STAGING and removing the STAGING ACME certs, and it doesn't work. It still generates a STAGING cert. I know that you can specify the STAGING cert to verify everything works before you set up a genuine one, but I don't need that. Does anyone know the command to specify the cert?

Garrett Jackson
1 Solution
pkavin
Staff

Hello everyone,

There was a bug introduced in FortiOS 7.0.2 where generating a new ACME certificate from the GUI will result in a certificate signed by the Let's Encrypt staging CA.

Bug 0757130 was filed to fix the issue, and the issue has been fixed in FortiOS 7.0.4 (which is yet to be released).

The workaround for the issue is to configure a certificate from the CLI, using the commands below as an example:

config vpn certificate local
    edit "acme-test"
        set enroll-protocol acme2
        set acme-domain "kavin.fortiddns.com"
        set acme-email "xyz@domain.com"
    next
end

You can also find the bug mentioned in the release notes:

https://docs.fortinet.com/document/fortigate/7.0.3/fortios-release-notes/236526/known-issues

Kavin
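
After re-enrolling from the CLI, the certificate's issuer can be checked with openssl to confirm it no longer comes from the staging CA. This is an added example, not part of the original post or Fortinet's tooling; it assumes the staging issuer name contains the literal "(STAGING)" marker reported in this thread, and the function names and sample certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a PEM certificate was issued by a staging CA.
# Assumption: the staging issuer name contains the literal "(STAGING)" marker
# reported in this thread. To fetch a device's certificate for checking:
#   openssl s_client -connect HOST:443 </dev/null | openssl x509 -out cert.pem

# Exit status: 0 = staging issuer, 1 = not staging, 2 = unreadable certificate.
is_staging_cert() {
    issuer=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 2
    case "$issuer" in
        *"(STAGING)"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate, so its issuer
# equals the subject DN passed in $2. Not a real Let's Encrypt certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -subj "$2" 2>/dev/null
}

# Print one verdict line per certificate file given as an argument.
report() {
    for pem in "$@"; do
        if is_staging_cert "$pem"; then
            echo "$pem: STAGING issuer (not publicly trusted), re-enroll"
        else
            case $? in
                1) echo "$pem: issuer is not a staging CA" ;;
                *) echo "$pem: could not read certificate" ;;
            esac
        fi
    done
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/staging.pem" "/O=(STAGING) Constructed/CN=(STAGING) Constructed Test CA"
make_sample_cert "$demo_dir/normal.pem" "/O=Constructed/CN=Constructed Test CA"
report "$demo_dir/staging.pem" "$demo_dir/normal.pem" "$demo_dir/missing.pem"
rm -rf "$demo_dir"
```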


4 Replies
mhe
Contributor II

I'm facing the same issue. Any solutions?

ebadger
New Contributor

Was there a fix for this issue? I have 3 different sites now doing the same thing, only issuing from (STAGING) Let's Encrypt.

uByte
New Contributor II

Still haven't figured it out. Luckily there was not a need for me to get this working for the client. I realized that it needs to be addressed. The simple fact that there are other people that are experiencing the same things is comforting to know that I am not the only one. I wish there was a fix. Might have to submit a ticket to get it looked at and possibly a bug report. Has anyone ever had to submit a bug to Fortinet before?

Garrett Jackson