Alby23
Contributor II

Let's Encrypt and FortiGate

Do you know if it's possible to use a Let's Encrypt-generated certificate in the FortiGate for the VPN portal?

5 Solutions
mhe
Contributor

No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use startssl


emnoc
Esteemed Contributor III

Mhe has it right.

Natively the answer is NO, but you have ways around this. Use a Linux distro, build a CSR/private key, sign the CSR, then export it and re-import it into the FortiGate.

Yes, any X.509-compatible certificate will work in a FortiGate, but the native means of "Let's Encrypt" make it not a 1-2-3 easy-do method.

PCNSE 

NSE 

StrongSwan  


NeilG

The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is 90 days.

"Our certificates are valid for 90 days. You can read about why here."

https://letsencrypt.org/docs/faq/

 

-N


jtfinley

So here's what I did using a Raspberry Pi, but it can easily be used on other platforms...

1. Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80 and tcp/443 open. (Raspberry Pi - used Certbot)
2. Temporarily point a DNS A or CNAME record of your SSL VPN at the box you're going to run letsencrypt on (the Raspberry Pi box).
3. Once it pulls dependencies, run letsencrypt using the example below:
   ./certbot-auto certonly --standalone -d vpn.yoursite.com -d
4. Change DNS records if required by pointing your DNS A record back at your SSL VPN IP.
5. Grab your PEMs from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem).

FortiGate:

1. System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem.
2. VPN -> SSL -> Settings. Change Server Certificate.
3. Repeat the process every 90 days.
4. Set up a cron job to renew it.

TecnetRuss

Just updating this thread to mention that ACME/Let's Encrypt functionality is now built into FortiOS 7.0: New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library

Russ NSE7

emnoc
Esteemed Contributor III

Yes, that's true; it made it a lot easier with certificates and applying the certs for multiple objects.

     

Ken Felix

     


absmith
New Contributor

So I have the functionality in the script to upload the certificate and private key; however, FortiGate functionality doesn't let you overwrite the current certificate, and even if it did, you would have to remove and then re-add SSL functionality to the specific service if you are overwriting the certificate.

Since this is the case, I'm also going to have to write functionality to change the certificates of rules, VPN portals and virtual servers, either in the same script or in a separate script. Let me know if anyone is interested so far.

cookem
New Contributor

Sounds cool... can I get a copy of what you have so far?

Keith_Nelson

adam_smith@sundance.org wrote:

So I have the functionality in the script to upload the certificate and private key; however, FortiGate functionality doesn't let you overwrite the current certificate, and even if it did, you would have to remove and then re-add SSL functionality to the specific service if you are overwriting the certificate.

Since this is the case, I'm also going to have to write functionality to change the certificates of rules, VPN portals and virtual servers, either in the same script or in a separate script. Let me know if anyone is interested so far.

I would be interested in the script.

I have been trying to figure this out for a while, but I'm not much of a scripter.

You would think this would be an API they would have, given all the rage of DevOps these days.

emnoc
Esteemed Contributor III

1: Upload the new cert and then change the usage to the new cert.

2: Delete the old certificate.

     

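The two-step rotation above (upload under a new name, switch the usage, then delete the old object) is what a renewal hook has to do, because FortiOS will not overwrite an existing local certificate, as absmith notes. The following is an added example, not code from this thread or from the fortitools project, that turns the procedure into an ordered plan of REST calls; the FortiOS endpoint paths, JSON field names and bearer-token authentication are assumptions from the FortiOS REST API and should be checked against your firmware version before use.

```python
"""Rotate a Let's Encrypt certificate on a FortiGate without overwriting it.

Assumed (verify for your FortiOS build): the REST paths
/api/v2/monitor/vpn-certificate/local/import, /api/v2/cmdb/vpn.ssl/settings,
/api/v2/cmdb/vpn.certificate/local/<name>, and an API user whose key is
sent as a bearer token. Example code, not the thread's or fortitools' own.
"""
import base64
import hashlib
import json
import urllib.request


def cert_name(cert_pem: bytes, prefix: str = "le-vpn") -> str:
    """Derive a name that changes with every issuance, so each 90-day renewal
    creates a fresh object instead of a failed overwrite of the current one."""
    return f"{prefix}-{hashlib.sha256(cert_pem).hexdigest()[:8]}"


def rotation_plan(old_name, new_name, cert_pem: bytes, key_pem: bytes):
    """Return the ordered REST calls (method, path, body) for the rotation:
    import new cert, repoint the SSL VPN portal at it, delete the old cert."""
    import_body = {
        "type": "regular", "certname": new_name, "scope": "global",
        "file_content": base64.b64encode(cert_pem).decode(),
        "key_file_content": base64.b64encode(key_pem).decode(),
    }
    plan = [
        ("POST", "/api/v2/monitor/vpn-certificate/local/import", import_body),
        ("PUT", "/api/v2/cmdb/vpn.ssl/settings", {"servercert": new_name}),
    ]
    if old_name and old_name != new_name:  # nothing to delete if unchanged
        plan.append(("DELETE", f"/api/v2/cmdb/vpn.certificate/local/{old_name}", None))
    return plan


def apply_plan(host, token, plan, opener=urllib.request.urlopen):
    """Execute the plan in order over HTTPS. Stops at the first non-2xx reply,
    so a failed import never leaves the portal pointing at a missing cert."""
    for method, path, body in plan:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            f"https://{host}{path}", data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with opener(req) as resp:
            if not 200 <= resp.status < 300:
                raise RuntimeError(f"{method} {path} failed: HTTP {resp.status}")
```

Run it from a certbot `--deploy-hook` with cert.pem and privkey.pem read from /etc/letsencrypt/live/<domain>/, passing the name currently set as the SSL VPN server certificate as `old_name`.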

absmith
New Contributor

There doesn't seem to be a way for me to put the file here, but I am planning to put it up on GitHub so that as it evolves people can get the latest versions. I am also planning on releasing it with an Apache v2 license, so don't worry about changing it for your own purposes, and any contributions/suggestions would help. Sorry for taking so long to post it. I was trying to add config file functionality, which is present in the code but is not fully working yet. However, all the command line options work. This is a Python script and relies on fortiosapi, so you will have to use that. It was written with Python 3 in mind, so it may or may not be backward compatible with Python 2. I actually think that it won't be backward compatible, because the configuration file library I used changed the syntax for the library name when it moved over to Python 3. With that in mind, here is what I have currently.

I am also planning on making it compatible with PyPI so you can just do a pip install, but that isn't all in place yet. I'll post the link as soon as I get it on GitHub.

absmith

Here is the GitHub repo for the current version. It's still a bit early, but it does work. The --help feature should give you all the parameters required. I'm trying to write it to have a config file as well so that you don't need to write the whole command every time; the beginning framework is there for this in the script but is not fully tested yet, so I suggest using the CLI commands. Also, this works with either password or API-key authentication. Let me know if things aren't working for you.

https://github.com/absmith82/fortitools

lubyou
New Contributor

Fortinet could just add support for Let's Encrypt into FortiOS; the ACME protocol is open source and anybody can write a client for it.

Apart from that, Fortinet already uses Python in FortiOS, so they could use certbot...

absmith
New Contributor

I agree that would be ideal; however, that isn't currently the case, and as far as I can tell FortiOS doesn't allow you to access the Python shell/ecosystem, so in the meantime we have to work with the tools they allow us to.

nbctcp

https://www.loggly.com/blog/benchmarking-5-popular-load-balancers-nginx-haproxy-envoy-traefik-and-al...

Comparing Traefik with the others, I have never tried your idea. I believe it will work with the GUI,

but how about SSL VPN? Have you tried? I like your idea because I can use cron to renew every 90 days:

0 */8 * * * certbot renew --post-hook "systemctl reload nginx"

I don't know which way is better and easier: 1. using a reverse proxy; 2. creating a script like emnoc said; 3. updating the cert using this method https://kb.fortinet.com/kb/documentLink.do?externalID=FD35074; 4. https://github.com/absmith82/fortitools

tq

peter.wickenberg wrote:

I solved it by setting up a reverse proxy using Traefik and Let's Encrypt to give me access to mgmt and SSL VPN through the proxy. That way I get automatically updated certificates for both services by bouncing it on the inside, and I can't say it's affecting performance either.