ACME Clarification
Hi!
In "ACME certificate support" I see: "It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS)". Since port forwarding and virtual servers are features of the VIP object, this text is unclear (to me).
Does the requirement refer to ALL VIPs (i.e. config firewall vip), or only those with portforward=enable?
Does the requirement also include VIPs configured with realservers?
Thanks!
Labels: FortiGate
Hi, it means the VIP that has port forwarding enabled over ports 80 or 443. A VIP that doesn't have port forwarding enabled will apply to all ports, so this will also cause an issue.
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support
Hi!
Can anyone at Fortinet answer my two questions?
Thanks!
Hello Alex,
For ACME certificates, port 443 and port 80 are going to be used, so if a VIP is configured for port 443 or 80 then all that traffic is going to be DNATed using the VIP, which is going to cause an issue for ACME.
Not for all VIPs, but for a VIP which is created using the FortiGate WAN interface IP address, and it will be only for port 443 and port 80.
Regarding VIP configuration:
We can configure port forwarding, and then only the specific port's traffic is DNATed; or if we disable port forwarding, then all traffic is DNATed to the internal server, which means port 443 and port 80 as well.
In a virtual server, only if we configure it for port 443 and 80 is it going to DNAT the ACME traffic as well.
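To make the rule in the two answers above concrete (a VIP on the WAN IP without port forwarding takes every port, while a port-forwarding VIP or virtual server only takes the ports in its extport range), here is an added audit script that is not from the original thread or from Fortinet. It parses a constructed "config firewall vip" dump and lists the VIPs that would DNAT ACME traffic arriving on the WAN IP. The IP addresses, VIP names and the assumption that an unset extport means the FortiOS default 0-65535 are all assumptions made for the example.

```python
"""Flag FortiGate VIPs that would capture ACME traffic (80/443) on the WAN IP.

Added example, not Fortinet code. The config below is constructed for the
demo; addresses are documentation ranges."""
import ipaddress

ACME_PORTS = {80, 443}        # the two ports the answers above say ACME uses
WAN_IP = "203.0.113.10"       # assumption: interface IP the ACME cert is bound to

SAMPLE_VIP_CONFIG = """\
config firewall vip
    edit "web-all-ports"
        set extip 203.0.113.10
        set mappedip "10.0.0.5"
        set extintf "wan1"
    next
    edit "web-443"
        set extip 203.0.113.10
        set mappedip "10.0.0.5"
        set extintf "wan1"
        set portforward enable
        set extport 443
        set mappedport 443
    next
    edit "rdp-3389"
        set extip 203.0.113.10
        set mappedip "10.0.0.6"
        set extintf "wan1"
        set portforward enable
        set extport 3389
        set mappedport 3389
    next
    edit "other-ip"
        set extip 203.0.113.11
        set mappedip "10.0.0.8"
        set extintf "wan1"
    next
    edit "vs-https"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "wan1"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.0.0.9
                set port 443
            next
        end
    next
end
"""


def _covers_ip(extip_spec, ip):
    """True if a FortiOS extip ('a.b.c.d' or 'a.b.c.d-e.f.g.h') covers ip."""
    lo, _, hi = extip_spec.partition("-")
    lo = ipaddress.ip_address(lo)
    hi = ipaddress.ip_address(hi) if hi else lo
    return lo <= ipaddress.ip_address(ip) <= hi


def parse_vips(config_text):
    """Minimal parser for a 'config firewall vip' dump.

    Returns {vip_name: {setting: value}} for top-level entries only; nested
    blocks such as 'config realservers' are tracked by depth and skipped."""
    vips, current, depth = {}, None, 0
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
        elif line == "end":
            depth -= 1
        elif line.startswith("edit ") and depth == 1:
            current = line[5:].strip('"')
            vips[current] = {}
        elif line == "next" and depth == 1:
            current = None
        elif line.startswith("set ") and depth == 1 and current is not None:
            key, _, value = line[4:].partition(" ")
            vips[current][key] = value.strip('"')
    return vips


def acme_conflicts(config_text, wan_ip):
    """Return {vip_name: acme_ports_it_captures} for VIPs on wan_ip."""
    conflicts = {}
    for name, cfg in parse_vips(config_text).items():
        if not _covers_ip(cfg.get("extip", "0.0.0.0"), wan_ip):
            continue                                   # different external IP
        virtual_server = cfg.get("type", "static-nat") == "server-load-balance"
        if not virtual_server and cfg.get("portforward", "disable") != "enable":
            captured = set(ACME_PORTS)                 # whole-IP DNAT: every port
        else:
            # assumption: unset extport means the FortiOS default 0-65535
            lo, _, hi = cfg.get("extport", "0-65535").partition("-")
            lo = int(lo)
            hi = int(hi) if hi else lo
            captured = {p for p in ACME_PORTS if lo <= p <= hi}
        if captured:
            conflicts[name] = captured
    return conflicts


if __name__ == "__main__":
    for name, ports in sorted(acme_conflicts(SAMPLE_VIP_CONFIG, WAN_IP).items()):
        print(f"{name}: would DNAT ACME port(s) {sorted(ports)}")
```

Running it against the constructed config reports "web-all-ports" (no port forwarding, so all ports), "web-443" and the virtual server "vs-https" (extport 443), while "rdp-3389" and the VIP on a different external IP are left alone. The script only looks at VIP objects; it says nothing about admin access on the interface or the management port, which the later posts in this thread ask about.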
Hi @tpatel !
If I configure a VIP with "extport" set to 443, will FortiGate use port 80 for ACME?
Thanks!
Hi @AlexFerenX,
Please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Let-s-Encrypt-failing-to-provision-due-to-...
Regards,
Created on 11-10-2024 12:48 PM Edited on 11-10-2024 01:38 PM
Is the answer to my question that I can force ACME to use port 80 only if I also set "admin-telnet-port 443" and exclude "telnet" from "allowaccess" on the interface being used for ACME? Is that correct?
So, similarly, if my current "management-port" is the default "443", and "https" is excluded from "allowaccess", as it normally would be on an external interface, wouldn't FortiGate use port 80 for ACME by default?
Thanks!