Hi!
In ACME certificate support see "It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS)". Since port-forwarding and Virtual Servers are a feature of VIP object, this text is unclear (to me).
Does the requirement refer to ALL VIPs (ie. config firewall vip), or only those with portforward=enable?
Does the requirement also include VIPs configured with realservers?
Thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi, it means the VIP that has the port forward enabled over the ports 80 or 443, VIP if doesnt have port forwarding enable will apply to all ports so this will also cause issue
https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support
Hi!
anyone at Fortinet can answer my two questions?
Thanks!
Hello Alex,
For acme certificate port 443 and port 80 is going to be used so if vip is configured for port 443 or 80 then all traffic is going to dnat using vip which is going cause issue for acme.
Not for all VIP but with vip which is created using fortigate wan interface ipaddress and it will be only for port 443 and port 80.
Regarding VIP configuration.
we can configured port forward then only specific port traffic is dnat or if we disable port forwading then all traffic is DNAT to internal server means it going to be 443 and port 80 also.
In virtual server if we configured for port 443 and 80then only it going to dnat acme traffic also.
Hi @tpatel !
if I configure a VIP with “extport” set to 443, will Fortigate use port 80 for ACME?
Thanks!
Hi @AlexFerenX,
Please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Let-s-Encrypt-failing-to-provision-due-to-...
Regards,
Created on 11-10-2024 12:48 PM Edited on 11-10-2024 01:38 PM
is the answer to my question is that I can force ACME to use port 80 only if I also set “admin-telnet-port 443” and exclude “telnet” from “allowaccess” on interface being used for ACME - correct?
So, similarly, if my current “management-port” is the default “443”, and “https” is excluded from “allowaccess”, as it normally would be on external interface, wouldn’t Fortigate use port 80 for ACME by default?
Thanks!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.