Hi everybody.
I have the problem of receiving a privacy error when trying to access the 60F (firmware 7.6.0) from the LAN.
The real problem is that blocked pages don't display the correct FortiGate blocking page.
I have set up the Let's Encrypt ACME certificate and it works for connections from outside the LAN. The privacy error is given because I use https://192.168.1.1 and the expected certificate is for xxxx.fortiddns.com (used for Let's Encrypt).
I have, of course, imported the Fortinet_CA_SSL certificate on the user's endpoint.
I also tried to regenerate the certificate and re-import it, without any change.
I have an identical device working on another site, with exactly the same configuration, that doesn't have this issue. I really can't understand the reason or how to solve it.
Thanks for helping.
Let's Encrypt will not give you a certificate that is valid for an IP address, so accessing the FortiGate GUI over an IP (e.g. "https://1.2.3.4") is currently impossible with a LetsEncrypt-issued certificate.
For the certificate to be considered valid, you need to use an address that is included in the Certificate's SAN field (Subject Alternative Name), which in your case will probably be the xxx.fortiddns.com.
ref: https://community.letsencrypt.org/t/why-are-ip-certificate-not-available/196022
thank you for answering.
I ask, then:
1) if you use Let's Encrypt then you can't use Fortigate's blocking pages?
2) Why is another identical device working?
I'm confused :(
What you see in the screenshot is not a block page by FortiGate.
That's just a general certificate warning page by the browser.
But if you're trying to use a LetsEncrypt certificate for UTM blocking (e.g. webfilter), don't bother trying. You need a CA certificate for inspection, and LE will not give you that either. (nobody will, you need to make your own, either brand new, or as a part of an existing PKI/CA structure that may already be in place)
Re 2): it's simply not possible. So it cannot actually be an identical setup. Review the details again, thoroughly.
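The two replies above describe two separate checks a browser performs before it trusts an HTTPS endpoint: the certificate must chain to a CA the endpoint trusts, and the host in the URL must appear in the certificate's Subject Alternative Name list. The following is an added illustration of both checks, not FortiOS, browser, or Let's Encrypt code. The `Cert` class, the issuer names `PublicCA` and `Fortinet_CA_SSL` as used here, and all sample SAN values are constructed for the example; only the SAN-matching rules (an IP literal matches only an iPAddress entry, a wildcard covers exactly one leftmost label, the CN is ignored) follow the standard browser behaviour.

```python
"""Model of the two checks a browser applies to an HTTPS certificate:
(1) the chain must end at a trusted CA and (2) the requested host must match a
Subject Alternative Name. Added illustration only; not FortiOS or browser code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for an X.509 leaf certificate (constructed for this example)."""
    issuer: str
    san_dns: list = field(default_factory=list)   # dNSName entries
    san_ip: list = field(default_factory=list)    # iPAddress entries


def _dns_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style name comparison: case-insensitive, and a wildcard is only
    accepted as the entire leftmost label, where it covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.example.com" matches "www.example.com" but not "example.com"
    # or "a.b.example.com".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def name_matches(cert: Cert, requested: str) -> bool:
    """Match the URL host against the SAN list. An IP literal such as
    192.168.1.1 is compared only with iPAddress entries; dNSName entries never
    satisfy it, which is why a DNS-only certificate fails for https://<ip>."""
    try:
        ip = ipaddress.ip_address(requested)
    except ValueError:
        return any(_dns_matches(p, requested) for p in cert.san_dns)
    return any(ipaddress.ip_address(e) == ip for e in cert.san_ip)


def validate(cert: Cert, requested: str, trusted_cas: set) -> str:
    """Return 'ok', or the reason a browser would show a privacy error."""
    if cert.issuer not in trusted_cas:
        return f"untrusted issuer: {cert.issuer}"
    if not name_matches(cert, requested):
        return f"name mismatch: {requested} not in SAN"
    return "ok"


# Constructed sample data mirroring the thread.
TRUST_STORE = {"PublicCA", "Fortinet_CA_SSL"}          # endpoint with the Fortinet CA imported
LE_CERT = Cert(issuer="PublicCA", san_dns=["xxxx.fortiddns.com"])
BLOCK_PAGE_CERT = Cert(issuer="Fortinet_CA_SSL", san_dns=["*.example.com"])

if __name__ == "__main__":
    for cert, host in [(LE_CERT, "xxxx.fortiddns.com"), (LE_CERT, "192.168.1.1"),
                       (BLOCK_PAGE_CERT, "www.example.com")]:
        print(f"{host:22} -> {validate(cert, host, TRUST_STORE)}")
```

Running the script shows the GUI certificate passing for the FortiDDNS name and failing with a name mismatch for the LAN IP, while the block page (served under the `Fortinet_CA_SSL` issuer for the blocked site's name) validates only on an endpoint whose trust store contains that CA.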
What's the Let's Encrypt certificate utility then?