FortiNet_Newb
Contributor

FortiClient EMS with Let's Encrypt ACME Renewal Configuration

We are using FortiClient EMS to manage all of our endpoints and would like a better process for renewing the EMS server's certificate.
One of the requirements for using a Let's Encrypt ACME certificate with the auto-renew feature enabled is to leave the EMS server accessible from the internet via ports 80 AND 443. Unfortunately, allowing traffic over port 443 also leaves the EMS server's administration sign-in page exposed to the internet.

Is there any way to prevent access to the EMS server's login page while also using the certificate auto-renew feature? Unfortunately, Let's Encrypt does not publish its IP ranges, so access over 443 cannot be restricted to certain IPs only.
Currently, we temporarily allow the necessary access while we manually renew the certificate and then revert the change to block it once the certificate is renewed. This defeats the purpose of automatic renewal.
What are others doing to handle this? There doesn't appear to be a way to change the administration page's port to anything other than 443 if certificate renewal is on.
Thanks!

Anthony_E
Community Manager

Hello,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Anthony-Fortinet Community Team.
FortiNet_Newb
Contributor

I just tested this and found that, while the EMS documentation states that both port 80 and port 443 are required for ACME to function (which seems to make sense, since HTTP -> HTTPS forwarding is enabled/mandatory when enabling the ACME functionality), just allowing incoming traffic on port 80 while still blocking 443 allowed the certificate to renew.
Even though the EMS server is configured to redirect all HTTP requests to HTTPS, somehow the ACME service must still be able to access the file in the http://xxx.xxx.xxx/.well-known/acme-challenge/ folder. Not sure how, since I would think the renewal request would get redirected to https://xxx.xxx.xxx/.well-known/acme-challenge/, but it works. With this configuration, the management login page cannot be accessed since port 443 is blocked, and the cert is able to be auto-renewed over just port 80, so I guess problem solved.
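The behaviour reported in the post above (the challenge path answered over plain HTTP while every other path, the admin login page included, is redirected to HTTPS) can be modelled and checked locally. The following is an added example, not code from this thread, from Fortinet or from Let's Encrypt; it stands in a hypothetical front end for the EMS server and a pre-flight probe that fetches the challenge URL without following redirects, which is the request the CA's http-01 validator has to complete when port 443 is blocked. The hostname `ems.example.invalid`, the token/key-authorization pair and the front-end logic are all constructed assumptions; the thread does not confirm how EMS itself handles the path.

```python
"""
Added example (not from the thread, Fortinet or Let's Encrypt). Models a plain-HTTP
front end that serves ACME http-01 challenge files directly and redirects every
other path to HTTPS, plus a pre-flight checker that never follows redirects.
Host, port, token and the front-end behaviour are assumptions, not EMS internals.
"""
import http.client
import http.server
import socket
import threading

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Constructed token -> key-authorization map; real values come from the ACME order.
TOKENS = {"demo-token": "demo-token.constructed-account-thumbprint"}
# Assumed public name of the EMS server; only used to build the Location header.
PUBLIC_HOST = "ems.example.invalid"


class ChallengeFrontEnd(http.server.BaseHTTPRequestHandler):
    """Challenge path is answered over HTTP; everything else is sent to 443."""

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            key_auth = TOKENS.get(self.path[len(CHALLENGE_PREFIX):])
            if key_auth is None:
                self.send_error(404)
                return
            data = key_auth.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
            return
        # Any other path (including the admin login page) is redirected to HTTPS,
        # which only works for a client that can actually reach port 443.
        self.send_response(301)
        self.send_header("Location", "https://" + PUBLIC_HOST + self.path)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Serve the front end on an ephemeral loopback port in a background thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), ChallengeFrontEnd)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(host, port, path, timeout=5):
    """GET one path over plain HTTP and return status/Location/body; no redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": PUBLIC_HOST})
        resp = conn.getresponse()
        return {"status": resp.status,
                "location": resp.getheader("Location"),
                "body": resp.read().decode(errors="replace")}
    finally:
        conn.close()


def classify(result, expected_body=None):
    """Summarise what an http-01 validator would see for that URL."""
    if result["status"] == 200 and (expected_body is None or result["body"] == expected_body):
        return "served-over-http"
    if result["status"] in (301, 302, 307, 308) and (result["location"] or "").startswith("https://"):
        return "redirected-to-https"  # validation would then depend on 443 being open
    return "unexpected"


def port_closed(host, port, timeout=2.0):
    """True if a TCP connect fails: the state you want for 443 seen from the internet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return False
    except OSError:
        return True


if __name__ == "__main__":
    srv = start_server()
    host, port = srv.server_address
    print("challenge :", classify(probe(host, port, CHALLENGE_PREFIX + "demo-token"),
                                  TOKENS["demo-token"]))
    print("login page:", classify(probe(host, port, "/")))
    srv.shutdown()
    srv.server_close()
    print("port closed after shutdown:", port_closed(host, port))
```

Against a real EMS host the same `probe` call pointed at the public name on port 80 tells you, before the next renewal window, whether the challenge path comes back as `served-over-http` or `redirected-to-https`; in the second case the renewal will depend on port 443 being reachable from the CA, and `port_closed` run from outside the perimeter confirms that the login page really is unreachable.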
btan
Staff

Hello,
To make use of ACME auto cert renewal, both port 80 and 443 on your EMS FQDN must be publicly accessible. Our customers usually temporarily unblock both ports to renew the ACME cert; there is no workaround for using this free service.

Regards,
Bon