Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate Let's Encrypt auto renewal's Q's
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate Let's Encrypt auto renewal's Q's
We deploy full public SSL Certificate's on our Fortigate's. To save $ we are looking at the Let's Encrypt free certificate. There are a few questions I have about this.
1. Does it auto renew, if so what interval? Since LE certs are valid 90 days and suggest renewal interaval is 60 days.
2. On renewal, does it replace the existing certificate and get re-assigned to the needed Admin and if in place SSL VPN, and or where ever else it was selected?
3. on replacing the SSL Certifcate on the SSL VPN it will disconnect users. How can we schedule the auto
renewal in off hours?
4. I know port 80 cannot be used on the wan interface that is resolved to the public DNS name. What happens if the admin port is on a custom port like 8443 o 10443? To not conflict with SSL VPN portal.
5. DDNS seems only to be supported in FGT 1000's and above. Is this going to come to the SMB models?
Labels:
- Labels:
-
FortiGate
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mr_vaughn ,
Can you explain further where did you implement this let's encrypt? It is for SSLVPN, Fortigate GUI or something else?
haiqal
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For both web admin GUI and SSL VPN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Does it auto renew, if so what interval? Since LE certs are valid 90 days and suggest renewal interaval is 60 days.
--- It renews from Lets encrypt but on Fortigate you have to upload the new Certificate again. Its not Fortigate only, any devices you have to update the new certificate.
2. On renewal, does it replace the existing certificate and get re-assigned to the needed Admin and if in place SSL VPN, and or where ever else it was selected?
- No, you have to upload new cert again.
3. on replacing the SSL Certifcate on the SSL VPN it will disconnect users. How can we schedule the auto
renewal in off hours? - Renewal is from lets encrypt side, ON Fortigate you can choose when you want to update the certificate.
4. I know port 80 cannot be used on the wan interface that is resolved to the public DNS name. What happens if the admin port is on a custom port like 8443 o 10443? To not conflict with SSL VPN portal. ---- Even then certificate can be used.
Rosa Technocrat --
Also on YouTube---
Please do Subscribe
Also on YouTube---
Please do Subscribe
Rosa Technocrat --Also on YouTube---Please do Subscribe
Created on 02-26-2023 11:29 AM Edited on 02-26-2023 11:29 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your understanding seems that the certificate and private key are done externally.
in 6.4, 7.x you can do it all on the Fortigate.
Your deployment with a backend Apache or IIS server on the inside and exported then imported the cert in your deployment.
As per this if should all be done on the Fortigate.
and this shows the daemon on the FGT that executes the renewal
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it seem you are thinking I am having an internal web server with ACME on it. The new FGT 6.4.x & 7.x have ACME on the Fortigate itself.
1. Your answer - I know it renews from Let's Encrypt. - but at what interval? The AMCE for IIS for Let's encrpt you can set the renewal interval to 60 days. Or doe the FGT only renew the cert once expired? Why do you have to update "other" devices? this is only FGT.
2. If the AMCE demon on the FGt is do it for you into the Local Cert store on the FGT. Why do you have to upload it?
3. Private key never leaves the FGT. And yes renewal from FGT to Let's Encrypt is done by both sides.
4. In FGt you can select which cert you want to use on Admin side, SSL inspection & SSL VPN. I know you can use any cer. But if the ACME demon on the FGT is expection validation of the cert to be on the STD 443 on the public facing side would it break the ACME generation process and/or the renewal.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems nobody knows how it all works..
Created on 04-17-2023 05:13 AM Edited on 04-17-2023 05:14 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do believe ACME is mostly poorly documented and even less represented in GUI at this time of writing. I myself wonder if the firewall will replace certificate itself, because it auto-renewed cert today and still the old one is being used for web management. The only indication of success (which is not shown in GUI) is this last string in CLI from log:
# get vpn certificate local details LTSNCR
== [ LTSNCR ]
Name: LTSNCR
Subject: CN = example.com
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid from: 2023-01-23 20:13:13 GMT
Valid to: 2023-04-23 20:13:12 GMT
Fingerprint: CA:1C:DB:D0:2E:47:2B:2E:4B:0F:AC:3C:01:52:4D:B6
Serial Num: 03:35:fa:a6:0c:3f:d3:5c:33:80:75:82:e8:f8:0f:70:0e:81
ACME details:
Status: The certificate for the managed domain has been renewed successfully and can be used (valid since Tue, 24 Jan 2023 20:13:13 GMT).
Staging status: The certificate for the managed domain has been renewed successfully and can be used from Tue, 18 Apr 2023 10:47:09 GMT on.
So judging from this output, I guess there is a temporary staging store (not visible in GUI), where renewed certs are held until current certs expire and then they should automatically be swapped. Really strange behavior though, every other certbot/letsencrypt environment I've seen and worked with would automatically update active cert on renewal.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: Certificate for system management webserver has been automatically replaced in one day. Now I can see new cert when connecting to the firewall and there is nothing in staging.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Outbound firewall auth + Microsoft Entra... 184 Views
- Certificate error in internal lan 522 Views
- FortiClient SSL VPN - SSO/SAML Issue 724 Views
- what type Encryption is uses in... 223 Views
- URL Filter for Let's Encrypt HTTP-01... 358 Views
Labels
-
FortiGate
8,359 -
FortiClient
1,692 -
5.2
801 -
FortiManager
705 -
5.4
639 -
FortiAnalyzer
535 -
FortiSwitch
452 -
FortiAP
447 -
6.0
416 -
FortiClient EMS
394 -
5.6
362 -
FortiMail
308 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
208 -
5.0
196 -
FortiWeb
194 -
IPsec
177 -
FortiNAC
171 -
FortiGuard
133 -
6.4
128 -
SD-WAN
105 -
FortiGateCloud
100 -
FortiSIEM
96 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
82 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
68 -
4.0MR3
64 -
FortiProxy
57 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
50 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
27 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Application control
24 -
Web profile
23 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiPAM
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
OSPF
15 -
FortiGate v5.0
14 -
WAN optimization
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
FortiAP profile
9 -
Proxy policy
9 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
Explicit proxy
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1634 | |
| 1063 | |
| 751 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.