- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate Let's Encrypt auto renewal's Q's
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate Let's Encrypt auto renewal's Q's
We deploy full public SSL Certificate's on our Fortigate's. To save $ we are looking at the Let's Encrypt free certificate. There are a few questions I have about this.
1. Does it auto renew, if so what interval? Since LE certs are valid 90 days and suggest renewal interaval is 60 days.
2. On renewal, does it replace the existing certificate and get re-assigned to the needed Admin and if in place SSL VPN, and or where ever else it was selected?
3. on replacing the SSL Certifcate on the SSL VPN it will disconnect users. How can we schedule the auto
renewal in off hours?
4. I know port 80 cannot be used on the wan interface that is resolved to the public DNS name. What happens if the admin port is on a custom port like 8443 o 10443? To not conflict with SSL VPN portal.
5. DDNS seems only to be supported in FGT 1000's and above. Is this going to come to the SMB models?
Labels:
- Labels:
-
FortiGate
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @mr_vaughn ,
Can you explain further where did you implement this let's encrypt? It is for SSLVPN, Fortigate GUI or something else?
haiqal
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For both web admin GUI and SSL VPN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1. Does it auto renew, if so what interval? Since LE certs are valid 90 days and suggest renewal interaval is 60 days.
--- It renews from Lets encrypt but on Fortigate you have to upload the new Certificate again. Its not Fortigate only, any devices you have to update the new certificate.
2. On renewal, does it replace the existing certificate and get re-assigned to the needed Admin and if in place SSL VPN, and or where ever else it was selected?
- No, you have to upload new cert again.
3. on replacing the SSL Certifcate on the SSL VPN it will disconnect users. How can we schedule the auto
renewal in off hours? - Renewal is from lets encrypt side, ON Fortigate you can choose when you want to update the certificate.
4. I know port 80 cannot be used on the wan interface that is resolved to the public DNS name. What happens if the admin port is on a custom port like 8443 o 10443? To not conflict with SSL VPN portal. ---- Even then certificate can be used.
Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
Created on 02-26-2023 11:29 AM Edited on 02-26-2023 11:29 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your understanding seems that the certificate and private key are done externally.
in 6.4, 7.x you can do it all on the Fortigate.
Your deployment with a backend Apache or IIS server on the inside and exported then imported the cert in your deployment.
As per this if should all be done on the Fortigate.
and this shows the daemon on the FGT that executes the renewal
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it seem you are thinking I am having an internal web server with ACME on it. The new FGT 6.4.x & 7.x have ACME on the Fortigate itself.
1. Your answer - I know it renews from Let's Encrypt. - but at what interval? The AMCE for IIS for Let's encrpt you can set the renewal interval to 60 days. Or doe the FGT only renew the cert once expired? Why do you have to update "other" devices? this is only FGT.
2. If the AMCE demon on the FGt is do it for you into the Local Cert store on the FGT. Why do you have to upload it?
3. Private key never leaves the FGT. And yes renewal from FGT to Let's Encrypt is done by both sides.
4. In FGt you can select which cert you want to use on Admin side, SSL inspection & SSL VPN. I know you can use any cer. But if the ACME demon on the FGT is expection validation of the cert to be on the STD 443 on the public facing side would it break the ACME generation process and/or the renewal.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Seems nobody knows how it all works..
Created on 04-17-2023 05:13 AM Edited on 04-17-2023 05:14 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do believe ACME is mostly poorly documented and even less represented in GUI at this time of writing. I myself wonder if the firewall will replace certificate itself, because it auto-renewed cert today and still the old one is being used for web management. The only indication of success (which is not shown in GUI) is this last string in CLI from log:
# get vpn certificate local details LTSNCR
== [ LTSNCR ]
Name: LTSNCR
Subject: CN = example.com
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid from: 2023-01-23 20:13:13 GMT
Valid to: 2023-04-23 20:13:12 GMT
Fingerprint: CA:1C:DB:D0:2E:47:2B:2E:4B:0F:AC:3C:01:52:4D:B6
Serial Num: 03:35:fa:a6:0c:3f:d3:5c:33:80:75:82:e8:f8:0f:70:0e:81
ACME details:
Status: The certificate for the managed domain has been renewed successfully and can be used (valid since Tue, 24 Jan 2023 20:13:13 GMT).
Staging status: The certificate for the managed domain has been renewed successfully and can be used from Tue, 18 Apr 2023 10:47:09 GMT on.
So judging from this output, I guess there is a temporary staging store (not visible in GUI), where renewed certs are held until current certs expire and then they should automatically be swapped. Really strange behavior though, every other certbot/letsencrypt environment I've seen and worked with would automatically update active cert on renewal.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: Certificate for system management webserver has been automatically replaced in one day. Now I can see new cert when connecting to the firewall and there is nothing in staging.
Related Posts
- VPN intermittent traffic lost, found reverse... 837 Views
- FortiGate License Renewal 453 Views
- FortiClient IPSec Remote Access Connection issues. 662 Views
- strange routing behaviour (sslvpn > site... 1010 Views
- Fail with site-to-site with Fg to... 1305 Views
Labels
-
FortiGate
6,445 -
FortiClient
1,286 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
410 -
5.6
362 -
FortiSwitch
330 -
FortiAP
326 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
66 -
4.0MR3
64 -
Wireless Controller
57 -
SSL-VPN
53 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
ZTNA
15 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
DNS
11 -
Interface
11 -
BGP
10 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
Intrusion prevention
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.