Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
mr_vaughn
New Contributor III

Fortigate Let's Encrypt auto renewal's Q's

We deploy full public SSL Certificate's on our Fortigate's. To save $ we are looking at the Let's Encrypt free certificate. There are a few questions I have about this.

1. Does it auto renew, if so what interval? Since LE certs are valid 90 days and suggest renewal interaval is 60 days.

2. On renewal, does it replace the existing certificate and get re-assigned to the needed Admin and if in place SSL VPN, and or where ever else it was selected?

3. on replacing the SSL Certifcate on the SSL VPN it will disconnect users. How can we schedule the auto

renewal in off hours?

4. I know port 80 cannot be used on the wan interface that is resolved to the public DNS name. What happens if the admin port is on a custom port like 8443 o 10443? To not conflict with SSL VPN portal.

5. DDNS seems only to be supported in FGT 1000's and above. Is this going to come to the SMB models?

8 REPLIES 8
Muhammad_Haiqal

Hi @mr_vaughn ,

Can you explain further where did you implement this let's encrypt? It is for SSLVPN, Fortigate GUI or something else?

haiqal
mr_vaughn

For both web admin GUI and SSL VPN.

rosatechnocrat
Contributor II

1. Does it auto renew, if so what interval? Since LE certs are valid 90 days and suggest renewal interaval is 60 days.   

--- It renews from Lets encrypt but on Fortigate you have to upload the new Certificate again.  Its not Fortigate only, any devices you have to update the new certificate. 

 

2. On renewal, does it replace the existing certificate and get re-assigned to the needed Admin and if in place SSL VPN, and or where ever else it was selected?

 

- No, you have to upload new cert again. 

3. on replacing the SSL Certifcate on the SSL VPN it will disconnect users. How can we schedule the auto

renewal in off hours? - Renewal is from lets encrypt side, ON Fortigate you can choose when you want to update the certificate. 

4. I know port 80 cannot be used on the wan interface that is resolved to the public DNS name. What happens if the admin port is on a custom port like 8443 o 10443? To not conflict with SSL VPN portal.  ---- Even then certificate can be used. 

 

Rosa Technocrat --

Also on YouTube---

Please do Subscribe
Rosa Technocrat --Also on YouTube---Please do Subscribe
mr_vaughn

Your understanding seems that the certificate and private key are done externally.
in 6.4, 7.x you can do it all on the Fortigate.

 

Your deployment with a backend Apache or IIS server on the inside and exported then imported the cert in your deployment.

As per this if should all be done on the Fortigate.

https://docs.fortinet.com/document/fortigate/7.0.10/administration-guide/822087/acme-certificate-sup...

and
https://community.fortinet.com/t5/FortiGate/Technical-Tip-ACME-certificate-enrollment-with-SSL-VPN/t...

 

and this shows the daemon on the FGT that executes the renewal

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Let-s-Encrypt-certificate-did-not-automati...

 

mr_vaughn

it seem you are thinking I am having an internal web server with ACME on it. The new FGT 6.4.x & 7.x have ACME on the Fortigate itself.

1. Your answer - I know it renews from Let's Encrypt. - but at what interval? The AMCE for IIS for Let's encrpt you can set the renewal interval to 60 days. Or doe the FGT only renew the cert once expired? Why do you have to update "other" devices? this is only FGT.

2. If the AMCE demon on the FGt is do it for you into the Local Cert store on the FGT. Why do you have to upload it?

3. Private key never leaves the FGT. And yes renewal from FGT to Let's Encrypt is done by both sides.

4. In FGt you can select which cert you want to use on Admin side, SSL inspection & SSL VPN. I know you can use any cer. But if the ACME demon on the FGT is expection validation of the cert to be on the STD 443 on the public facing side would it break the ACME generation process and/or the renewal.

mr_vaughn
New Contributor III

Seems nobody knows how it all works..

Flanger
New Contributor II

I do believe ACME is mostly poorly documented and even less represented in GUI at this time of writing. I myself wonder if the firewall will replace certificate itself, because it auto-renewed cert today and still the old one is being used for web management. The only indication of success (which is not shown in GUI) is this last string in CLI from log:

 

# get vpn certificate local details LTSNCR
== [ LTSNCR ]
Name: LTSNCR
Subject: CN = example.com
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid from: 2023-01-23 20:13:13 GMT
Valid to: 2023-04-23 20:13:12 GMT
Fingerprint: CA:1C:DB:D0:2E:47:2B:2E:4B:0F:AC:3C:01:52:4D:B6
Serial Num: 03:35:fa:a6:0c:3f:d3:5c:33:80:75:82:e8:f8:0f:70:0e:81
ACME details:
Status: The certificate for the managed domain has been renewed successfully and can be used (valid since Tue, 24 Jan 2023 20:13:13 GMT).
Staging status: The certificate for the managed domain has been renewed successfully and can be used from Tue, 18 Apr 2023 10:47:09 GMT on.

 

 

So judging from this output, I guess there is a temporary staging store (not visible in GUI), where renewed certs are held until current certs expire and then they should automatically be swapped. Really strange behavior though, every other certbot/letsencrypt environment I've seen and worked with would automatically update active cert on renewal.

Flanger
New Contributor II

Update: Certificate for system management webserver has been automatically replaced in one day. Now I can see new cert when connecting to the firewall and there is nothing in staging.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors