Let's Encrypt and FortiGate
Do you know if it's possible to use a Let's Encrypt-generated certificate on the FortiGate for the VPN Portal?
No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use StartSSL.
Mhe has it right.
Natively the answer is NO, but you have ways around this. Use a Linux distro, build a CSR/private key, sign the CSR, and then export and re-import it in the FortiGate.
Yes, any X.509-compatible certificate will work in a FortiGate, but the native means of "Let's Encrypt" make it not a 1-2-3 easy-do method.
PCNSE
NSE
StrongSwan
The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is for 90 days.
"Our certificates are valid for 90 days. You can read about why here."
https://letsencrypt.org/docs/faq/
-N
So here's what I did using a Raspberry Pi, but it can easily be used on other platforms...

FortiGate:
1. System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem.
2. VPN -> SSL -> Settings. Change Server Certificate.
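As an added example (not the poster's script, and not Fortinet's code), the checks below are the ones worth running on a certbot output directory before uploading cert.pem and privkey.pem through the import dialog above: that the key really belongs to the certificate, that the issuer is not a staging CA, and how close the 90-day certificate is to its renewal window. It assumes openssl is on PATH, certbot-style file names, and that a staging issuer is recognisable by the string "STAGING" in its name; the self-signed test pair it builds is constructed for the demo.

```bash
#!/bin/sh
# Added example: pre-import checks for a Let's Encrypt cert/key pair.
# Assumptions: openssl on PATH; certbot-style cert.pem / privkey.pem names;
# staging issuers carry "STAGING" in the issuer name.

# check_pair CERT KEY: succeeds only when KEY is the private key for CERT,
# the mismatch a FortiGate import would otherwise reject.
check_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# is_staging CERT: succeeds when the issuer is a staging (untrusted) CA.
is_staging() {
  openssl x509 -in "$1" -noout -issuer | grep -q 'STAGING'
}

# needs_renewal CERT DAYS: succeeds when CERT expires within DAYS days.
# For a 90-day certificate a 30-day window is the usual renewal trigger.
needs_renewal() {
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# preflight DIR DAYS: runs every check, prints each failure, returns 0 when
# the pair in DIR is safe to import and not yet due for renewal.
preflight() {
  rc=0
  check_pair "$1/cert.pem" "$1/privkey.pem" || { echo "key does not match cert"; rc=1; }
  if is_staging "$1/cert.pem"; then echo "issued by staging CA"; rc=1; fi
  if needs_renewal "$1/cert.pem" "$2"; then echo "expires within $2 days"; rc=1; fi
  return $rc
}

# make_test_cert DIR DAYS CN: constructs a self-signed pair (issuer = CN) so
# the checks can be exercised offline without a real ACME issuance.
make_test_cert() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$3" \
    -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Stand-alone run: a constructed 90-day pair passes with a 30-day window.
demo_dir=$(mktemp -d)
make_test_cert "$demo_dir" 90 vpn.example.com
preflight "$demo_dir" 30 && echo "ok to import: $demo_dir"
```

Point preflight at the live certbot directory (for example /etc/letsencrypt/live/<hostname>) before each manual re-import; a non-zero exit means stop and look at the printed reason.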
Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0.
New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library
Russ
NSE7
I can only comment on the new native FortiOS 7.0 LetsEncrypt/ACME2 implementation. Based on the available documentation, automation only seems to support HTTP/HTTPS verification, which makes sense given that the FortiGate wouldn't have any native way to insert or update public DNS records as required for DNS verification - at least not a way that would work broadly for all customers and the many, many public DNS hosting vendors that are out there.
To use DNS verification you'd probably have to go with one of the custom scripted solutions earlier in this thread and tailor it to your public DNS host.
Russ
NSE7
TecnetRuss wrote:
    I can only comment on the new native FortiOS 7.0 LetsEncrypt/ACME2 implementation. Based on the available documentation, automation only seems to support HTTP/HTTPS verification, which makes sense given that the FortiGate wouldn't have any native way to insert or update public DNS records as required for DNS verification - at least not a way that would work broadly for all customers and the many, many public DNS hosting vendors that are out there. To use DNS verification you'd probably have to go with one of the custom scripted solutions earlier in this thread and tailor it to your public DNS host.
    Russ
    NSE7

Could you please tell me where I can get such scripted solutions? Thank you!
I've just upgraded to 7.0.2 and found that the process of getting an ACME certificate has changed. Now I can get a certificate easily, but I am always getting a STAGING certificate:
I also tried to check the issued certificate and it showed an incomplete status:
I even added a DNS CAA record in my zone and tried to reissue, but it didn't help. I think it's because this feature is still under development by FG and there is a way to change the staging environment to production. Could you please advise me how to get a normal certificate?
I think the reason is that the ACME server used for issuing the certificate is STAGING, and I found where to set its variable (set acme-ca-url {string}). Possibly I can change it, but could you please help me do it the proper way, because I am a newbie in the FG CLI.
Yes
I did that and it works well
vusal.d wrote:
    Yes
    I did that and it works well

Could you please be so kind as to show the right steps to change the staging ACME server? Thanks a lot!