Do u know if it's possible to use a Let's Encrypt-generated certificate into the FortiGate for the VPN Portal?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use startssl
Mhe has it right.
Natively the answer is NO, but you have ways around this. Use a linux bistro build a csr/priv-key sign the csr and then export , re-import it in fortigate.
Yes any x509 compatible certificate will work in a fortigate but the native means of "let's encrypt" make it not a 1 2 3 easy-do method.
PCNSE
NSE
StrongSwan
The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.
"Our certificates are valid for 90 days. You can read about why here."
https://letsencrypt.org/docs/faq/
-N
So here's what I did using a raspberry pi, but can be easily used on other platforms...
[ol]
FortiGate:
[ol]System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem
VPN -> SSL -> Settings. Change Server Certificate.
Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0. New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library Russ NSE7
I can only comment on the new native FortiOS 7.0 LetsEncrypt/ACME2 implementation. Based on the available documentation, automation only seems to support HTTP/HTTPS verification, which makes sense given that the FortiGate wouldn't have any native way to insert or update public DNS records as required for DNS verification - at least not a way that would work broadly for all customers and the many, many public DNS hosting vendors that are out there.
To use DNS verification you'd probably have to go with one of the custom scripted solutions earlier in this thread and tailor it to your public DNS host.
Russ
NSE7
TecnetRuss wrote:could you please mention me where can I get such scripted solutions? thank you!
I can only comment on the new native FortiOS 7.0 LetsEncrypt/ACME2 implementation. Based on the available documentation, automation only seems to support HTTP/HTTPS verification, which makes sense given that the FortiGate wouldn't have any native way to insert or update public DNS records as required for DNS verification - at least not a way that would work broadly for all customers and the many, many public DNS hosting vendors that are out there. To use DNS verification you'd probably have to go with one of the custom scripted solutions earlier in this thread and tailor it to your public DNS host. Russ NSE7
i've just upgarded now to 7.0.2 and found that process of getting acme certificate was changed. now i can get certificate easily but I am always getting STAGING certificate:
I tried also to check issued certificate and it shown incomplete status:
I even added DNS CAA record in my zone and tried to reissue, but it couldn't help. I think it's because of this feature is still under developing by FG and there is a way how to change staging environment to production. could you pls advice me how to get normal certificate?
I think that reason is that ACME server which used for issuing certificate is STAGING and I found where to set its variable (set acme-ca-url {string}), possibly I can change but could you pls help me to do it proper way because I am newbie in FG CLI.
Yes
I did that and it works well
vusal.d wrote:could you please be so kind and show the right steps to change staging ACME server? thanks a lot!Yes
I did that and it works well
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1095 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.