Support Forum
Alby23
Contributor II

Let's Encrypt and FortiGate

Do you know if it's possible to use a Let's Encrypt-generated certificate on the FortiGate for the VPN Portal?

5 Solutions
mhe
Contributor II

No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use StartSSL.


emnoc
Esteemed Contributor III

Mhe has it right.

 

Natively the answer is NO, but you have ways around this. Use a Linux distro: build a CSR/private key, sign the CSR, and then export and re-import it in the FortiGate.

 

Yes, any X.509-compatible certificate will work in a FortiGate, but the native means of "Let's Encrypt" make it not a 1-2-3 easy-do method.

PCNSE NSE StrongSwan
NeilG

The problem with the manual import is that you will be running the manual process probably 5 times a year, as letsencrypt issuance is 90 days.

"Our certificates are valid for 90 days. You can read about why here."

https://letsencrypt.org/docs/faq/

 

-N


jtfinley

So here's what I did using a raspberry pi, but can be easily used on other platforms...

 

 

1. Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80, tcp/443 open. (Raspberry Pi - used CertBot)
2. Temporarily point a DNS A or CNAME record of your (Raspberry Pi Box) SSL VPN at the box you're going to run letsencrypt on.
3. Once it pulls dependencies, run letsencrypt using the example below:

   ./certbot-auto certonly --standalone -d vpn.yoursite.com -d

4. Change DNS records if required by pointing your DNS A record back at your SSL VPN IP.
5. Grab your pems from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem).

FortiGate:

1. System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem.
2. VPN -> SSL -> Settings. Change Server Certificate.
3. Repeat process every 90 days.
4. Setup CronJob to renew it.

    TecnetRuss

Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0.

New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library

Russ NSE7

    Psychodata

    For anyone finding this I was able to load up a CentOS 7 and used DNS verification. 

     

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

./certbot-auto -d vpn.domain.com --manual --preferred-challenges dns certonly

     

    It asks some questions, the end is below. 

     

NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.vpn.domain.com with the following value:

hFBS2IaC5exxxxxxxxxxxxLptVhZRSBi2_DNxrJmiAZDor8

Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges

Obviously, before I pressed enter to continue I hopped over to my DNS provider (in my case GoDaddy) and created the TXT record. I also switched to a different session on the box that I'm running certbot on and made sure I could resolve the verification text, since DNS may take a bit to propagate:

    dig -t txt _acme-challenge.vpn.iplaybaby.com | grep "hFBS2IaC5exxxxxxxxxxxxLptVhZRSBi2_DNxrJmiAZDor8"

    Then I switched back to my regular console and pressed enter, it verified and spat out my certs to /etc/letsencrypt/live/hostname/stuff

     

    SCP'd those certs down. 

     

Popped up the FortiGate admin pane, System -> Certificates (I had to System -> Feature Visibility -> Enable Certificates and save for this to show up) -> I did Import -> Local Certificate -> Certificate. I used the fullchain.pem (to be safe in case the FortiGate didn't trust the LE CA or whatever) and the privkey.


     

    Then I just had to go to VPN -> SSL VPN Settings -> Change the certificate 

     

    Et voila! 

     

    LE has some stuff around for setting up renewals too. My next venture will be seeing if I can figure out how to install the cert at the SSH of the fortigate or something. On other linux boxen I've done it with SCPing the cert to the host and then installing it. Thinking maybe I can do similar with the fortigate. 

     

Anywho, good luck fellow interneters. And remember the wisdom of XKCD:

    All long help threads should have a sticky globally-editable post at the top saying 'DEAR PEOPLE FROM THE FUTURE: Here's what we've figured out so far ...'

     

     

    Agent_1994

The problem is that they need you to use their tool, certbot, and it won't run on FortiGate.

There's also a manual mode, but AFAIK you can't upload custom files either.

     

What would I do? I'd set a Virtual IP on 80/443 pointing to a server under your control, where you can run certbot. Once the VIP is active, I'd run certbot, get the certificate and then import it on the FortiGate.

     

    The problem? You would have to do this every three months.

     

    emnoc
    Esteemed Contributor III

I agree with Agent_1994, and that's exactly how we do it. We use a VIP that we stroke for the DNS check and then reuse that IP address for the SSL termination point on a loopback.

     

It's a b#$#$@ that we have to do this, but we go through the process every 3 months and just take the SSL VPN down for 15 mins to re-import a certificate, and it works out very well for us.

     

    Ken

PCNSE NSE StrongSwan
    Psychodata

    So I found and tested this method. 

    http://kb.fortinet.com/kb/documentLink.do?externalID=FD35074

     

Still working on it, but it looks like I can SSH to the FortiGate and apply the SSL cert this way.

Just gotta work out the part about running the commands in the SSH session and passing it the certificate.

     

    emnoc
    Esteemed Contributor III

If you're this far, then you're golden and just need to build a script, add the PEM-format key and certificate, and cat it into the FGT.

     

e.g. (my filename == LETENC)

     

config vpn certificate local
    edit fgtLetsEncrypt
        set private-key "-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0580JLqtyx8NY
J12uvTZrYNJxyio3GmWJKvL+SPwY8c056WofC8OVOYOGCIBieb9cV87mnTQrwH/r
Vk4kXJQtRru7fsW6pX0fFrAXuBluJ8F2wrN3cuxajaHlj0ZJ4eDKeOc8YiUbE9ow
Wj+TpetXNKmNddCAqVJOnHrkHN5Fy4x9hUq3XroSIHHAaerwYYyZHpXkaAPnuhUZ
7Kc59dty/8dswGpy8daosPlldXlfrSJe+KkMuLY5IlkqRwyA/LQRvOY0wereI6GQ
bF1Hi2GcZfnr0auzkTrF//HCcrx3dYHAZwxXkuwDQUAYehry2NGI4q0bMxkS/1hL
lpkW65uZAgMBAAECggEANm50k+m17oBKt5CIsJX/9MkaKODCWPgZSu9gU8CUEdFX
hbBEnPjGLXUzrLWMI5UsTdWhzGPKmct+8clzE5/DeegJfn3DcshuYFdMPqbHCAzw
OhKVO0CZ+xkYeGDmrj5Hi8RbFyEUtxP/F4NgE8XdjMyso4KqbLwFpt+QXmiNPIRj
ixsprTurtnLQ1sfM5+K7Q8tqnuVXPt8oawssONsL3YeXcMDn7YOIEFvJurQAEl6w
05CK07fA2ED2KixcTNtMKdBbIiqgQ78Y2mwzdEhZNFhW7uOzNXiylvCDF0zyZoN8
s/XB6a6s/hGp8QOn6FcNX01bdzJKuyEcW0zh5wPOcQKBgQDlPpggSq5paLlABr0f
9DEe7D3QaYX0fZYdHouOTo9AW+C/ht7grkus3xFPfCU6US2QSxbM0D9L3NJ4OBe6
3XwAd0ezkgZZBA3cEHnLr/30cTEgnLclvZJBSOYsz5c40u3TJVDUrNMRnqP4GgPf
KfhZST8UmbzDpAPQtFLJFwpVJQKBgQDKBOzEHjtHiJb3O1kPe/4eobD6UHhUZny5
wTKNTnCoZxzjnuOD/59Gaku7OTlB5R0Ovo6gAeqGGpj9esdjfJYzPrECJxDBMaI4
Znmw8C+VU8ucIgiRPYsRHxFbOO+daCMoEDiVYZlTVySiuB2NP9J3J0meIgTNtcPA
PaGbk/K0ZQKBgAkr7e4szrmM5Qx4uIxUurpf/UEfV6qmc6EKnc69ueF7S4yeGsCm
eIScEBc8AklJAiepuWnMUxv347vHkrt5LQLfwtCeYP6iuOM7DYRmsCRdevexDWrH
INjXz82vKH+vgLBX59n6aB9mV20PrWP6S+NWmN18IR86qqRo8n71Gwa5AoGBAMHn
8j7Yabvirk0GKRkEwWkzGAVb4fPZH5TIjTY2+UmbF46f/u+/F2lmM+S0K3JFcRuq
6olI7Yvk0b5T8Dhc6GqtnQdc6ecWNgf+zIV6NaIWeVQXErQeJ3K6qFUwFEa5Iy2c
TEOOF7Z36ZFKOgtWHDwEeNQRAR1Wf1rxjUIgwxBFAoGBAJnxtzt8q7WIj1m1qZPZ
QrPZEY9MfAvXsczB1DfZ7sN5TlxdHv4sbMNU4EZSvAD6xKmbnaySQ80lTKwL+TgA
NSQZGZkqr431ueeEE1XXz9A4jh9Pc4svgUdp9QJNjTELEcGqjCujfBxq2EMPwINo
RZw/BxTiQ96y1HkVLkIUvx2l
-----END PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----
MIIFezCCBGOgAwIBAgIQCVV51wmtzlQAAAAAUN85OjANBgkqhkiG9w0BAQsFADCB
ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT
H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy
MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG
A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0x
NzEyMDEyMDI3MDNaFw0xODEyMDEyMDU3MDJaMIGGMQswCQYDVQQGEwJVUzEOMAwG
A1UECBMFVGV4YXMxDzANBgNVBAcTBkF1c3RpbjEgMB4GA1UEChMXUHVibGljIENv
bnN1bHRpbmcgR3JvdXAxDDAKBgNVBAsTA1BQTDEmMCQGA1UEAxMdc2J0ZXN0LnB1
YmxpY3BhcnRuZXJzaGlwcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC0580JLqtyx8NYJ12uvTZrYNJxyio3GmWJKvL+SPwY8c056WofC8OVOYOG
CIBieb9cV87mnTQrwH/rVk4kXJQtRru7fsW6pX0fFrAXuBluJ8F2wrN3cuxajaHl
j0ZJ4eDKeOc8YiUbE9owWj+TpetXNKmNddCAqVJOnHrkHN5Fy4x9hUq3XroSIHHA
aerwYYyZHpXkaAPnuhUZ7Kc59dty/8dswGpy8daosPlldXlfrSJe+KkMuLY5Ilkq
RwyA/LQRvOY0wereI6GQbF1Hi2GcZfnr0auzkTrF//HCcrx3dYHAZwxXkuwDQUAY
ehry2NGI4q0bMxkS/1hLlpkW65uZAgMBAAGjggGtMIIBqTAOBgNVHQ8BAf8EBAMC
BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwMwYDVR0fBCwwKjAooCagJIYiaHR0cDov
L2NybC5lbnRydXN0Lm5ldC9sZXZlbDFrLmNybDBLBgNVHSAERDBCMDYGCmCGSAGG
+mwKAQUwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEw
CAYGZ4EMAQICMGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDovL29j
c3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVzdC5u
ZXQvbDFrLWNoYWluMjU2LmNlcjBLBgNVHREERDBCgh1zYnRlc3QucHVibGljcGFy
dG5lcnNoaXBzLmNvbYIhd3d3LnNidGVzdC5wdWJsaWNwYXJ0bmVyc2hpcHMuY29t
MB8GA1UdIwQYMBaAFIKicHTdvFM/z3vU981/p2DGCky/MB0GA1UdDgQWBBR5IxFF
bMXRqzauIqKQ1iMnuwCd7zAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQDO
mOGvvwiNhrGuF0NTIhrBlcmaWu7Df4yHCVnFWASCkW/ueRinLrXtp2uZxRD7izJZ
ffp5qzdjiROtnkm1WNpI4jhnr8w1pHTjcMgpbZm2YnCk/b1u7CBGDtXykAcdNrj1
yZNZx3QZaNZnaWNnZ40YM/+5xjK1OJtNKa8y6Mt+YuVy3BeLqK1vfw4cue0j0Nbh
FbcQaTRWKtIyTu4s4fdebtsUEqwSZYxrL1l5VEuBn3l+yIBvBsWEOTEa1YjmL0Pd
ReEDsIR6ZuXIVi1eX7YAIrYEp2JTvzWZYfBqOc/YsUB7J1xZQGRNRnHqK2furyko
VLFU4qHPO+O6WMMFUn8z
-----END CERTIFICATE-----"
    next
end

     

and finally you run it:

     

cat LETENC | ssh kfelix.socpuppets@1.1.1.1

     

This will copy the content into the local cert store (private key and X.509 cert).

     

    Ken

     

PCNSE NSE StrongSwan
    emnoc
    Esteemed Contributor III

TIP: Also make sure you use " " for the priv-key 1st and then the "cert". You can hack up the LETENC seedfile with sed/awk whenever your certificate and key change, and repeat every 3 months or so.

     

I use this same approach above when mass-blasting free CAcert.org certificates also, btw.

     

    Ken

     

     

PCNSE NSE StrongSwan
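As an added example (not code from this thread, Fortinet, or certbot), here is the script jtfinley's "Setup CronJob" step, emnoc's LETENC seedfile and Psychodata's SSH idea add up to: a certbot deploy hook that renders the `config vpn certificate local` block from the freshly renewed PEMs (private key first, then the certificate, as emnoc's tip says, each PEM kept on its own lines inside the quotes) and pipes it to the FortiGate over SSH, after checking that the key actually belongs to the certificate. It relies on `RENEWED_LINEAGE`, which certbot sets when it runs a `--deploy-hook`, and uses the leaf cert.pem as jtfinley's steps do. `FGT_HOST`, `FGT_USER`, `FGT_CERTNAME`, the script name `fgt-deploy-hook.sh` and the placeholder PEM bodies in the demo path are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook that renders the
# FortiOS "config vpn certificate local" block from the renewed PEM files
# and pipes it to the FortiGate CLI over SSH ("cat LETENC | ssh ...").
# Assumptions (hypothetical): FGT_USER can log in to FGT_HOST with an SSH
# key, and the local certificate object is called FGT_CERTNAME.
set -eu

FGT_HOST="${FGT_HOST:-fgt.example.invalid}"      # placeholder host
FGT_USER="${FGT_USER:-admin}"                    # placeholder admin user
FGT_CERTNAME="${FGT_CERTNAME:-fgtLetsEncrypt}"   # object name used in the thread

# Refuse to push a key that does not belong to the certificate: compare the
# SHA-256 of the DER public key taken from each side. Needs openssl.
key_matches_cert() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Render the CLI block. The private key is set before the certificate, and
# each PEM is embedded verbatim (newlines included) inside the quotes.
build_fgt_config() {
    name="$1"; cert="$2"; key="$3"
    printf 'config vpn certificate local\n'
    printf '    edit "%s"\n' "$name"
    printf '        set private-key "%s"\n' "$(cat "$key")"
    printf '        set certificate "%s"\n' "$(cat "$cert")"
    printf '    next\n'
    printf 'end\n'
}

# Feed the rendered block to the FortiGate CLI over a non-interactive SSH session.
push_to_fortigate() {
    build_fgt_config "$FGT_CERTNAME" "$1" "$2" | ssh -o BatchMode=yes "$FGT_USER@$FGT_HOST"
}

main() {
    if [ -z "${RENEWED_LINEAGE:-}" ]; then
        # Not running under certbot: render a demo from constructed placeholder
        # PEMs (not real key material) so the output format can be inspected.
        demo=$(mktemp -d)
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'PLACEHOLDER-KEY-BODY' '-----END PRIVATE KEY-----' > "$demo/privkey.pem"
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CERT-BODY' '-----END CERTIFICATE-----' > "$demo/cert.pem"
        build_fgt_config "$FGT_CERTNAME" "$demo/cert.pem" "$demo/privkey.pem"
        rm -rf "$demo"
        return 0
    fi
    # certbot sets RENEWED_LINEAGE to e.g. /etc/letsencrypt/live/vpn.yoursite.com
    cert="$RENEWED_LINEAGE/cert.pem"
    key="$RENEWED_LINEAGE/privkey.pem"
    key_matches_cert "$cert" "$key" || { echo "key does not match certificate, not pushing" >&2; exit 1; }
    push_to_fortigate "$cert" "$key"
}

# Run only when executed under the hook's file name, so the functions can be sourced.
case "${0##*/}" in fgt-deploy-hook.sh) main ;; esac
```

Wire it in with `certbot renew --deploy-hook /path/to/fgt-deploy-hook.sh` from the cron job; run the script by hand without `RENEWED_LINEAGE` set to see the rendered block. Because it re-imports into the same object name the SSL VPN server-certificate setting already points at, the GUI step only has to be done once, which is the point of the thread's 90-day loop. The key/certificate match check is there because a mismatched pair pushed over SSH fails inside the FortiGate with little context, and the only time you find out is when the old certificate expires.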
    Infantryman
    New Contributor

    Yes, it is. It is even possible with a self-signed certificate.

     

    1- Go under: System --> Certificates then Import your certificate & CA.

    2- Go under: VPN --> SSL --> Settings --> Connection Settings --> Server Certificate then choose the Let's Encrypt certificate.

     

    cookem

Anyone have any luck creating a script for automated cert renewal?

    peter_wickenberg

I solved it by setting up a reverse proxy using Traefik and Let's Encrypt to give me access to management and SSL VPN through the proxy. That way I get automatically updated certificates for both services by bouncing it on the inside, and I can't say it's affecting performance either.

    absmith

I'm working on a Python script that will kick off after a certbot renewal and use the FortiOS API to upload the certificates and replace the old certificate with the new one. I'll let you know how it goes. Also, since you can now use DNS validation and get wildcard certs, you no longer have to use a public-facing web server to do the certificate process; you just need internet access and API access to your DNS servers.