Created on 12-13-2016 12:57 AM
Do u know if it's possible to use a Let's Encrypt-generated certificate into the FortiGate for the VPN Portal?
Solved! Go to Solution.
Mhe has it right.
Natively the answer is NO, but you have ways around this. Use a linux bistro build a csr/priv-key sign the csr and then export , re-import it in fortigate.
Yes any x509 compatible certificate will work in a fortigate but the native means of "let's encrypt" make it not a 1 2 3 easy-do method.
So here's what I did using a raspberry pi, but can be easily used on other platforms...
System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem
VPN -> SSL -> Settings. Change Server Certificate.
For anyone finding this I was able to load up a CentOS 7 and used DNS verification.
wget [link]https://dl.eff.org/certbot-auto[/link] chmod a+x certbot-auto
./certbot-auto -d vpn.domain.com --manual --preferred-challenges dns certonly
It asks some questions, the end is below.
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.
Are you OK with your IP being logged? ------------------------------------------------------------------------------- (Y)es/(N)o: Y
------------------------------------------------------------------------------- Please deploy a DNS TXT record under the name _acme-challenge.vpn.domain.com with the following value:
Before continuing, verify the record is deployed. ------------------------------------------------------------------------------- Press Enter to Continue Waiting for verification... Cleaning up challenges
Obviously, before I pressed enter to continue I hopped over to my DNS provider (in my case godaddy) and created the TXT record. I also switched to a different session on the box that I'm running certbot on and made sure I could resolve the verification text, since DNS may take a bit to propagate
dig -t txt _acme-challenge.vpn.iplaybaby.com | grep "hFBS2IaC5exxxxxxxxxxxxLptVhZRSBi2_DNxrJmiAZDor8"
Then I switched back to my regular console and pressed enter, it verified and spat out my certs to /etc/letsencrypt/live/hostname/stuff
SCP'd those certs down.
Popped up the fortigate admin pane, System -> Certificates (I had to System -> Feature Visibility -> Enable Certificates and save for this to show up) -> I did Import -> Local Certificate -> Certificate. I used the Fullchain.pem (to be safe in case the fortigate didn't trust the LE CA or whatev. and the privkey)
Then I just had to go to VPN -> SSL VPN Settings -> Change the certificate
LE has some stuff around for setting up renewals too. My next venture will be seeing if I can figure out how to install the cert at the SSH of the fortigate or something. On other linux boxen I've done it with SCPing the cert to the host and then installing it. Thinking maybe I can do similar with the fortigate.
Anywho, good luck fellow interneters. and remember the wisdom of XKCD,
All long help threads should have a sticky globally-editable post at the top saying 'DEAR PEOPLE FROM THE FUTURE: Here's what we've figured out so far ...'
The problem is that they need you to use their tool, certbot and it wont run on FortiGate.
There's also a manual mode, but AFAIK you cant upload custom files neither.
What would i do? I'd set a Virtual IP on 80/443 pointing to a server under your contro, where you can run certbot. Once the VIP is active, i'd run certbot, get the certificate and then import them on FortiGate.
The problem? You would have to do this every three months.
I agreed with agent1994 and that exactly how we do it. We use a VIP that we stroke for the DNS check and then reuse that ip.addr for the SSL-TERMINATION point on a loopback,
It's a b#$#$@ that we have to do this, but we go thru the process every 3months and just take the SSLVPN for 15mins to re-import a certificate, but it works out very good for us.
So I found and tested this method.
still working on it, but it looks like I can SSH to the Fortigate and apply the SSL cert this way
just gotta work out the part about running the commands in the SSH session and passing it the certificate
if your this far, than your golden & just need to build a script and add the PEM format cat it into fgt
e.g ( my filename == LETENC)
config vpn certificate local edit fgtLetsEncrypt
set private-key "-----BEGIN PRIVATE KEY----- MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC0580JLqtyx8NY J12uvTZrYNJxyio3GmWJKvL+SPwY8c056WofC8OVOYOGCIBieb9cV87mnTQrwH/r Vk4kXJQtRru7fsW6pX0fFrAXuBluJ8F2wrN3cuxajaHlj0ZJ4eDKeOc8YiUbE9ow Wj+TpetXNKmNddCAqVJOnHrkHN5Fy4x9hUq3XroSIHHAaerwYYyZHpXkaAPnuhUZ 7Kc59dty/8dswGpy8daosPlldXlfrSJe+KkMuLY5IlkqRwyA/LQRvOY0wereI6GQ bF1Hi2GcZfnr0auzkTrF//HCcrx3dYHAZwxXkuwDQUAYehry2NGI4q0bMxkS/1hL lpkW65uZAgMBAAECggEANm50k+m17oBKt5CIsJX/9MkaKODCWPgZSu9gU8CUEdFX hbBEnPjGLXUzrLWMI5UsTdWhzGPKmct+8clzE5/DeegJfn3DcshuYFdMPqbHCAzw OhKVO0CZ+xkYeGDmrj5Hi8RbFyEUtxP/F4NgE8XdjMyso4KqbLwFpt+QXmiNPIRj ixsprTurtnLQ1sfM5+K7Q8tqnuVXPt8oawssONsL3YeXcMDn7YOIEFvJurQAEl6w 05CK07fA2ED2KixcTNtMKdBbIiqgQ78Y2mwzdEhZNFhW7uOzNXiylvCDF0zyZoN8 s/XB6a6s/hGp8QOn6FcNX01bdzJKuyEcW0zh5wPOcQKBgQDlPpggSq5paLlABr0f 9DEe7D3QaYX0fZYdHouOTo9AW+C/ht7grkus3xFPfCU6US2QSxbM0D9L3NJ4OBe6 3XwAd0ezkgZZBA3cEHnLr/30cTEgnLclvZJBSOYsz5c40u3TJVDUrNMRnqP4GgPf KfhZST8UmbzDpAPQtFLJFwpVJQKBgQDKBOzEHjtHiJb3O1kPe/4eobD6UHhUZny5 wTKNTnCoZxzjnuOD/59Gaku7OTlB5R0Ovo6gAeqGGpj9esdjfJYzPrECJxDBMaI4 Znmw8C+VU8ucIgiRPYsRHxFbOO+daCMoEDiVYZlTVySiuB2NP9J3J0meIgTNtcPA PaGbk/K0ZQKBgAkr7e4szrmM5Qx4uIxUurpf/UEfV6qmc6EKnc69ueF7S4yeGsCm eIScEBc8AklJAiepuWnMUxv347vHkrt5LQLfwtCeYP6iuOM7DYRmsCRdevexDWrH INjXz82vKH+vgLBX59n6aB9mV20PrWP6S+NWmN18IR86qqRo8n71Gwa5AoGBAMHn 8j7Yabvirk0GKRkEwWkzGAVb4fPZH5TIjTY2+UmbF46f/u+/F2lmM+S0K3JFcRuq 6olI7Yvk0b5T8Dhc6GqtnQdc6ecWNgf+zIV6NaIWeVQXErQeJ3K6qFUwFEa5Iy2c TEOOF7Z36ZFKOgtWHDwEeNQRAR1Wf1rxjUIgwxBFAoGBAJnxtzt8q7WIj1m1qZPZ QrPZEY9MfAvXsczB1DfZ7sN5TlxdHv4sbMNU4EZSvAD6xKmbnaySQ80lTKwL+TgA NSQZGZkqr431ueeEE1XXz9A4jh9Pc4svgUdp9QJNjTELEcGqjCujfBxq2EMPwINo RZw/BxTiQ96y1HkVLkIUvx2l -----END PRIVATE KEY-----"
set certificate "-----BEGIN CERTIFICATE----- MIIFezCCBGOgAwIBAgIQCVV51wmtzlQAAAAAUN85OjANBgkqhkiG9w0BAQsFADCB ujELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUVudHJ1c3QsIEluYy4xKDAmBgNVBAsT H1NlZSB3d3cuZW50cnVzdC5uZXQvbGVnYWwtdGVybXMxOTA3BgNVBAsTMChjKSAy MDEyIEVudHJ1c3QsIEluYy4gLSBmb3IgYXV0aG9yaXplZCB1c2Ugb25seTEuMCwG A1UEAxMlRW50cnVzdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEwxSzAeFw0x NzEyMDEyMDI3MDNaFw0xODEyMDEyMDU3MDJaMIGGMQswCQYDVQQGEwJVUzEOMAwG A1UECBMFVGV4YXMxDzANBgNVBAcTBkF1c3RpbjEgMB4GA1UEChMXUHVibGljIENv bnN1bHRpbmcgR3JvdXAxDDAKBgNVBAsTA1BQTDEmMCQGA1UEAxMdc2J0ZXN0LnB1 YmxpY3BhcnRuZXJzaGlwcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK AoIBAQC0580JLqtyx8NYJ12uvTZrYNJxyio3GmWJKvL+SPwY8c056WofC8OVOYOG CIBieb9cV87mnTQrwH/rVk4kXJQtRru7fsW6pX0fFrAXuBluJ8F2wrN3cuxajaHl j0ZJ4eDKeOc8YiUbE9owWj+TpetXNKmNddCAqVJOnHrkHN5Fy4x9hUq3XroSIHHA aerwYYyZHpXkaAPnuhUZ7Kc59dty/8dswGpy8daosPlldXlfrSJe+KkMuLY5Ilkq RwyA/LQRvOY0wereI6GQbF1Hi2GcZfnr0auzkTrF//HCcrx3dYHAZwxXkuwDQUAY ehry2NGI4q0bMxkS/1hLlpkW65uZAgMBAAGjggGtMIIBqTAOBgNVHQ8BAf8EBAMC BaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwMwYDVR0fBCwwKjAooCagJIYiaHR0cDov L2NybC5lbnRydXN0Lm5ldC9sZXZlbDFrLmNybDBLBgNVHSAERDBCMDYGCmCGSAGG +mwKAQUwKDAmBggrBgEFBQcCARYaaHR0cDovL3d3dy5lbnRydXN0Lm5ldC9ycGEw CAYGZ4EMAQICMGgGCCsGAQUFBwEBBFwwWjAjBggrBgEFBQcwAYYXaHR0cDovL29j c3AuZW50cnVzdC5uZXQwMwYIKwYBBQUHMAKGJ2h0dHA6Ly9haWEuZW50cnVzdC5u ZXQvbDFrLWNoYWluMjU2LmNlcjBLBgNVHREERDBCgh1zYnRlc3QucHVibGljcGFy dG5lcnNoaXBzLmNvbYIhd3d3LnNidGVzdC5wdWJsaWNwYXJ0bmVyc2hpcHMuY29t MB8GA1UdIwQYMBaAFIKicHTdvFM/z3vU981/p2DGCky/MB0GA1UdDgQWBBR5IxFF bMXRqzauIqKQ1iMnuwCd7zAJBgNVHRMEAjAAMA0GCSqGSIb3DQEBCwUAA4IBAQDO mOGvvwiNhrGuF0NTIhrBlcmaWu7Df4yHCVnFWASCkW/ueRinLrXtp2uZxRD7izJZ ffp5qzdjiROtnkm1WNpI4jhnr8w1pHTjcMgpbZm2YnCk/b1u7CBGDtXykAcdNrj1 yZNZx3QZaNZnaWNnZ40YM/+5xjK1OJtNKa8y6Mt+YuVy3BeLqK1vfw4cue0j0Nbh FbcQaTRWKtIyTu4s4fdebtsUEqwSZYxrL1l5VEuBn3l+yIBvBsWEOTEa1YjmL0Pd ReEDsIR6ZuXIVi1eX7YAIrYEp2JTvzWZYfBqOc/YsUB7J1xZQGRNRnHqK2furyko VLFU4qHPO+O6WMMFUn8z -----END CERTIFICATE-----" end
and finally you run it;
cat LETENC | email@example.com
This will copy the content into the local CERTstore priv-key and x509-cert
TIP : Also make sure you use " " for the priv-key 1st and then then the "cert". You can hack up the LETENC seedfile with sed/awk whenever your certificate and key changes and repeat every 3 months or so.
I use this same above approach when mass blasting free CAcert.org also btw.
Created on 01-25-2018 04:50 PM
Yes, it is. It is even possible with a self-signed certificate.
1- Go under: System --> Certificates then Import your certificate & CA.
2- Go under: VPN --> SSL --> Settings --> Connection Settings --> Server Certificate then choose the Let's Encrypt certificate.
I solved it by setting up a reverse proxy using Traefik and Letsencrypt to give me access to mgmt and SSL VPN through the proxy, that way I get automatically updated certificates for both services by bouncing it on the inside, can't say it's affecting performance either.