Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MarTek
New Contributor II

Lets Encrypt unable to reach domain of firewall to create certificate

 

I am using a Fortigate 40F with FortiOS 7.4.0 build 2360, and I'm looking to create a certificate for my webgui and another certificate for my web VPN via the Let's Encrypt service the firewall provides, and I'd like to configure ACME auto renewal. I purchased a domain through CloudFlare to use for the firewall, let's call it "mydomain.com". I created an A record in the CloudFlare that points mydomain.com to the public IP address of my network, which is my Fortigate unit, as it's the router.

 

However, when I try to create a certificate for mydomain.com in the GUI, under System > Certificates > Create/Import > Certificate > Use Let's Encrypt, it errors out, stating "no valid A records found for mydomain.com; no valid AAAA records found for mydomain.com".

Edit: I read the following posts prior to posting this:
1.) https://community.fortinet.com/t5/Support-Forum/fcm-models-acme-acme-Acme-Error-A-C-M-E-Certificate-...

2.) https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support 
What have I done wrong with the DNS configuration, and is there a better way to do this than I am trying?

1 Solution
hbac
Staff
Staff

Hi @MarTek

 

Can you ping mydomain.com? Does it resolve to the FortiGate's public IP address? 

 

Please make sure https and http are enabled on the wan interface and make sure port 443 is not being used for SSL VPN or GUI access. 

View solution in original post

6 REPLIES 6
hbac
Staff
Staff

Hi @MarTek

 

Can you ping mydomain.com? Does it resolve to the FortiGate's public IP address? 

 

Please make sure https and http are enabled on the wan interface and make sure port 443 is not being used for SSL VPN or GUI access. 

MarTek
New Contributor II

I tried pinging from my administrative desktop, however it is resolving internally as the local IP address from my DNS server. I'll try this in an online terminal instead. 

MarTek
New Contributor II

Update: I tried "ping mydomain.com" in a test Ubuntu terminal on onworks.net. It did not resolve, saying "unknown host". This solves at least part of the problem. Let me double check the interface settings and port settings for my VPN.

MarTek
New Contributor II

I am NOT using port 443 for my VPN. I didn't have HTTP and HTTPS enabled for the WAN interface, though. I enabled both of them, saved, and checked in the ubuntu terminal. It did not work again. I will work to resolve this issue before I continue. Thank you!

ebilcari
Staff
Staff

Basically there is a waiting time for the new DNS record to be propagated depending on the provider. In this case the DNS server of let's encrypt should have received your newly created A record before you can apply for a certificate. With FGT, only A record is needed because it will participate in the HTTP challenge.

There is also another verification method from letsencrypt based on DNS challenge (TXT records) but that's not the case here.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
MarTek
New Contributor II

Hello,

 

I have used Cloudflare at home for personal servers. I find that 5 minutes is the normal propagation time for their DNS, at least internally. 8 hours seemed more appropriate for my friends to reach the servers. I was doing this last Friday (3 days ago), and I tried again this morning, with no avail. This proves that I made a mistake with my DNS configuration. When I fix this, I will post a solution.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors