Let's Encrypt unable to reach domain of firewall to create certificate
I am using a Fortigate 40F with FortiOS 7.4.0 build 2360, and I'm looking to create a certificate for my webgui and another certificate for my web VPN via the Let's Encrypt service the firewall provides, and I'd like to configure ACME auto renewal. I purchased a domain through CloudFlare to use for the firewall, let's call it "mydomain.com". I created an A record in CloudFlare that points mydomain.com to the public IP address of my network, which is my Fortigate unit, as it's the router.
However, when I try to create a certificate for mydomain.com in the GUI, under System > Certificates > Create/Import > Certificate > Use Let's Encrypt, it errors out, stating "no valid A records found for mydomain.com; no valid AAAA records found for mydomain.com".
Update: I tried "ping mydomain.com" in a test Ubuntu terminal on onworks.net. It did not resolve, saying "unknown host". This solves at least part of the problem. Let me double check the interface settings and port settings for my VPN.
I am NOT using port 443 for my VPN. I didn't have HTTP and HTTPS enabled for the WAN interface, though. I enabled both of them, saved, and checked in the Ubuntu terminal. It did not work again. I will work to resolve this issue before I continue. Thank you!
Basically there is a waiting time for the new DNS record to be propagated, depending on the provider. In this case the DNS server of Let's Encrypt should have received your newly created A record before you can apply for a certificate. With FGT, only an A record is needed because it will participate in the HTTP challenge.
There is also another verification method from Let's Encrypt based on the DNS challenge (TXT records), but that's not the case here.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
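An added pre-flight check for the conditions the answer above describes (not from this thread or from Fortinet): it resolves the name the way an outside client would and confirms that the A record points at the firewall's WAN address, which is what the HTTP challenge needs. The WAN address 203.0.113.10 used in the comments is constructed, and the resolver hook is an assumption so the check can be exercised without network access.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Resolver hook: domain -> list of (rrtype, address), rrtype is "A" or "AAAA".
# Injectable so the logic can be exercised with constructed records (no network).
Resolver = Callable[[str], List[Tuple[str, str]]]

def resolve_public(domain: str) -> List[Tuple[str, str]]:
    """Default resolver: the host's own DNS via getaddrinfo.
    Run it from OUTSIDE the LAN; a local hosts entry or split DNS would hide a
    record that Let's Encrypt cannot see."""
    try:
        infos = socket.getaddrinfo(domain, None)
    except socket.gaierror:
        return []
    family_name = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}
    return [(family_name[i[0]], i[4][0]) for i in infos if i[0] in family_name]

def acme_preflight(domain: str, wan_ip: str,
                   resolve: Resolver = resolve_public) -> Dict[str, object]:
    """Reproduce the two checks that matter before asking FortiGate for a
    Let's Encrypt certificate: the name must resolve publicly, and the record
    must point at the firewall's WAN IP so the HTTP challenge reaches the unit."""
    records = resolve(domain)
    a = sorted({addr for rr, addr in records if rr == "A"})
    aaaa = sorted({addr for rr, addr in records if rr == "AAAA"})
    problems: List[str] = []
    if not a and not aaaa:
        # Same state the GUI reports as "no valid A records found ...
        # no valid AAAA records found": record missing or not yet propagated.
        problems.append("no A or AAAA records visible from this resolver")
    elif wan_ip not in a and wan_ip not in aaaa:
        # Name resolves, but the challenge would land on some other host.
        problems.append(f"records {a + aaaa} do not include WAN IP {wan_ip}")
    return {"domain": domain, "a": a, "aaaa": aaaa,
            "ok": not problems, "problems": problems}

if __name__ == "__main__":
    # Example run against a constructed WAN IP; replace with your own values.
    print(acme_preflight("mydomain.com", "203.0.113.10"))
```

Run it from a host outside your network (as the poster did with an external Ubuntu shell); an empty record list means you are still waiting on propagation, a mismatch means the A record points somewhere other than the firewall.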
I have used Cloudflare at home for personal servers. I find that 5 minutes is the normal propagation time for their DNS, at least internally. 8 hours seemed more appropriate for my friends to reach the servers. I was doing this last Friday (3 days ago), and I tried again this morning, to no avail. This proves that I made a mistake with my DNS configuration. When I fix this, I will post a solution.