I am using a FortiGate 40F with FortiOS 7.4.0 build 2360, and I'm looking to create a certificate for my web GUI and another certificate for my web VPN via the Let's Encrypt service the firewall provides, and I'd like to configure ACME auto-renewal. I purchased a domain through CloudFlare to use for the firewall, let's call it "mydomain.com". I created an A record in CloudFlare that points mydomain.com to the public IP address of my network, which is my FortiGate unit, as it's the router.
However, when I try to create a certificate for mydomain.com in the GUI, under System > Certificates > Create/Import > Certificate > Use Let's Encrypt, it errors out, stating "no valid A records found for mydomain.com; no valid AAAA records found for mydomain.com".
Edit: I read the following posts prior to posting this:
1.) https://community.fortinet.com/t5/Support-Forum/fcm-models-acme-acme-Acme-Error-A-C-M-E-Certificate-...
2.) https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support
What have I done wrong with the DNS configuration, and is there a better way to do this than I am trying?
Hi @MarTek,
Can you ping mydomain.com? Does it resolve to the FortiGate's public IP address?
Please make sure HTTPS and HTTP are enabled on the WAN interface, and make sure port 443 is not being used for SSL VPN or GUI access.
I tried pinging from my administrative desktop, however it is resolving internally as the local IP address from my DNS server. I'll try this in an online terminal instead.
Update: I tried "ping mydomain.com" in a test Ubuntu terminal on onworks.net. It did not resolve, saying "unknown host". This solves at least part of the problem. Let me double check the interface settings and port settings for my VPN.
I am NOT using port 443 for my VPN. I didn't have HTTP and HTTPS enabled for the WAN interface, though. I enabled both of them, saved, and checked in the Ubuntu terminal. It did not work again. I will work to resolve this issue before I continue. Thank you!
Basically, there is a waiting time for the new DNS record to be propagated, depending on the provider. In this case the DNS server of Let's Encrypt should have received your newly created A record before you can apply for a certificate. With FGT, only an A record is needed because it will participate in the HTTP challenge.
There is also another verification method from Let's Encrypt based on a DNS challenge (TXT records), but that's not the case here.
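To see the A record the way Let's Encrypt's validation servers will see it, rather than the internal answer the poster's own DNS server returned, this added example (not from the thread or from Fortinet) sends a hand-built DNS query straight to public resolvers and compares the answer with the firewall's WAN address. The resolver addresses 1.1.1.1 and 8.8.8.8, the script name and the 203.0.113.10 WAN address are assumed placeholder values.

```python
import secrets
import socket
import struct
import sys

def build_a_query(name, txid):
    # Header: id, flags (RD set), QDCOUNT=1, AN/NS/ARCOUNT=0; then QNAME, QTYPE=A, QCLASS=IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a domain name; a 0xC0 compression pointer is two bytes and ends the name.
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg, txid):
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != txid or flags & 0xF:  # bad id, or RCODE != 0 (3 = NXDOMAIN: record not published yet)
        raise ValueError(f"bad DNS reply: id={rid:#x} rcode={flags & 0xF}")
    off = 12
    for _ in range(qd):  # skip the echoed question section (name + type + class)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAME/AAAA RDATA is skipped over
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_a(name, resolver="1.1.1.1", timeout=3.0):
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_records(data, txid)

if __name__ == "__main__":  # e.g. python3 acme_dns_check.py mydomain.com 203.0.113.10 (placeholders)
    name, wan_ip = sys.argv[1:3]
    for res in ("1.1.1.1", "8.8.8.8"):  # public resolvers, bypassing the internal DNS server
        got = resolve_a(name, res)
        print(res, got, "OK" if got == [wan_ip] else "MISMATCH: HTTP-01 validation will fail")
```

Run it from any host; an NXDOMAIN error or an empty list means the CloudFlare record has not propagated yet, and an address other than the WAN IP means the HTTP-01 request will never reach the FortiGate.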
Hello,
I have used Cloudflare at home for personal servers. I find that 5 minutes is the normal propagation time for their DNS, at least internally. 8 hours seemed more appropriate for my friends to reach the servers. I was doing this last Friday (3 days ago), and I tried again this morning, to no avail. This proves that I made a mistake with my DNS configuration. When I fix this, I will post a solution.
Copyright 2024 Fortinet, Inc. All Rights Reserved.