- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Lets Encrypt unable to reach domain of firewall to...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lets Encrypt unable to reach domain of firewall to create certificate
I am using a Fortigate 40F with FortiOS 7.4.0 build 2360, and I'm looking to create a certificate for my webgui and another certificate for my web VPN via the Let's Encrypt service the firewall provides, and I'd like to configure ACME auto renewal. I purchased a domain through CloudFlare to use for the firewall, let's call it "mydomain.com". I created an A record in the CloudFlare that points mydomain.com to the public IP address of my network, which is my Fortigate unit, as it's the router.
However, when I try to create a certificate for mydomain.com in the GUI, under System > Certificates > Create/Import > Certificate > Use Let's Encrypt, it errors out, stating "no valid A records found for mydomain.com; no valid AAAA records found for mydomain.com".
Edit: I read the following posts prior to posting this:
1.) https://community.fortinet.com/t5/Support-Forum/fcm-models-acme-acme-Acme-Error-A-C-M-E-Certificate-...
2.) https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support
What have I done wrong with the DNS configuration, and is there a better way to do this than I am trying?
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MarTek,
Can you ping mydomain.com? Does it resolve to the FortiGate's public IP address?
Please make sure https and http are enabled on the wan interface and make sure port 443 is not being used for SSL VPN or GUI access.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @MarTek,
Can you ping mydomain.com? Does it resolve to the FortiGate's public IP address?
Please make sure https and http are enabled on the wan interface and make sure port 443 is not being used for SSL VPN or GUI access.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried pinging from my administrative desktop, however it is resolving internally as the local IP address from my DNS server. I'll try this in an online terminal instead.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update: I tried "ping mydomain.com" in a test Ubuntu terminal on onworks.net. It did not resolve, saying "unknown host". This solves at least part of the problem. Let me double check the interface settings and port settings for my VPN.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am NOT using port 443 for my VPN. I didn't have HTTP and HTTPS enabled for the WAN interface, though. I enabled both of them, saved, and checked in the ubuntu terminal. It did not work again. I will work to resolve this issue before I continue. Thank you!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically there is a waiting time for the new DNS record to be propagated depending on the provider. In this case the DNS server of let's encrypt should have received your newly created A record before you can apply for a certificate. With FGT, only A record is needed because it will participate in the HTTP challenge.
There is also another verification method from letsencrypt based on DNS challenge (TXT records) but that's not the case here.
- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
If you have found a solution, please like and accept it to make it easily accessible for others.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I have used Cloudflare at home for personal servers. I find that 5 minutes is the normal propagation time for their DNS, at least internally. 8 hours seemed more appropriate for my friends to reach the servers. I was doing this last Friday (3 days ago), and I tried again this morning, with no avail. This proves that I made a mistake with my DNS configuration. When I fix this, I will post a solution.
Related Posts
Labels
-
FortiGate
6,531 -
FortiClient
1,303 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
60 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.