Let's Encrypt with Virtual Server
Hi
We have a Virtual Server with HTTPS only.
Now we have upgraded to 7.0.6 and I read that it should be possible to use the newly implemented ACME client.
So I tried to get an LE certificate through the GUI, but I always get the error:
Timeout during connect (likely firewall problem)
I know LE very well, and normally the verification is passed on to the web server.
So I'm confused about how the Forti will catch the LE request on port 80 and answer it correctly.
Labels: FortiGate
I haven't gotten around to testing it to confirm personally, but my impression from all the discussions I've seen so far is that the validation port must be either unused, or at most used by the admin GUI (in which case the httpsd process can decide whether a request is a Let's Encrypt validation attempt or access to the GUI). In other words, a VIP sending ports 80/443 off elsewhere will block the validation from succeeding.
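To make concrete what the validator actually asks of whatever answers on port 80, here is an added example in Python (not code from this thread, from Fortinet or from Let's Encrypt): a minimal ACME HTTP-01 responder doing what the reply above attributes to the FortiGate's httpsd (answer `/.well-known/acme-challenge/<token>` with the key authorization, 404 for everything else), a second server standing in for whatever a VIP forwards port 80 to, and the fetch a CA's validation server performs, reduced to a one-word verdict so the failure classes are visible. The account key, the token and the ports are constructed for the example, and everything runs on localhost.

```python
import base64
import hashlib
import http.client
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample ACME account key (public half, JWK form). Not a real key
# pair; for HTTP-01 only its RFC 7638 thumbprint matters.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "xjlCQEx0eW4tY29uc3RydWN0ZWQtc2FtcGxlLW1vZHVsdXM"}


def b64url(data: bytes) -> str:
    """base64url without padding, as JWS/ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required members, serialized
    as JSON with lexicographically sorted keys and no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """Body the CA expects at /.well-known/acme-challenge/<token> (RFC 8555 8.3)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    """Plays the role the reply attributes to httpsd: answer the challenge
    path for known tokens, 404 everything else."""
    challenges = {}  # token -> key authorization, filled in by start_server()

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            body = self.challenges.get(self.path[len(CHALLENGE_PREFIX):])
            if body is not None:
                return self._reply(200, body.encode("ascii"))
        self._reply(404, b"not found")

    def _reply(self, status, data):
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the example quiet
        pass


class OtherWebServer(ChallengeHandler):
    """Whatever a VIP forwards port 80 to: answers 200 with its own content,
    so the CA never sees the key authorization."""
    def do_GET(self):
        self._reply(200, b"<html>some other site</html>")


def start_server(handler, challenges=None, host="127.0.0.1"):
    """Serve `handler` on an ephemeral port in a daemon thread; returns (server, port)."""
    handler.challenges = challenges or {}
    server = HTTPServer((host, 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_http01(host, port, token, expected, timeout=3.0):
    """The fetch a CA's validation server performs, reduced to a verdict:
    'valid'; 'wrong-body' (another server answered, e.g. behind a VIP);
    'http-<status>'; 'refused' (nothing listening); 'timeout' (connection
    dropped, the symptom reported in the thread)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", errors="replace").strip()
        conn.close()
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    if resp.status != 200:
        return f"http-{resp.status}"
    return "valid" if body == expected else "wrong-body"


def run_cases():
    """Probe the three local cases side by side; returns the verdicts in order."""
    token = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed token
    expected = key_authorization(token, SAMPLE_JWK)
    fgt, fgt_port = start_server(ChallengeHandler, {token: expected})
    other, other_port = start_server(OtherWebServer)
    verdicts = (
        probe_http01("127.0.0.1", fgt_port, token, expected),      # valid
        probe_http01("127.0.0.1", fgt_port, "unknown", expected),  # http-404
        probe_http01("127.0.0.1", other_port, token, expected),    # wrong-body
    )
    fgt.shutdown()
    other.shutdown()
    return verdicts


if __name__ == "__main__":
    print(run_cases())
```

Pointing `probe_http01` at a real hostname and port 80 reproduces the CA's view of the device: a VIP forwarding port 80 to an internal web server yields `wrong-body` or `http-404`, a policy dropping the traffic yields `timeout`, and only the device answering the challenge path itself yields `valid`.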
OK, I forgot one detail.
We have a lot of public IPs.
The IP and URL which I want to use are only configured as a Virtual Server.
It is not bound to an interface.
For a plain VIP this would be a clear "not supported"; for server-load-balance VIPs (virtual servers) I would not be too sure. With that said, the documentation says "no VIPs": https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support
Well, if Virtual Servers are not supported, then this ACME integration is not really good.
I was able to use it for SSL VPN. But we have a lot of VIPs and VSs, so they should do a better implementation.
Totally agree. If ACME is suitable only for SSL VPN and the FortiGate itself, then it is almost useless.
For proper reverse-proxying, there seems to be a push towards FortiWeb or FortiADC.
FortiGate's reverse proxy (server-load-balancing VIP) is rather simple, and it would seem that ACME is intended to be used mainly for the web GUI or SSL VPN.
