FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pachavez
Staff
Staff
Article Id 245610
Description

This article describes how to resolve issues with Let’s Encrypt certificate auto-renewal.

Scope FortiGate, Let's Encrypt Certificates, ACME certificate.
Solution

ACME certificate support is a new feature introduced in FortiOS 7.0.

 

There are 3 requirements for the Let's Encrypt certificate auto renewal:

 

If SSL-VPN is enabled on the FortiGate and the ACME listening interface is the same as the SSL-VPN port, additional requirements must be applied to avoid port conflict.

 

Disable https-redirect settings on the SSL-VPN settings or change SSL-VPN port 443 to a non-default port so it does not conflict with the ACME port 443.


config vpn ssl settings
    set https-redirect disable   <- Disable https-redirect so ACME so SSL-VPN will be able to use the same port 443.
    set port 10443 <- Alternatively, change the SSL-VPN port to a different port.
end

 

Related article:

Technical Tip: ACME certificate enrollment with SSL VPN.

 

If all of the requirements described above have been satisfied but the certificate auto-renewal is still not taking place, run the following commands in FortiGate. If FortiGate is set up in HA, run the following commands on all HA cluster members:

 

  1. Check ACME status :


get system acme status
get system acme acc-details

 

  1. To force config regeneration and certificate renewal:

 

diagnose sys acme regenerate-client-config
diagnose sys acme restart

 

  1. Wait 2-3 minutes, and check the certificate status:

 

get vpn certificate local details <Local certificate name>

diagnose sys acme status-full <Certificate’s CN domain>

 

To change the ACME listening interface/source-ip:

 

config system acme

    set interface <interface-name>

    set source-ip <ipv4-address>

end

 

Increase window size (acme-renew-window) for ACME renewal. By default, the acme-renew-window settings is set to 30:


config vpn certificate local
    edit <ACME_certificate_name>
        set acme-renew-window 30
    end

 

This means that the ACME certificate will renew 30 days before expiration, not after 30 days.
Let's Encrypt issues certificates that last 90 days, for example, to renew after 30 days neded to change the renew window value to 60:

Use the following commands to increase the window size for ACME renewal:


config vpn certificate local
  edit <ACME_certificate_name>
        set acme-renew-window 1
    end

 

Sample output when the ACME certificate is renewed:

 

get vpn certificate local details acme-cert
== [ acme-cert ]
Name: acme-cert
Subject: CN = test.ftntlab.de
Issuer: C = US, O = Let's Encrypt, CN = R3
Valid from: 2023-02-13 05:00:45 GMT
Valid to: 2023-05-14 05:00:44 GMT

Fingerprint: 9A:03:0F:41:29:D7:01:45:04:F3:16:C0:BD:63:A2:DB
Serial Num: 03:d3:55:80:d2:e9:01:b4:ca:80:3f:2e:fc:24:65:ad:7c:0c

ACME details:
Status: The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.
Staging status: Nothing in staging

 

diagnose sys acme status-full test.ftntlab.de
{
"name": "test.ftntlab.de",
"finished": true,
"notified": false,
"next-run": "Mon, 13 Feb 2023 20:51:14 GMT",
"last-run": "Mon, 13 Feb 2023 06:00:37 GMT",
"valid-from": "Mon, 13 Feb 2023 20:51:14 GMT",
"errors": 0,
"last": {
"status": 0,
"detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on.",
"valid-from": "Mon, 13 Feb 2023 20:51:14 GMT"
},
"log": {
"entries": [
{
"when": "Mon, 13 Feb 2023 06:00:46 GMT",
"type": "finished"
},
{
"when": "Mon, 13 Feb 2023 06:00:46 GMT",
"type": "progress",
"detail": "The certificate for the managed domain has been renewed successfully and can be used from Mon, 13 Feb 2023 20:51:14 GMT on."
},
{
"when": "Mon, 13 Feb 2023 06:00:46 GMT",
"type": "progress",
"detail": "Retrieving certificate chain for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Waiting for finalized order to become valid"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Submitting CSR to CA for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Creating CSR for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:45 GMT",
"type": "progress",
"detail": "Finalizing order for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:44 GMT",
"type": "progress",
"detail": "Waiting for order to become ready"
},
{
"when": "Mon, 13 Feb 2023 06:00:44 GMT",
"type": "progress",
"detail": "Monitoring challenge status for test.ftntlab.de: domain authorization for test.ftntlab.de is valid"
},
{
"when": "Mon, 13 Feb 2023 06:00:41 GMT",
"type": "progress",
"detail": "Monitoring challenge status for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:41 GMT",
"type": "progress",
"detail": "Setting up challenge 'http-01' for domain test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:40 GMT",
"type": "progress",
"detail": "Starting challenges for domains"
},
{
"when": "Mon, 13 Feb 2023 06:00:39 GMT",
"type": "progress",
"detail": "Creating new order"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Creating new ACME account for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Selecting account to use for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Driving ACME protocol for renewal of test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Resetting staging for test.ftntlab.de"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Contacting ACME server for test.ftntlab.de at https://acme-v02.api.letsencrypt.org/directory"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Assessing current status"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Resetting staging area"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "progress",
"detail": "Checking staging area"
},
{
"when": "Mon, 13 Feb 2023 06:00:37 GMT",
"type": "starting"
}
]
}
}

 

In FortiOS version 7.2.6, run the following configuration in the CLI to renew the certificate:

 

config vpn certificate local

edit <acme_cert>

set acme-rsa-key-size 4096

end

end

 

After, restart the ACME process with the following command:

 

diagnose sys acme restart

 

Related articles:

Technical Tip: Expiring Let’s Encrypt Certificates.

ACME certificate support.

ACME certificate support.