This article describes how to resolve issues with Let’s Encrypt certificate auto-renewal.
Scope: FortiGate, Let's Encrypt certificates, ACME certificates.
ACME certificate support is a new feature introduced in FortiOS 7.0.
There are three requirements for Let's Encrypt certificate auto-renewal:
If SSL-VPN is enabled on the FortiGate and the ACME listening interface is the same interface SSL-VPN listens on, an additional requirement applies to avoid a port conflict: the ACME client must be able to answer the Let's Encrypt HTTP-01 challenge on that interface, and SSL-VPN on its default port 443 (and, with https-redirect enabled, its port 80 redirector) occupies the same ports.
Either disable https-redirect in the SSL-VPN settings, or change the SSL-VPN port from 443 to a non-default port, so that SSL-VPN no longer collides with the ports the ACME client uses on that interface.
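The following CLI block is an added example, not taken from the original article. It applies both fixes at once: https-redirect is disabled (freeing port 80 for the HTTP-01 challenge) and SSL-VPN is moved to 10443 (freeing port 443 on the interface). The port number 10443 is an assumption; pick any unused port, and remember that SSL-VPN clients and any published links must then use the new port.

```text
config vpn ssl settings
    # Stop SSL-VPN from binding port 80 for its HTTP-to-HTTPS redirect
    set https-redirect disable
    # Move SSL-VPN off 443; 10443 is an assumed free port
    set port 10443
end
```

After the change, the ACME client can be restarted with diagnose sys acme restart and the renewal state checked with diagnose sys acme status-full <Certificate's CN domain>.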
If all of the requirements described above have been satisfied but the certificate is still not auto-renewing, run the following commands on the FortiGate. If the FortiGate is part of an HA cluster, run them on every cluster member:
diagnose sys acme regenerate-client-config
get vpn certificate local details <Local certificate name>
diagnose sys acme status-full <Certificate’s CN domain>
To change the ACME listening interface and/or the source IP used for the ACME exchange:
config system acme
    set interface <interface-name>
    set source-ip <ipv4-address>
end
Optionally, increase the renewal window (acme-renew-window, set per certificate under config vpn certificate local). By default, acme-renew-window is 30.
This means the ACME client starts attempting renewal 30 days before the certificate expires, not 30 days after it was issued.
Sample commands whose output confirms that the ACME certificate has been renewed:
get vpn certificate local details acme-cert
diagnose sys acme status-full test.ftntlab.de
In FortiOS 7.2.6, a renewal can be forced from the CLI by changing the RSA key size of the ACME certificate entry, which causes a fresh enrollment:
config vpn certificate local
    edit <Local certificate name>
        set acme-rsa-key-size 4096
    next
end
Afterwards, restart the ACME process with the following command:
diagnose sys acme restart
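As an added example that ties together the settings discussed above (ACME interface and source IP, the renewal window, the RSA key size, and the restart and status commands), here is a complete ACME certificate configuration. It is not from the original article. The certificate name acme-cert and the domain test.ftntlab.de are the ones used in the article's sample commands; the interface name wan1, the source IP 203.0.113.10, the contact e-mail address and the renewal window of 45 days are assumptions chosen for illustration.

```text
# Bind the ACME client to the Internet-facing interface (assumed: wan1)
# and pin the source address it uses (assumed: 203.0.113.10)
config system acme
    set interface "wan1"
    set source-ip 203.0.113.10
end

# Certificate entry enrolled through ACME (Let's Encrypt)
config vpn certificate local
    edit "acme-cert"
        set enroll-protocol acme2
        set acme-domain "test.ftntlab.de"
        set acme-email "admin@ftntlab.de"
        # 4096-bit RSA key; changing this value forces a fresh enrollment
        set acme-rsa-key-size 4096
        # Start renewal 45 days before expiry instead of the default 30
        set acme-renew-window 45
    next
end

# Re-read the configuration and check the renewal state
diagnose sys acme restart
diagnose sys acme status-full test.ftntlab.de
get vpn certificate local details acme-cert
```

The DNS A record for test.ftntlab.de must resolve to the address on wan1, and nothing else (SSL-VPN, a virtual server, or an administrative listener) may occupy the HTTP-01 challenge ports on that interface, otherwise status-full will keep reporting a failed challenge.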