Alby23
Contributor II

Let's Encrypt and FortiGate

Do you know if it's possible to use a Let's Encrypt-generated certificate in the FortiGate for the VPN portal?

5 Solutions
mhe
Contributor

No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use startssl

emnoc
Esteemed Contributor III

Mhe has it right.

Natively the answer is NO, but you have ways around this. Use a Linux distro, build a CSR/private key, sign the CSR, and then export and re-import it in the FortiGate.

Yes, any X.509-compatible certificate will work in a FortiGate, but the native means of "Let's Encrypt" make it not a 1-2-3 easy-do method.

PCNSE 

NSE 

StrongSwan  

NeilG

The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is 90 days.

"Our certificates are valid for 90 days. You can read about why here."

https://letsencrypt.org/docs/faq/

-N

jtfinley

So here's what I did using a Raspberry Pi, but it can easily be used on other platforms...

1. Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80 and tcp/443 open. (Raspberry Pi - used CertBot)
2. Temporarily point a DNS A or CNAME record of your SSL VPN at the box (Raspberry Pi) you're going to run letsencrypt on.
3. Once it pulls dependencies, run letsencrypt using the example below:

   ./certbot-auto certonly --standalone -d vpn.yoursite.com -d

4. Change DNS records if required by pointing your DNS A record back at your SSL VPN IP.
5. Grab your pems from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem).

FortiGate:

1. System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem.
2. VPN -> SSL -> Settings. Change Server Certificate.
3. Repeat the process every 90 days.
4. Set up a cron job to renew it.
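As an added example (not jtfinley's script and not Fortinet code), a certbot deploy hook that automates the two FortiGate steps above: it pushes the renewed cert.pem/privkey.pem to the FortiGate over its REST API as a new, date-stamped local certificate and then switches the SSL VPN server certificate to it, so the 90-day cycle needs no manual import. The REST paths, JSON field names, the 35-character name limit and the FORTIGATE_URL/FORTIGATE_TOKEN variables are assumptions to verify against your FortiOS version; the token should belong to a REST-API admin restricted to trusted hosts.

```python
import base64
import datetime
import json
import os
import ssl
import urllib.request

# Assumed FortiOS REST paths and certificate-name limit; verify for your version.
IMPORT_PATH = "/api/v2/monitor/vpn-certificate/local/import"
SSLVPN_SETTINGS_PATH = "/api/v2/cmdb/vpn.ssl/settings"
NAME_LIMIT = 35

def cert_name(prefix, stamp=None):
    """Date-stamped name (YYYYMMDD), so each renewal is a new object and the one in use is never overwritten."""
    stamp = stamp or datetime.date.today().strftime("%Y%m%d")
    return (prefix + "-" + stamp)[:NAME_LIMIT]

def build_import_payload(name, cert_pem, key_pem):
    """Local-certificate import body; the import API takes base64 file contents, not paths."""
    if "BEGIN CERTIFICATE" not in cert_pem or "PRIVATE KEY" not in key_pem:
        raise ValueError("cert.pem/privkey.pem do not look like PEM files")
    return {"type": "regular", "certname": name, "scope": "global",
            "file_content": base64.b64encode(cert_pem.encode()).decode(),
            "key_file_content": base64.b64encode(key_pem.encode()).decode()}

def build_sslvpn_payload(name):
    """VPN -> SSL -> Settings: point 'Server Certificate' at the new object."""
    return {"servercert": name}

def api_call(base_url, token, method, path, body):
    """One authenticated REST call; TLS verification stays on via the default context."""
    req = urllib.request.Request(
        base_url + path, method=method, data=json.dumps(body).encode(),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def deploy(live_dir, base_url, token, prefix="le-sslvpn"):
    """certbot --deploy-hook entry: live_dir is the RENEWED_LINEAGE directory certbot exports."""
    with open(os.path.join(live_dir, "cert.pem")) as c, \
            open(os.path.join(live_dir, "privkey.pem")) as k:
        cert_pem, key_pem = c.read(), k.read()
    name = cert_name(prefix)
    api_call(base_url, token, "POST", IMPORT_PATH, build_import_payload(name, cert_pem, key_pem))
    api_call(base_url, token, "PUT", SSLVPN_SETTINGS_PATH, build_sslvpn_payload(name))
    return name

if __name__ == "__main__":  # cron: certbot renew --deploy-hook "python3 this_script.py"
    deploy(os.environ["RENEWED_LINEAGE"], os.environ["FORTIGATE_URL"], os.environ["FORTIGATE_TOKEN"])
```

certbot also writes fullchain.pem; if your FortiGate accepts a PEM bundle, importing that instead of cert.pem supplies the intermediate CA that clients need to build the chain.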

TecnetRuss

Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0. New Features | FortiGate / FortiOS 7.0.0 | Fortinet Documentation Library

Russ NSE7

beltskyy
New Contributor II

Would you suggest how to proceed if my port 80 is redirected to another server, or blocked for security reasons? Can I use DNS authentication instead? If yes, please tell me where I can get the necessary string for adjusting my DNS zone for successful auto-renewal.
TecnetRuss

I can only comment on the new native FortiOS 7.0 LetsEncrypt/ACME2 implementation. Based on the available documentation, automation only seems to support HTTP/HTTPS verification, which makes sense given that the FortiGate wouldn't have any native way to insert or update public DNS records as required for DNS verification - at least not a way that would work broadly for all customers and the many, many public DNS hosting vendors that are out there.

To use DNS verification you'd probably have to go with one of the custom scripted solutions earlier in this thread and tailor it to your public DNS host.

Russ

NSE7

beltskyy
New Contributor II

TecnetRuss wrote:
I can only comment on the new native FortiOS 7.0 LetsEncrypt/ACME2 implementation. Based on the available documentation, automation only seems to support HTTP/HTTPS verification, which makes sense given that the FortiGate wouldn't have any native way to insert or update public DNS records as required for DNS verification - at least not a way that would work broadly for all customers and the many, many public DNS hosting vendors that are out there. To use DNS verification you'd probably have to go with one of the custom scripted solutions earlier in this thread and tailor it to your public DNS host. Russ NSE7

Could you please tell me where I can get such scripted solutions? Thank you!

beltskyy
New Contributor II

I've just upgraded now to 7.0.2 and found that the process of getting an ACME certificate has changed. Now I can get a certificate easily, but I am always getting a STAGING certificate.

I also tried to check the issued certificate, and it showed an incomplete status.

I even added a DNS CAA record in my zone and tried to reissue, but it didn't help. I think it's because this feature is still under development by FG and there is a way to change the staging environment to production. Could you please advise me how to get a normal certificate?

beltskyy
New Contributor II

I think the reason is that the ACME server used for issuing the certificate is STAGING, and I found where to set its variable (set acme-ca-url {string}). Possibly I can change it, but could you please help me do it the proper way, because I am a newbie in the FG CLI.

vusal_d
New Contributor

Yes

I did that and it works well

beltskyy
New Contributor II

vusal.d wrote:

Yes

I did that and it works well

Could you please be so kind and show the right steps to change the staging ACME server? Thanks a lot!