I just wonder how one would or could implement a WAF URL filter (?) with Fortigate board utilities for Let's Encrypt renewals? That is, how would a policy have to be set up to allow Let's Encrypt to access an internal web server to get the renewal token as per the HTTP-01 challenge?
Some time ago, I played around with a Web Profile that would only allow the regex
.*\/.well-known\/acme-challenge\/.*
I never got it working reliably, so I basically turned to Fortigate's own Let's Encrypt method.
However, I still have some cases where a policy that would allow port 80 for renewals, with proper restrictions, would help.
For example, my (not really working) example policy is allowing HTTP access to an internal machine for that renewal, but only allowing it from "acme-v02.api.letsencrypt.org" and with a web filter that allows only
.*\/.well-known\/acme-challenge\/.*
It does not really work.
If someone has (for educational purposes) a complete example that works, I would appreciate it.
Dan
Hello @dan,
Can you create an address object for the Let's Encrypt server and try to create a URL filter with allow .*\/.well-known\/acme-challenge\/.* and add it to the firewall policy?
That is what I have done, described in my post.
And that's what did not work...
That is why I ask.
How to allow Let's Encrypt traffic through the FortiGate to devices located behind the FortiGate - "For the HTTP-01 challenge, it is possible to add additional protection by configuring a Web Application Firewall (WAF) profile on the FortiGate"
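To see what the allow-regex quoted in this thread actually lets through compared with a tighter, anchored version, here is an added example (my own code, not from any of the posters or from Fortinet) that emulates an allow-only URL filter over constructed request paths; it assumes search-style regex matching and uses the base64url token alphabet that ACME HTTP-01 tokens are drawn from.

```python
import re

# Allow-regex exactly as quoted in the thread (unanchored; the dot in
# ".well-known" is not escaped). FortiGate URL-filter regex semantics are
# assumed here to be search-style, i.e. a match anywhere in the path counts.
THREAD_PATTERN = r".*\/.well-known\/acme-challenge\/.*"

# Tightened variant suggested here (not from the thread): anchored, dot escaped,
# token limited to the base64url alphabet ACME uses for HTTP-01 tokens.
STRICT_PATTERN = r"^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$"

# Constructed sample request paths an internal web server might see on port 80.
SAMPLE_PATHS = [
    "/.well-known/acme-challenge/LoqXcYV8q5ONbJQxbmR7SCTNo3tiAXDfowyjxAjEuX0",  # genuine challenge
    "/index.html",                                   # ordinary page, must stay blocked
    "/Xwell-known/acme-challenge/abc",               # unescaped '.' also matches this
    "/.well-known/acme-challenge/abc/def",           # trailing '.*' allows extra segments
    "/app/.well-known/acme-challenge/abc",           # leading '.*' allows any prefix
]


def url_filter_decision(path: str, pattern: str) -> str:
    """Emulate an allow-only URL filter: 'allow' when the regex matches, else 'block'."""
    return "allow" if re.search(pattern, path) else "block"


def compare_filters(paths=SAMPLE_PATHS):
    """Return {path: (thread_decision, strict_decision)} for each sample path."""
    return {
        p: (url_filter_decision(p, THREAD_PATTERN), url_filter_decision(p, STRICT_PATTERN))
        for p in paths
    }


def overmatched_paths(paths=SAMPLE_PATHS):
    """Paths the thread's regex allows but the strict one blocks: the filter's slack."""
    return [p for p, (loose, strict) in compare_filters(paths).items()
            if loose == "allow" and strict == "block"]


if __name__ == "__main__":
    for path, (loose, strict) in compare_filters().items():
        print(f"{path:<75} thread={loose:<5} strict={strict}")
```

Both patterns pass the genuine challenge request, so the HTTP-01 flow keeps working; the strict one simply stops matching anything else. Note that Let's Encrypt validates from several vantage points and does not publish fixed source addresses, so the path filter, not a source-address restriction to the API hostname, is the control that can be relied on.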