Duplicate certificate?

My domain is: www.endospecialists.com

I can login to a root shell on my machine (yes or no, or I don't know): No

I just started with Let's Encrypt and the only way I can use it is through the automatic cert creator built into the FortiOS of a Fortigate 60E firewall device. I'm a freelance IT support contractor who doesn't have access to the website domain itself.

When I attempted to create the certificate using the ACME client that is provided as part of the Fortigate device, it said the certificate failed. When I tried again, it said my domain was already in use. I'm not sure what to do. Should I separate from the Fortigate device and try to recreate the cert in Certbot?

Any help would be greatly appreciated!

Welcome to the community @bastion

That domain is set up in Cloudflare CDN. There is an HTTPS connection between the client (browser, ...) and the Cloudflare Edge. The Edge usually obtains its own cert for this purpose. This is probably the cause of your "domain in use" error. There is another HTTPS connection between the Edge and your Origin server. I am not sure where Fortigate is involved in your config but I'm guessing between the Edge and your origin server?

Cloudflare offers Origin CA certs for use in Origin servers. That may be simpler and easier than creating a Let's Encrypt cert for that purpose. I do not know how to set up one of those with Fortigate but perhaps the Fortigate forum could advise or perhaps another volunteer here might.
https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/

2 Likes

Yeah, as far as I know, your guess is right. The Fortigate is at the gateway of my client's corporate network but the website is externally hosted, so the firewall device would be between them. So I should just go to Cloudflare?

Thanks for the advice!

1 Like

Cloudflare is a good place to start.

You are in the scope of "how do I design / configure a complex setup" which is generally beyond what we address in this forum.

2 Likes

Makes sense. Just to make sure I understand, if you can tell me, is Cloudflare the reason my first certificate creation attempt via ACME failed too?

I am not familiar enough with Fortigate to know exactly why your request failed. That's a better question for their support.

But, to obtain a cert from LE you need to demonstrate control of the domain name. That domain name is currently set up in Cloudflare.

I'm not sure you even need LE involved. But you can learn more here:

2 Likes

All right, thank you!

2 Likes

If the IP returned by the FQDN is managed by CloudFlare, then you would have trouble obtaining the cert anywhere behind CloudFlare. Not to say that it is impossible, it's just not straightforward/simple.
That said, then you would have to terminate the HTTP request at the firewall for that (secondary) IP.
[which is not common practice - the FW isn't normally run as a reverse proxy]
Soooo, you definitely need to speak with both CloudFlare and Fortinet about their recommendations/best practices (first).

1 Like

You should definitely be able to pass an http-01 challenge through Cloudflare, it should be perfectly transparent.

ALPN I'd say is out of the question.

DNS validation, well, works fine on Cloudflare.

I've found that NOT to be the case; they generally redirect all HTTP to HTTPS.

1 Like

So you'd have to serve your challenge on either port 80 or 443 depending on the Cloudflare SSL settings (flexible or strict) and it can be hard to know which port beforehand (both individually, no redirects?)
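A pre-flight check for the "which port?" question above, added here as an example and not code from this thread, Let's Encrypt or Cloudflare: it starts on port 80 the way an http-01 validator does, follows whatever redirects the edge returns, and reports on which port the token finally has to be served and whether it was. The domain `example.test`, the token `tok123` and `simulated_cdn_fetch` (an edge that forces HTTPS) are constructed so the block runs offline; pass your own domain and a token placed on the origin to `trace_challenge` for a live check.

```python
# Trace where an http-01 request for <domain> ends up, so the right listener
# (port 80, or port 443 after a CDN's HTTPS redirect) can serve the token.
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 10  # assumption: cap so a redirect loop cannot run forever


def urllib_fetch(url):
    """Fetch one URL without following redirects: (status, location, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # surface 3xx as HTTPError instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=10) as r:
            return r.status, r.headers.get("Location"), r.read(4096).decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""


def trace_challenge(domain, token, fetch=urllib_fetch):
    """Follow redirects from http://<domain>/.well-known/acme-challenge/<token>.
    token_served is True when the final hop answers 200 with a body starting
    with the token (a key authorization is "<token>.<thumbprint>")."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    hops = []
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch(url)
        hops.append((url, status))
        if 300 <= status < 400 and location:
            url = urljoin(url, location)  # relative Location headers resolve too
            continue
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return {"hops": hops, "final_port": port, "status": status,
                "token_served": status == 200 and body.startswith(token)}
    return {"hops": hops, "final_port": None, "status": None,
            "token_served": False, "error": "redirect loop"}


def simulated_cdn_fetch(url):
    """Constructed stand-in for a CDN edge forcing HTTPS: 80 redirects, 443 serves."""
    if url.startswith("http://"):
        return 301, "https://" + url[len("http://"):], ""
    return 200, None, "tok123.constructed-thumbprint"
```

With the simulated edge the result shows one hop on port 80 answering 301 and the token served on port 443, which is the case the thread describes; a 200 on the first hop means port 80 alone is enough.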
