Error: Failed to connect to x.x.x.x:443 for TLS-SNI-01 challenge

No, that is because you've entered an IP address in the address bar (and not a hostname) and that IP address isn't present in the certificate. As long as you don't enter a hostname present in the certificate, a browser will complain. That's the whole idea of HTTPS :wink:

Right, Let’s Encrypt certificates are never expected to be accepted if presented to a client that accessed the site directly by IP address, instead of using a domain name. The certificates only certify the association between DNS names and cryptographic keys, not between IP addresses and cryptographic keys. Thus, if you’re not using the DNS names, the certificate doesn’t offer information that the client can confirm matches the identity of the host it’s connecting to.

This might sometimes be different with some certificates from some other CAs, but our certificates’ behavior in this regard is definitely the more common behavior overall!
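The two replies above come down to one check a browser performs before it shows a padlock: the name the user typed must match a Subject Alternative Name in the certificate, and an IP address only matches an IP-address SAN, never a DNS-name SAN. The following Python is an added example of that matching rule (a simplified RFC 6125 matcher, written for this thread and not taken from any browser or from Let's Encrypt's code). The SAN lists and the 203.0.113.10 address are constructed; the domain names are the ones discussed in the thread.

```python
import ipaddress
from typing import List, Tuple

# A certificate's SANs as (type, value) pairs.  A Let's Encrypt certificate
# for this site would carry only DNS entries, as in SITE_SANS (constructed).
SITE_SANS: List[Tuple[str, str]] = [("DNS", "elearning.univ-bejaia.dz")]
WILDCARD_SANS: List[Tuple[str, str]] = [("DNS", "*.univ-bejaia.dz")]
IP_SANS: List[Tuple[str, str]] = [("IP", "203.0.113.10")]  # constructed, TEST-NET-3


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN against the requested host (RFC 6125 style).

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard is
    honoured only as the complete left-most label ('*.example.org'), it must
    leave at least two fixed labels, and it never matches across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # reject 'foo*.example.org' and '*.dz' forms
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def name_matches(sans: List[Tuple[str, str]], requested: str) -> bool:
    """Return True if the name the client connected with is certified by the SANs.

    If the client used a literal IP address, only an 'IP' SAN can match it;
    a DNS SAN never matches an address, which is why typing https://x.x.x.x
    produces a warning even when the certificate itself is valid.
    """
    try:
        requested_ip = ipaddress.ip_address(requested)
    except ValueError:
        requested_ip = None  # not an address, so treat it as a hostname

    for kind, value in sans:
        if kind == "IP" and requested_ip is not None:
            if ipaddress.ip_address(value) == requested_ip:
                return True
        elif kind == "DNS" and requested_ip is None:
            if _dns_name_match(value, requested):
                return True
    return False


if __name__ == "__main__":
    for host in ("elearning.univ-bejaia.dz", "203.0.113.10", "logitheque.univ-bejaia.dz"):
        print(f"{host:30s} -> {'match' if name_matches(SITE_SANS, host) else 'MISMATCH'}")
```

The third check in the demo is the same reason the later question in this thread has the answer it has: a certificate for elearning.univ-bejaia.dz does not cover logitheque.univ-bejaia.dz, so the second site needs its own certificate or a SAN of its own.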

OK, then I will ask the DNS manager to point the IP address to HTTPS to see what it gives.

The DNS manager showed me the DNS configuration and I saw this line:

Elearning IN A x.x.x.x (my local IP address)

The DNS was already pointing to the server long before I was using Let’s Encrypt. I misunderstood: I thought we should configure HTTPS in the DNS, but the DNS manager told me that the DNS has nothing to do with HTTPS.

Do I need to add the Let’s Encrypt certificate to the Fortiweb?

That totally depends on the actual function of the Fortiweb firewall. Does it play an active role in terminating connections? Or is it used as a passive firewall, just letting stuff through to the one server behind it and blocking unwanted connections? Or is it also used as a load balancer between multiple webservers?

The fact that a web browser will end up on your "E - Learning" site when accepting the Fortiweb certificate indicates that, apart from the certificate issue, the Fortiweb is properly configured. Just not for TLS.

Edit:
Ah, the FortiWeb supports "SSL offloading":

Blazing Fast SSL Offloading
FortiWeb is able to process up to tens of thousands of web transactions by providing hardware accelerated SSL offloading in most models. With near real-time decryption and encryption using ASIC-based chipsets, FortiWeb can easily detect threats that target secure applications.

That's probably the reason it presents the FortiWeb certificate. Unfortunately, I can't find a comprehensive manual for the FortiWeb, so you're on your own for that I'm afraid.

I found a document on the Internet here that I am reading now. From what I understood on page 298, I have to upload the Let’s Encrypt certificate in Fortiweb so that Fortiweb accepts this certificate, because it doesn’t accept all CAs' certificates, but only those in its store.

In any case I will continue reading and I will see.

Thanks a lot for all this information.

The part after “Uploading trusted CAs’ certificates” on the bottom of page 298 is for client certificate authentication!

You should read the whole bunch of text from “Secure connections (SSL/TLS)”, page 295, and onward. You’ll have to choose between “SSL offloading” and “SSL inspection”. See “How to offload or inspect HTTPS” on page 301 for more info.


OK, I will. Thank you.

Is Let’s Encrypt a root CA or an intermediate CA?
For me Let’s Encrypt is an intermediate CA and the intermediaries (if we can say that) are:
TrustID Server CA A52
and
IdenTrust Commercial Root CA 1

Isn’t it?

I need to know that before uploading the server certificate in Fortiweb.

Let's Encrypt is an intermediate CA. For most users, the intermediate certificate is

https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

which contains X509 data identifying

   Issuer: O=Digital Signature Trust Co., CN=DST Root CA X3
   Subject: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3

You shouldn't use the certificate on https://letsencrypt.org/ itself as your example because that certificate, as it happens, is not issued by Let's Encrypt.

Hello,

I have to upload in Fortiweb the certificate of my server and the certificate of the intermediate CA that signed my certificate (i.e. Let’s Encrypt).

You gave me the certificate of Let’s Encrypt, that’s good, thank you.

Now, where can I find the certificate of my own server signed by Let’s Encrypt? I uploaded “chain.pem” in Fortiweb, but I think that this is the LE certificate.

Where can I find the certificate of my server signed by Let’s Encrypt?

I tried to upload “cert.pem” and even “fullchain.pem”, but Fortiweb doesn’t accept them.

Thank you for your help.

I read in the documentation of certbot that “cert.pem” contains the certificate of the server itself, but when I try to upload it in Fortiweb it says “The imported CA certificate is invalid”.

In the Fortiweb documentation they wrote:

"You can import (upload) either:
• Base64-encoded
• PKCS # 12 RSA-encrypted
X.509 server certificates and private keys to the FortiWeb appliance. DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a reverse-proxy mode. "

I would like to know if the certificate I got from Let’s Encrypt matches this description.

cert.pem contains a base64-encoded X.509 certificate for your site.
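For a reader who wants to confirm what each of the certbot files holds before uploading anything: a PEM file is nothing more than one or more base64-encoded DER certificates between BEGIN/END lines, so cert.pem holds one certificate (the site's own, the one that goes in as the server certificate), chain.pem holds one (the Let's Encrypt intermediate, the one that goes in as the CA/intermediate certificate), and fullchain.pem is the two concatenated. The Python below is an added example written for this thread, not certbot's or FortiWeb's code: it splits a PEM bundle, decodes each block, and checks the outer DER framing that every X.509 certificate has (a single SEQUENCE whose encoded length covers exactly the decoded bytes). The "certificates" it is fed are constructed stand-in DER blobs, not real X.509 data, so it checks framing and file structure only, not signatures or contents.

```python
import base64
import re
from typing import List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        b64 = "".join(body.split())  # drop the 64-column line breaks
        ders.append(base64.b64decode(b64, validate=True))  # rejects non-base64
    return ders


def is_single_der_sequence(der: bytes) -> bool:
    """Check the outer framing an X.509 certificate must have.

    The first byte must be the DER SEQUENCE tag (0x30) and the encoded length,
    short or long form, must account for exactly the rest of the data; a
    truncated or padded upload fails this check.
    """
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: one length byte
        length, header = first, 2
    else:  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def describe_bundle(text: str) -> dict:
    """How many certificates a PEM file holds and whether each is well framed."""
    ders = split_pem_bundle(text)
    return {"count": len(ders),
            "all_well_formed": all(is_single_der_sequence(d) for d in ders)}


# --- constructed sample files (stand-ins for certbot's cert.pem / chain.pem) ---

def _der_sequence(payload: bytes) -> bytes:
    """Wrap payload in a DER SEQUENCE, choosing short or long length form."""
    n = len(payload)
    if n < 0x80:
        return b"\x30" + bytes([n]) + payload
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_bytes)]) + length_bytes + payload


def _to_pem(der: bytes) -> str:
    """Base64-encode DER at 64 columns between CERTIFICATE markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


LEAF_DER = _der_sequence(b"\x02\x01\x01" * 60)          # constructed, not a real cert
INTERMEDIATE_DER = _der_sequence(b"\x02\x01\x02" * 90)  # constructed, not a real cert
CERT_PEM = _to_pem(LEAF_DER)                # what cert.pem looks like: one block
CHAIN_PEM = _to_pem(INTERMEDIATE_DER)       # what chain.pem looks like: one block
FULLCHAIN_PEM = CERT_PEM + CHAIN_PEM        # fullchain.pem is simply both, leaf first

if __name__ == "__main__":
    for name, text in (("cert.pem", CERT_PEM), ("chain.pem", CHAIN_PEM),
                       ("fullchain.pem", FULLCHAIN_PEM)):
        print(name, describe_bundle(text))
```

On a real installation, read the files from /etc/letsencrypt/live/<site>/ instead of the constructed constants; a count of 2 from fullchain.pem and 1 from each of the other two confirms which file is which, and the private key (privkey.pem) is a separate file that is not a certificate at all.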

Thank you for the information. I finally uploaded the server certificate in Fortiweb; the problem was that I didn’t upload the certificate in the right place, but now it’s OK. Also, when I enter the site https://elearning.univ-bejaia.dz in https://www.whynopadlock.com it shows that the certificate is valid and that it’s issued by Let’s Encrypt. It’s super, I’m making progress, but the padlock is always yellow and I don’t know why. The appearance of the site has changed; maybe I have misconfigured or not configured some things in Fortiweb. In any case I will continue my searches. The Fortiweb is configured in reverse-proxy mode.

That's what whynopadlock.com is for! It checks why your site doesn't have a green padlock. And when you enter your site and check it, it says:

Total number of items: 83
Number of insecure items: 80
HUGE LIST OF INSECURE URLs

Please read the FAQ for more info: Frequently Asked Questions - Why No Padlock?


Ah OK, sorry, it’s so obvious, I did not pay attention to that. Thanks.


Hello,

I finally got the green padlock, thank you all for your help. I have another question to ask you: we have on the same server another site (logitheque.univ-bejaia.dz), but this one is accessible only from the intranet. I would like to know if it is possible to have a certificate from Let’s Encrypt for this site, because logically we can’t use the elearning.univ-bejaia.dz certificate for the logitheque.univ-bejaia.dz site, can we?

You can get a certificate from Let’s Encrypt for an intranet site if the site has a name under a public domain, which is true in your case.

The only available method for this is the DNS-01 challenge. With this method, you prove your control over the domain name by creating certain specified DNS records as a part of the process of asking for a certificate. This might be easiest to do with a client like


or

which have more extensive support for this method than Certbot does. Depending on your DNS provider, you might have to add the records yourself when prompted to, or one of the clients may be able to use a DNS provider API to do this for you.

Unlike the other validation methods (which you used to get your existing certificate), this method doesn’t require allowing Let’s Encrypt to connect directly to your server.

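The answer above says the DNS-01 challenge proves control "by creating certain specified DNS records". As an added example, not part of the thread and not any ACME client's code, the Python below computes exactly what that record is, following RFC 8555 (ACME) and RFC 7638 (JWK thumbprints): the TXT record at _acme-challenge.<name> holds base64url(SHA-256(token "." thumbprint-of-the-account-key)). Knowing the derivation lets an administrator who is asked to "add this TXT record" by a client or by the DNS manager check that the value is the right one for the token the CA issued. The account key and the token used here are constructed placeholders, not a real key or a real challenge.

```python
import base64
import hashlib
import json
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638 thumbprint of a JWK.

    Only the required public members are hashed, serialised with keys in
    lexicographic order and no whitespace, so private members such as 'd'
    and any extra metadata never influence the result.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(Thumbprint(accountKey))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: Dict[str, str]) -> str:
    """RFC 8555 section 8.4: the TXT RDATA is base64url(SHA-256(keyAuthorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("utf-8")).digest()
    return b64url(digest)


def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str, str]:
    """The (owner name, type, value) triple the DNS manager has to publish."""
    return (f"_acme-challenge.{domain}.", "TXT", dns01_txt_value(token, account_jwk))


# Constructed stand-in for an ACME account key: the modulus is NOT a real key.
# A real client reads its own account key from disk; only e, kty and n matter
# for the thumbprint, the extra members are here to show they are ignored.
SAMPLE_ACCOUNT_JWK: Dict[str, str] = {
    "kty": "RSA",
    "n": "constructed-modulus-0123456789abcdefghijklmnopqrstuvwxyz",
    "e": "AQAB",
    "alg": "RS256",          # ignored by the thumbprint
    "d": "constructed-private-exponent",  # ignored by the thumbprint
}
SAMPLE_TOKEN = "constructed-token-ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"  # placeholder

if __name__ == "__main__":
    name, rtype, value = dns01_record("logitheque.univ-bejaia.dz", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"{name} IN {rtype} \"{value}\"")
```

Two properties worth noticing in the output: the value is always 43 characters (a 32-byte digest, base64url, unpadded), and it changes with every new token, so a record left over from a previous renewal is never reusable. Because the CA looks the value up through public DNS, the intranet host itself is never contacted, which is the point made in the answer above.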

Thank you very much for all this information. As soon as I have time I will try to do it.
