I found a document on the Internet here that I am reading now. From what I understood on page 298, I have to upload the certificate of Let's Encrypt in FortiWeb so that FortiWeb accepts this certificate, because it doesn't accept all the CAs' certificates, but only those in its store.
In any case I will continue reading and I will see.
The part after “Uploading trusted CAs’ certificates” on the bottom of page 298 is for client certificate authentication!
You should read the whole bunch of text from “Secure connections (SSL/TLS)”, page 295, and onward. You’ll have to choose between “SSL offloading” and “SSL inspection”. See “How to offload or inspect HTTPS” on page 301 for more info.
Is Let's Encrypt a root CA or an intermediate CA?
For me, Let's Encrypt is an intermediate CA and the intermediaries (if we can say that) are:
TrustID Server CA A52
and
IdenTrust Commercial Root CA 1
isn't it?
I need to know that before uploading the server certificate in FortiWeb.
You shouldn't use the certificate on https://letsencrypt.org/ itself as your example because that certificate, as it happens, is not issued by Let's Encrypt.
I have to upload in FortiWeb the certificate of my server and the certificate of the intermediate CA that signed my certificate (i.e. Let's Encrypt).
You gave me the certificate of Let's Encrypt, it's good, thank you.
Now, where can I find the certificate of my own server signed by Let's Encrypt? I uploaded "chain.pem" in FortiWeb, but I think that this is the LE certificate.
Where can I find the certificate of my server signed by Let's Encrypt?
I tried to upload "cert.pem" and even "fullchain.pem", but FortiWeb doesn't accept them.
I read in the documentation of Certbot that "cert.pem" contains the certificate of the server itself, but when I try to upload it in FortiWeb it says "The imported CA certificate is invalid".
In the FortiWeb documentation they wrote:
"You can import (upload) either:
• Base64-encoded
• PKCS #12 RSA-encrypted
X.509 server certificates and private keys to the FortiWeb appliance. DSA-encrypted certificates are not supported if the FortiWeb appliance is operating in a reverse-proxy mode."
I would like to know if the certificate I got from Let's Encrypt matches this description.
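The confusion above (which of cert.pem, chain.pem and fullchain.pem is "the certificate of my server" and which is the CA certificate) can be settled by reading the files rather than guessing. The script below is an added example, not code from the thread, from Certbot or from Fortinet; it assumes `openssl` on PATH and a Certbot-style directory holding cert.pem (the server/leaf certificate that goes with privkey.pem), chain.pem (the issuing intermediate CA) and fullchain.pem (both). It labels every certificate in each file as leaf, intermediate or root by comparing subject and issuer and reading the Basic Constraints extension, and it checks that cert.pem actually chains through chain.pem, which is the same check the "imported CA certificate is invalid" message is the symptom of failing.

```shell
#!/bin/sh
# Added example (not from the thread, Certbot or FortiWeb). Inspects the PEM
# files Certbot writes under /etc/letsencrypt/live/<name>/ and labels each
# certificate so the right file goes to the right import. Assumes openssl.

# Number of certificates in a PEM bundle (prints 0 if none).
pem_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Print the N-th (1-based) certificate of a PEM bundle.
pem_nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/ { c++ }
                 c == n { print }
                 /END CERTIFICATE/ { if (c == n) exit }' "$1"
}

# Print one DN (subject or issuer) of the certificate on stdin in RFC 2253
# form, without the "subject=" / "issuer=" prefix openssl adds.
cert_field() {
  openssl x509 -noout -nameopt RFC2253 "-$1" | sed 's/^[a-z]*= *//'
}

# Classify the single certificate on stdin: root (self-signed), intermediate
# (CA:TRUE but issued by someone else) or leaf (an end-entity certificate).
cert_role() {
  pem=$(cat)
  subj=$(printf '%s\n' "$pem" | cert_field subject)
  iss=$(printf '%s\n' "$pem" | cert_field issuer)
  if [ "$subj" = "$iss" ]; then
    echo root
  elif printf '%s\n' "$pem" | openssl x509 -noout -text | grep -q 'CA:TRUE'; then
    echo intermediate
  else
    echo leaf
  fi
}

# One line per certificate in a bundle: file, position, role, subject, issuer.
describe_pem() {
  n=$(pem_cert_count "$1")
  i=1
  while [ "$i" -le "$n" ]; do
    c=$(pem_nth_cert "$1" "$i")
    printf '%s #%s: %s  subject=%s  issuer=%s\n' "$(basename "$1")" "$i" \
      "$(printf '%s\n' "$c" | cert_role)" \
      "$(printf '%s\n' "$c" | cert_field subject)" \
      "$(printf '%s\n' "$c" | cert_field issuer)"
    i=$((i + 1))
  done
}

# Exit 0 when the leaf in $1 chains through the intermediates in $2 to a
# trusted root: the root in $3 if given, otherwise the system trust store.
chain_verifies() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
  fi
}

# Usage: sh inspect-live.sh /etc/letsencrypt/live/<name>
if [ "$#" -ge 1 ]; then
  for f in cert.pem chain.pem fullchain.pem; do
    if [ -f "$1/$f" ]; then describe_pem "$1/$f"; fi
  done
  if chain_verifies "$1/cert.pem" "$1/chain.pem"; then
    echo "cert.pem verifies against chain.pem and the system trust store"
  else
    echo "cert.pem does NOT verify; check which file you uploaded where"
  fi
fi
```

Run it against the live directory of the site: the line labelled `leaf` is the server certificate (pair it with privkey.pem for the server-certificate import), the line labelled `intermediate` is what a trusted-CA import expects, and a file showing both is fullchain.pem.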
Thank you for the information. I finally uploaded the server certificate in FortiWeb; the problem was that I didn't upload the certificate in the right place, but now it's ok. Also, when I enter the site https://elearning.univ-bejaia.dz in https://www.whynopadlock.com it shows that the certificate is valid and that it's issued by Let's Encrypt. It's super, I progress, but the padlock is always yellow and I don't know why the appearance of the site has changed; maybe I have misconfigured or have not configured some things in FortiWeb. In any case I will continue my searches. The FortiWeb is configured in reverse-proxy mode.
I finally got the green padlock, thank you all for your help. I have another question to ask you: we have on the same server another site (logitheque.univ-bejaia.dz), but this one is accessible only by intranet. I would like to know if it is possible to have a certificate from Let's Encrypt for this site, because logically we can't use the elearning.univ-bejaia.dz certificate for the logitheque.univ-bejaia.dz site, isn't it?
You can get a certificate from Let’s Encrypt for an intranet site if the site has a name under a public domain, which is true in your case.
The only available method for this is the DNS-01 challenge. With this method, you prove your control over the domain name by creating certain specified DNS records as a part of the process of asking for a certificate. This might be easiest to do with a client like
or
which have more extensive support for this method than Certbot does. Depending on your DNS provider, you might have to add the records yourself when prompted to, or one of the clients may be able to use a DNS provider API to do this for you.
Unlike the other validation methods (which you used to get your existing certificate), this method doesn’t require allowing Let’s Encrypt to connect directly to your server.
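What "creating certain specified DNS records" amounts to, as an added example that is not part of the reply above or of any ACME client: the record name is `_acme-challenge.<host>` and its value is the base64url-encoded SHA-256 of the key authorization (`<token>.<account key thumbprint>`), as laid out in RFC 8555 section 8.4. The script assumes `openssl` on PATH (and `dig` plus network access only for the optional lookup); the token and thumbprint values you pass in are whatever your ACME client hands you, and the hostnames in the usage line are placeholders. It also goes slightly beyond the thread by handling a wildcard name, which uses the same `_acme-challenge` record as the base domain.

```shell
#!/bin/sh
# Added example (not from the thread or from any ACME client). Derives the
# DNS-01 record an intranet host such as logitheque.univ-bejaia.dz needs and
# lets you confirm it is visible before asking the CA to validate.
# Assumes openssl; dig only for the optional lookup. Per RFC 8555 s. 8.4.

# Key authorization = <token>.<account key thumbprint>, both base64url
# strings supplied by (or computed with) your ACME client.
dns01_key_authorization() {
  printf '%s.%s' "$1" "$2"
}

# TXT record value = base64url(SHA-256(key authorization)) without padding.
dns01_txt_value() {
  printf '%s' "$1" | openssl dgst -sha256 -binary | openssl base64 \
    | tr '+/' '-_' | tr -d '='
}

# Record name for a host; a wildcard *.example.test is validated through the
# same _acme-challenge.example.test name as the base domain.
dns01_record_name() {
  host=${1#\*.}
  printf '_acme-challenge.%s' "$host"
}

# Exit 0 once public DNS returns the expected TXT value (needs dig and
# network). The CA asks the authoritative servers, so wait for propagation.
dns01_record_published() {
  dig +short TXT "$(dns01_record_name "$1")" | tr -d '"' | grep -qx "$2"
}

# Usage: sh dns01.sh <host> <token> <thumbprint>
# e.g. sh dns01.sh logitheque.univ-bejaia.dz TOKEN_PLACEHOLDER THUMB_PLACEHOLDER
if [ "$#" -eq 3 ]; then
  ka=$(dns01_key_authorization "$2" "$3")
  echo "Create TXT $(dns01_record_name "$1") = $(dns01_txt_value "$ka")"
  if dns01_record_published "$1" "$(dns01_txt_value "$ka")"; then
    echo "record is visible in DNS; safe to trigger validation"
  else
    echo "record not visible yet; do not trigger validation"
  fi
fi
```

Because the CA only needs to read this TXT record from public DNS, nothing has to reach the intranet host itself, which is why the reply says the method works for a server that is not reachable from the Internet. If the DNS provider has an API, a client can create and remove the record automatically; otherwise the printed name and value are what you enter by hand.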