Fortigate DDNS & Let's Encrypt

This is a question about using certbot for auto renewal in the following situation:

Let's say we have a domain and also a Fortigate firewall 60D running FortiOS 6.04 (7 not available on this device). The Fortigate is the gateway for a dynamic IP for the main office, so we have got the Fortigate set up to register to resolve the changing dynamic IP.

There is a webserver for the website, but it's hosted elsewhere (not on premise).

The workgroup computers are on an Azure AD domain - there is no on-premise server. I want to set up an SSL VPN but need to get certbot running for the cert renewals.

Now could this be done with a VMware Ubuntu workstation running behind the firewall? Don't worry about uploading the cert to the Fortigate - there is a script for that, I just need to automate the renewal - but the certbot download tool asks questions about the www server which I don't know the answer to.

I presume I also need a way to verify ownership of the DDNS domain (whose records I can't change?)

I am assuming that if I set up an Ubuntu 20.04 VM to host certbot, I would also need a web server on the VM to host the cert for ownership verification as well?

How to proceed here?

Welcome to the community @bigal_nz

Maybe. Yes, you must demonstrate control of the domain name to get a cert. For this, the two most common ways are the DNS challenge or HTTP challenge.

Port 80 must be open in the firewall to receive the HTTP challenge. Certbot has a standalone option to be the webserver only to process these challenges. It saves the trouble of setting up nginx or Apache for example. The URL format of these challenges from the Let's Encrypt servers to you is always the same so if your firewall allows you could allow just that format instead of all URLs inbound on port 80.


For the DNS challenge you need to update a TXT record value in the DNS zone. There are various plug-ins for DNS providers to automate this. See the certbot docs for the list. Another ACME client supports many more DNS providers. You can add the TXT record manually, but this becomes tedious quickly as the certs expire in 90 days and the recommendation is to renew after 60 days (maybe 75) to allow time to recover from problems.


Right - I like the sound of not having to set up my own webserver.
So I should download certbot and use the embedded webserver.
Is the verification a one-time step, or must the verification be repeated every time the renewal happens?

Must be done on each renewal.


So I need to permanently leave port 80 open?
I can restrict it to geoblocked, or even an IP if I know where your requests come from.

That won't be possible.
You should leave it open at the firewall and just don't use it - only let your ACME client turn on when needed.
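As an added example (not code from the thread, nor from Certbot or Fortinet), the standalone flow described above on the Ubuntu VM: certbot binds port 80 only while a challenge is in progress, the existing upload script runs as a deploy hook, and a helper shows the one fixed path that HTTP-01 requests on port 80 ever use. DOMAIN, EMAIL, UPLOAD_SCRIPT and the cron schedule are placeholders.

```shell
#!/bin/sh
# Added example: certbot standalone renewal on the Ubuntu VM behind the FortiGate.
# Assumptions: certbot is installed, the FortiGate forwards inbound TCP/80 to
# this VM, and UPLOAD_SCRIPT is the existing (unnamed in the thread) script
# that pushes the new cert to the FortiGate.
set -eu

DOMAIN="${DOMAIN:-vpn.example.com}"                              # placeholder DDNS name
EMAIL="${EMAIL:-admin@example.com}"                              # placeholder contact
UPLOAD_SCRIPT="${UPLOAD_SCRIPT:-/usr/local/bin/upload-cert.sh}"  # placeholder

# HTTP-01 validation requests always use this single path (RFC 8555 section 8.3):
# /.well-known/acme-challenge/<token>, token = base64url without padding.
# Handy when deciding what an inbound port-80 rule actually needs to admit.
is_acme_challenge_path() {
    printf '%s\n' "$1" | grep -Eq '^/\.well-known/acme-challenge/[A-Za-z0-9_-]+$'
}

# First issuance: certbot listens on :80 itself only for the duration of the
# run, so no permanent web server is needed on the VM. The deploy hook is
# stored in the renewal config and re-run only when a new cert is issued.
issue_cmd() {
    printf '%s' "certbot certonly --standalone --non-interactive --agree-tos \
-m $EMAIL -d $DOMAIN --deploy-hook $UPLOAD_SCRIPT"
}

# Renewal: certbot only renews certs within 30 days of expiry (its default),
# so running this twice a day is safe; each run repeats the HTTP-01 check.
renew_cmd() {
    printf '%s' "certbot renew --quiet"
}

# Invoke with "issue" or "renew"; with no argument only the functions are defined.
case "${1:-}" in
    issue) sh -c "$(issue_cmd)" ;;
    renew) sh -c "$(renew_cmd)" ;;
esac
# Example crontab line (assumed schedule and script path):
# 17 3,15 * * * /usr/local/bin/le-standalone.sh renew
```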


Might want to see:

What IP Addresses does Let's Encrypt use

ACME Challenge types

Certbot Standalone


Who hosts your DNS nameservers (self hosted, Azure, AWS Route 53, GoDaddy etc)? For general purpose certificates when HTTP challenges may be problematic, DNS validation is sometimes easier - it just depends on how your actual DNS for your domain is hosted.

