FortiEMS auto renew SSL certificate using DNS-01 Challenge

Good morning all!

I'm having issues trying to find solid documentation / instructions on how I can auto-renew the SSL certificate for FortiEMS. We currently renew via HTTP-01, but this relies on us letting port 80 through the firewall at the time of renewal. To save any issues going forward, I want to move to the DNS-01 challenge using Akamai Edge DNS.

I think we have to use Certbot to create the certificate, which needs adding as a TXT record into Akamai, but the part I'm struggling with is how to set up the auto-renewal. I've read somewhere about using the Akamai API, but I'm not sure how this works or how to set it up.

If anyone has done this before or has any pointers then they'd be greatly appreciated!

Thanks!

Welcome @thomas.harris

What ACME client are you using today to auto-renew using the HTTP challenge? Is that built into FortiEMS?

Certbot is just one of many ACME Clients. It is popular but for Akamai Edge DNS integration an ACME Client that supports it directly is probably better. See this page about the lego client for example: Akamai EdgeDNS :: Let’s Encrypt client and ACME library written in Go.

The lego ACME Client is often recommended on this forum.

If you don't get other suggestions here you might try the FortiNet forum too. See: https://community.fortinet.com/

3 Likes

Hi Mike,

Yes, FortiEMS uses its own ACME client. After doing some digging, it only appears to support the HTTP challenge, so I think DNS is out of the question. I think the only way is to leave port 80 open or allow it through when the time comes for renewal.

One suggestion I've had is to leave port 80 open but restrict the firewall policy to only allow Let's Encrypt's IP ranges. Do you know the IP ranges for Let's Encrypt so I can test this?

Thanks

Let's Encrypt does not publish the IP ranges it uses. There are multiple data centers around the world which rotate IPs regularly.

Is it possible to request a cert outside of FortiEMS and upload it to that device? Such as using that lego ACME Client I suggested for the DNS Challenge?

3 Likes
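As an added example (not code from the thread, lego, or Fortinet), here is the shape of the cron-driven wrapper Mike's two replies point at: lego's `edgedns` provider does the DNS-01 challenge against Akamai Edge DNS, and a hook checks the new key pair before the site-specific upload to FortiEMS. The hostname `ems.example.com`, the state directory `/etc/lego`, and the `LEGO_*` variable names are assumptions; the `AKAMAI_*` variables are the EdgeGrid credentials lego's provider reads.

```shell
#!/bin/sh
# DNS-01 issuance/renewal for a FortiEMS certificate with lego + Akamai EdgeDNS.
# Run from cron as: /path/to/ems-cert.sh renew
set -u

DOMAIN="${LEGO_DOMAIN:-ems.example.com}"      # assumed EMS hostname
STATE_DIR="${LEGO_STATE_DIR:-/etc/lego}"      # lego keeps account + certs here
EMAIL="${LEGO_EMAIL:-admin@example.com}"      # assumed ACME account contact
HOOK="${LEGO_HOOK:-$0}"                       # lego calls this script back

# Fail early if the EdgeGrid credentials the edgedns provider needs are absent.
require_akamai_env() {
  for v in AKAMAI_HOST AKAMAI_CLIENT_TOKEN AKAMAI_CLIENT_SECRET AKAMAI_ACCESS_TOKEN; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "missing $v" >&2; return 1; fi
  done
}

# First run issues the cert; later runs renew only when <30 days remain.
lego_mode() {
  if [ -f "$1/certificates/$DOMAIN.crt" ]; then echo renew; else echo run; fi
}

lego_cmd() {
  base="lego --accept-tos --email $EMAIL --path $STATE_DIR --dns edgedns --domains $DOMAIN"
  case "$(lego_mode "$STATE_DIR")" in
    run)   echo "$base run --run-hook $HOOK" ;;
    renew) echo "$base renew --days 30 --renew-hook $HOOK" ;;
  esac
}

# lego exports LEGO_CERT_PATH / LEGO_CERT_KEY_PATH / LEGO_CERT_DOMAIN to hooks.
# Verify the key matches the issued cert before touching the appliance; the
# FortiEMS upload step itself is site-specific and not covered in the thread.
post_issue_hook() {
  cert_pub="$(openssl x509 -in "$LEGO_CERT_PATH" -noout -pubkey)"
  key_pub="$(openssl pkey -in "$LEGO_CERT_KEY_PATH" -pubout)"
  [ "$cert_pub" = "$key_pub" ] || { echo "cert/key mismatch" >&2; return 1; }
  echo "new certificate for $LEGO_CERT_DOMAIN at $LEGO_CERT_PATH (upload to FortiEMS here)"
}

if [ -n "${LEGO_CERT_PATH:-}" ]; then
  post_issue_hook                      # invoked by lego as the hook
elif [ "${1:-}" = renew ]; then
  require_akamai_env && sh -c "$(lego_cmd)"
fi
```

Port 80 stays closed throughout, since the only inbound dependency is Akamai's API reachable outbound from the host running lego.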