Fortigate 7.2.3 Cert renewal

Our VPN cert is built through the integrated Let's Encrypt feature in FortiGate and should be valid for 90 days and renew with 30 days' leeway (as far as I understand it). It has the ISRG Root and is issued by R3. However, since I upgraded to 7.2 this is the first time the renewal has come about, and it did not auto-renew. I suppose I could rebuild a cert easily enough, but I want to know if it will renew next time or if I will have to be on the lookout from here on out for expiring certs if I use FortiGate's integrated Let's Encrypt.

I think this question might be better directed at FortiGate support since the issue seems to be with their implementation or the upgrade.

5 Likes

What is the error message shown on the cert?
system | certificates
<certificate> comments

2 Likes

It didn't error; as far as it looks, it didn't even try.
Its comment output is: "Renewed with ACME on Mon Oct 3 14:20:55 2022 (UTC)"

That seems like a definite upgrade "bug".
It should have tried to renew after 60 days... [some quik mafs...]
On Dec 2nd - ten days ago!
I would open a ticket with Fortinet.
And do keep us informed on the outcome - thanks

4 Likes

I have, and I will post end results. Thanks fellas!

3 Likes

After upgrading, if the ACME setting has more than one WAN interface assigned, it will not reach out to the Let's Encrypt servers at all, not even to remind you that your cert is near expiration. For fault tolerance, I have two ISPs assigned, causing this issue.

Solution: Only ever assign 1 WAN port to the ACME setting within your FortiGate. It will allow multiple, but will not function as designed. (Note: This is not a setting you can see within the GUI. You must find and edit it within the CLI.)

4 Likes

So, it was already failing to renew before the upgrade (due to the multiple WANs)?
OR
Did this problem surface in this new version?

And thx for getting back on this :wink:

3 Likes

It worked on a previous version in October, I would have been on 7.0.

Which version upgrade made this non-viable I couldn't say definitively; whether it was the jump to 7.2 or a smaller update is unclear. What I can confirm to the community is that on 7.2.3 it will not work with the ACME setting allowing multiple WAN interfaces.

1 Like

Since you mentioned the October timeframe: this took effect on September 15, 2022.

2 Likes

I looked into that right away. I was already using the v02.api address, ruling this out as my issue:

"when": "Sun, 02 Oct 2022 15:20:01 GMT",
"type": "progress",
"detail": "Contacting ACME server for vpn.redacted.com at https://acme-v02.api.letsencrypt.org/directory"

2 Likes
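Two checks come up in this thread that a FortiGate admin can script rather than do by hand: the "60 days after the last renewal" arithmetic from the earlier reply (90-day validity minus 30 days' leeway), and confirming from the ACME progress log that the firewall is contacting the v02 directory. The following Python script is an added example, not code from the thread or from Fortinet; it parses the certificate comment string and the JSON progress entry exactly as quoted above (both embedded as constructed samples), and the 90/30-day figures are taken from the original poster's description, not from Fortinet documentation.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Renewal policy as described in the thread (assumption: 90-day cert, renew 30 days early).
VALIDITY_DAYS = 90
RENEW_LEEWAY_DAYS = 30

# The production Let's Encrypt ACME v2 directory the FortiGate should be contacting.
ACME_V02_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"

# Constructed samples: the certificate comment and the progress entry quoted in the thread.
SAMPLE_COMMENT = "Renewed with ACME on Mon Oct 3 14:20:55 2022 (UTC)"
SAMPLE_PROGRESS_ENTRY = json.dumps({
    "when": "Sun, 02 Oct 2022 15:20:01 GMT",
    "type": "progress",
    "detail": "Contacting ACME server for vpn.redacted.com at "
              "https://acme-v02.api.letsencrypt.org/directory",
})

_COMMENT_RE = re.compile(r"Renewed with ACME on (.+?) \(UTC\)")


def parse_renewal_time(comment: str) -> datetime:
    """Extract the last successful ACME renewal time from a FortiGate certificate comment."""
    m = _COMMENT_RE.search(comment)
    if m is None:
        raise ValueError(f"not an ACME renewal comment: {comment!r}")
    # strptime's %d accepts the single-digit day the FortiGate prints ("Oct 3").
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def renewal_schedule(renewed_at: datetime) -> tuple:
    """Return (renewal_due, expiry): expiry is 90 days out, renewal is due 30 days before that."""
    expiry = renewed_at + timedelta(days=VALIDITY_DAYS)
    due = expiry - timedelta(days=RENEW_LEEWAY_DAYS)
    return due, expiry


def renewal_status(comment: str, now_iso: str) -> dict:
    """Classify a cert whose comment still shows the old renewal time as ok / overdue / expired.

    now_iso is an ISO 8601 timestamp with offset, e.g. "2022-12-12T15:00:00+00:00".
    """
    now = datetime.fromisoformat(now_iso)
    renewed_at = parse_renewal_time(comment)
    due, expiry = renewal_schedule(renewed_at)
    if now >= expiry:
        state = "expired"
    elif now >= due:
        state = "overdue"  # the FortiGate should already have contacted Let's Encrypt
    else:
        state = "ok"
    return {
        "renewed_at": renewed_at,
        "renewal_due": due,
        "expiry": expiry,
        "days_since_due": (now - due).days,  # negative while still ahead of the window
        "state": state,
    }


def uses_v02_directory(progress_entry_json: str) -> bool:
    """True if the ACME progress entry shows the FortiGate contacting the Let's Encrypt v02 directory."""
    entry = json.loads(progress_entry_json)
    urls = re.findall(r"https?://\S+", entry.get("detail", ""))
    if not urls:
        return False
    seen = urlparse(urls[-1])
    want = urlparse(ACME_V02_DIRECTORY)
    return (seen.scheme, seen.netloc, seen.path) == (want.scheme, want.netloc, want.path)


if __name__ == "__main__":
    # Constructed "now": the day of the "ten days ago" reply in the thread.
    status = renewal_status(SAMPLE_COMMENT, "2022-12-12T15:00:00+00:00")
    print(f"renewed {status['renewed_at']:%Y-%m-%d}, due {status['renewal_due']:%Y-%m-%d}, "
          f"expires {status['expiry']:%Y-%m-%d}: {status['state']} "
          f"({status['days_since_due']} days past due)")
    print("contacting v02 directory:", uses_v02_directory(SAMPLE_PROGRESS_ENTRY))
```

Fed the comment from the thread, the script reports the renewal as due on 2 December 2022 and ten days overdue on 12 December, matching the arithmetic in the earlier reply; a cert whose comment still carries a renewal date more than 60 days old is the signal to check the ACME interface configuration rather than wait for an error the FortiGate never logs.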

Can you attach the actual CSR to a post?

2 Likes

It's not a SHA-1 issue.

2 Likes
