How to recreate a certificate on Fortigate FOS 7.0.1

Help
#1

Hello,

I well configured the certificate on my appliance Fortigate 100F, by following the procedure on the Fortinet official website. Everything was good !

Then, for "teaching" my coworkers, I deleted all "Let's Encrypt" generated certificates on the appliance. And try do the procedure again. It is not working anymore. I have an error every time I'm trying. The message :
"Error (Unsuccessful in contacting ACME server at https://acme-v02.api.letsencrypt.org/directory"
But I can ping it ...

How can i do for it work again please ?

#2

Hi @NicoB welcome to the LE community forum :slight_smile:

Were there are rules using the cert you deleted?
Was anything using it?

#3

Hello,

Nothing.
I was going to apply it on my SSL portal in 2 week. It was in stand by.

#4

Hi @NicoB,

It's very possible that you're encountering a client software problem now that the old root certificate has expired (at the end of September 2021). If so, the software on your Fortigate appliance itself may need to be updated so that it accepts the new certificate.

A less likely problem for this API is

https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

(since the Let's Encrypt API is serving the short chain rather than the long chain), while a more likely problem is having an outdated root certificate store that doesn't including ISRG's X1 root certificate.

I don't know how much visibility or control Fortigate gives you on software updates, but you might want to look into that and ask them if there are software updates available that could bear on compatibility with ISRG's root.

#5

Have a look at:
https://kb.fortinet.com/kb/documentLink.do?externalID=FD49028

#6

Hello,

Thx for the link, but I'm not sure this will help me here.
As I said before, I didn't use it (certificate) anywhere. It was just created and I whish to implement on th 16 October. So it was just in "stand by".

But now, I deleted it to do the procedure again to show and teach it to my student coworker.
Unfortunately, I'm doing the exact same procedure and it is not working anymore.

So my question is, is Let's Encrypt has a cache on their side (with domain name or mail address, or something else) which identifying/recognize my appliance and it don't want it anymore ? Do I have to wait some time for the cache to be flush on the Let's Encrypt side ?

Thx for help,

1 Like
#7

No and no.

#8

I have just faced with the same problem. I was doing last night some training, then after successful getting the certificate, I deleted it and since that time I can't get new certificate. The log of Fortigate is showing the same message. Have you resolved the problem?

#9

Hello,

I opened a ticket @Fortinet.
They gave me 2 links :

and
https://kb.fortinet.com/kb/documentLink.do?externalID=FD53305

Not far away from rg305 link.

You can try it from your side. It didn't work for me.
Except that I do not try to put all my rules to "flow-based" for 2 reasons :

  • I have more than 1000 rules ...
  • I did not use the certificate anywhere ...

My Fortinet ticket has been escalated. I'm waiting for them now.

#10

You could try to make one rule above all others with only one specific source and only one specific destination.
Then "play" with that one rule until they can connect.

#11

there was another trick found buy people one reddit, remove dst root from store and dns blackhole apps.identrust.com to stop Fortrinet from get issuer from isrg-signed by dst certificate that long chain has. (then clear cache and restart)
https://www.reddit.com/r/fortinet/comments/q1ug0n/lets_encrypt_fiasco/

1 Like
#12

could you please keep us informed about Fortinet ticket reply? thanks a lot!

1 Like