LE for FortiGate Firewall Hardware Appliance

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vpn.position2.com

I ran this command: install certbot

It produced this output: Unknown action 0

My web server is (include version): not a web server

The operating system my web server runs on is (include version): FortiOS-v6.2.4 build1112 (GA)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I'd like to use the LE for VPN connectivity purposes through our FortiGate Firewall - Is it feasible in the first place? If yes, how would I get the LE SSL generated on/for our FortiGate firewall device? I'm stuck at this point. Please help.

Regards,
Prabagaran L.

While you can install any certificate from any CA on a FortiGate device, as far as I'm aware, there are no ACME integrations available for FortiOS. At least, not any that would run on the actual FortiGate device.

You can probably still script something up yourself, where a second Linux server performs all the steps to obtain and install the certificate to the device.

You need to do two things:

  1. Obtain the certificate. Since you use Dyn, you could probably automate this using the DNS challenge with an ACME client like acme.sh or lego.
  2. Once you've obtained (or automatically renewed) the certificate, you need a hook for the ACME client that will actually log into your firewall and install the obtained certificate. There appear to be a handful of community solutions which do this. This one seems pretty good.

If that seems like too much work, you could also just stick to buying a cheap certificate from another CA and installing it manually once a year. At least, until FortiOS comes up with its own integration.

2 Likes
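The second step of the procedure above (a hook that installs the obtained certificate on the firewall) as an added example; it is not code from this thread, from Fortinet, or from the acme.sh or lego projects. It assumes step one is done by lego with its DNS challenge (`lego --dns dyn ... --run-hook ./fortigate_hook.py`, provider name assumed), so the hook reads the `LEGO_CERT_DOMAIN`, `LEGO_CERT_PATH` and `LEGO_CERT_KEY_PATH` variables lego exports (verify against your lego version; acme.sh passes the same paths as function arguments instead). Everything about the firewall side, the two REST endpoints, the JSON field names and the `status` check, is an assumption to confirm against the FortiOS REST API reference for your build before relying on it.

```python
#!/usr/bin/env python3
"""Deploy hook: push a freshly issued certificate to a FortiGate over its REST API.

Added example, not Fortinet / acme.sh / lego code. Assumptions to verify:
  - FORTIGATE_TOKEN is a REST API admin token limited to certificate and SSL-VPN
    settings and restricted to the renewal host via the admin's trusthost.
  - POST /api/v2/monitor/vpn-certificate/local/import imports a base64 cert + key.
  - PUT  /api/v2/cmdb/vpn.ssl/settings changes the SSL-VPN server certificate.
"""
import base64
import json
import os
import ssl
import sys
import urllib.request
from datetime import datetime, timezone

IMPORT_PATH = "/api/v2/monitor/vpn-certificate/local/import"  # assumed endpoint
SSLVPN_PATH = "/api/v2/cmdb/vpn.ssl/settings"                 # assumed endpoint


def looks_like_pem(pem: str, kind: str) -> bool:
    """Cheap guard before upload: one or more PEM blocks whose label contains `kind`."""
    lines = pem.splitlines()
    begins = [ln for ln in lines if ln.startswith("-----BEGIN ") and kind in ln]
    ends = [ln for ln in lines if ln.startswith("-----END ") and kind in ln]
    return len(begins) >= 1 and len(begins) == len(ends)


def cert_name(domain: str, when=None) -> str:
    """Versioned object name, e.g. vpn_position2_com-202401011200.

    Each renewal is imported under a new name, so the previous certificate stays
    on the box and rolling back is a single change of `servercert`.
    """
    when = when or datetime.now(timezone.utc)
    return f"{domain.replace('.', '_')}-{when:%Y%m%d%H%M}"


def build_import_payload(name: str, cert_pem: str, key_pem: str) -> dict:
    """JSON body for the import call (field names are an assumption, see docstring)."""
    if not looks_like_pem(cert_pem, "CERTIFICATE"):
        raise ValueError("certificate file is not PEM")
    if not looks_like_pem(key_pem, "PRIVATE KEY"):
        raise ValueError("key file is not a PEM private key")
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    return {
        "type": "regular",
        "certname": name,
        "scope": "global",
        "file_content": b64(cert_pem),       # full chain, so clients get intermediates
        "key_file_content": b64(key_pem),
    }


def fortigate_call(host: str, token: str, method: str, path: str, body: dict, cafile=None) -> dict:
    """One authenticated REST call. TLS stays verified: pass the firewall's current
    (even self-signed) certificate as `cafile` instead of switching checks off."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{host}{path}",
        data=json.dumps(body).encode(),
        method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def deploy(host, token, domain, cert_path, key_path, cafile=None) -> str:
    """Import under a fresh name, then point SSL-VPN at it. Returns the new name."""
    with open(cert_path) as f:
        cert_pem = f.read()
    with open(key_path) as f:
        key_pem = f.read()
    name = cert_name(domain)
    result = fortigate_call(host, token, "POST", IMPORT_PATH,
                            build_import_payload(name, cert_pem, key_pem), cafile)
    if result.get("status") != "success":        # assumed response shape
        raise RuntimeError(f"import failed: {result}")
    result = fortigate_call(host, token, "PUT", SSLVPN_PATH, {"servercert": name}, cafile)
    if result.get("status") != "success":
        raise RuntimeError(f"switching servercert failed: {result}")
    return name


if __name__ == "__main__":
    env = os.environ
    try:
        new = deploy(env["FORTIGATE_HOST"], env["FORTIGATE_TOKEN"], env["LEGO_CERT_DOMAIN"],
                     env["LEGO_CERT_PATH"], env["LEGO_CERT_KEY_PATH"], env.get("FORTIGATE_CAFILE"))
    except (KeyError, OSError, ValueError, RuntimeError) as exc:
        sys.exit(f"deploy hook failed: {exc}")
    print(f"SSL-VPN now serves {new}")
```

Two details matter in practice. The first run happens while the firewall still presents its factory self-signed certificate, so `FORTIGATE_CAFILE` should point at that certificate for bootstrap and at the Let's Encrypt chain (or the system trust store) afterwards. And because the hook carries a private key and an admin token, run it from a host you trust, keep the token scoped to the two settings it needs, and watch the firewall's event log for the import and the `servercert` change so an unexpected deployment is visible.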

Thank you!

I'm fairly new to APIs. Let me check out your recommendations and post the results.

Meanwhile, could there be any other alternatives?

1 Like

A manually processed DNS authentication followed by a manually installed cert.
[but that cert will only last 90 days - so automation is the key component here]