Let's Encrypt certificate problem with Fortigate firewall

Good morning,

I'm having a problem managing the certificate with the Fortigate firewall. The new firmware version 7.0 has the ability to manage, create and renew certificates in ACME mode, but I always get an error:

Error (The key authorization file from the server did not match this challenge "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" != "xxxxxxxxxxxxxxxxxxxxxxxxxxx") on Fri Oct 1 16:11:20 2021 (UTC)

Does anyone have the opportunity to explain to me how to proceed?

thanks
Massimo

Has the post been deleted? Why?

Yeah, I deleted it because I think what you're dealing with (trying to get a certificate on Fortigate) was actually different from the thread that I'd linked to (which was about issues with Fortigate firewall SSL interception not liking sites that chained to the expired root). I don't think my message was actually useful or correct, so I deleted it.

I'm not familiar with Fortigate myself, I was just trying to point related things together.

Hi @massimo.cantoni, welcome to the LE community forum 🙂

7.0.1 is out now.
Be sure you read the changelogs and update as needed.

If this is your first attempt at this (very likely), don't overlook the basics.

  1. FQDN resolves to a specific IP - be sure FG is listening for ACME requests on that interface IP.
  2. If there are any NAT or proxies in line ahead of the FG, ensure the FQDN is not being altered.
  3. Always smile; it can be seen even while you type - bad packets fear this! - LOL
  4. If the opportunity presents itself, learn from all that you can - are there any packet captures that can be reviewed? Do you have generic flow diagram (to oversee the sometimes not-so-obvious)?

You may want to check out Fortinet and Expiring Let’s Encrypt Certificates


@Phil
Not likely needed until after they get a cert [and try to use it] - but stranger things have happened.

In the Fortigate guide it would be enough to enter 3 parameters and the WAN port on which to accept the ACME renewal, but I can't understand what Let's Encrypt expects: whether you need to create a txt file, modify the DNS, or something else.

The FG will take care of the rest.
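What the CA actually checks for the HTTP-01 challenge the FortiGate uses, and how the basics listed earlier (FQDN resolving to the right interface, nothing in between rewriting the request) show up in that check, is easier to see in code. The following is an added example written for this thread; it is not code from Let's Encrypt, Fortinet or any of the posters. It implements the RFC 8555 key authorization and the RFC 7638 JWK thumbprint with the Python standard library only; the function names, the sample account key, the token and the "served bodies" are all constructed for illustration and correspond to no real account or host.

```python
"""Diagnose an ACME HTTP-01 failure of the form
"The key authorization file from the server did not match this challenge".

Added example, not code from Let's Encrypt, Fortinet or the thread's posters.
The validator fetches http://<fqdn>/.well-known/acme-challenge/<token> over plain
HTTP (port 80) and expects the body to be exactly "<token>.<thumbprint>", where
the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account key.
No TXT record and no DNS change is involved in this challenge type.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME and JOSE use it everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the *required public members only*, serialised
    as JSON with lexicographically sorted keys and no whitespace.
    Extra members such as "alg" or "kid" are deliberately excluded."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body the CA expects to read."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def diagnose(expected: str, status: int, content_type: str, body: bytes) -> str:
    """Map what an outside client saw on port 80 to the likely cause.

    Order matters: reachability first, then the exact match, then the
    common ways the body can be 'almost right'."""
    if status != 200:
        return "unreachable: HTTP %d on the challenge path (DNS, NAT or listening interface)" % status
    text = body.decode("utf-8", errors="replace")
    if text == expected:
        return "ok"
    if text.strip() == expected:
        return "mismatch: key authorization is right but has trailing whitespace or a newline"
    if "text/html" in content_type.lower() or "<html" in text.lower():
        return "mismatch: an HTML page answered, so a proxy, portal or other virtual host sits in front of the ACME responder"
    exp_token, _, exp_thumb = expected.partition(".")   # neither half contains '.'
    got_token, _, got_thumb = text.partition(".")
    if got_token == exp_token and got_thumb != exp_thumb:
        return "mismatch: token is right but the thumbprint belongs to a different ACME account key"
    return "mismatch: a different token was served (stale challenge file or another host answered)"


# Constructed sample data (hypothetical, not a real ACME account or challenge).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",            # ignored by the thumbprint, on purpose
    "kid": "constructed-example",
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def run_scenarios() -> dict:
    """Replay constructed responses a validator might see and classify each."""
    expected = key_authorization(TOKEN, ACCOUNT_JWK)
    other_key = dict(ACCOUNT_JWK, x="constructed-different-public-key-coordinate")
    seen = {
        "correct":           (200, "text/plain", expected.encode()),
        "trailing_newline":  (200, "text/plain", (expected + "\n").encode()),
        "proxy_page":        (200, "text/html",  b"<html><body>Welcome</body></html>"),
        "wrong_account_key": (200, "text/plain", key_authorization(TOKEN, other_key).encode()),
        "stale_token":       (200, "text/plain", key_authorization("old-" + TOKEN, ACCOUNT_JWK).encode()),
        "not_listening":     (404, "text/html",  b"<html>404 Not Found</html>"),
    }
    return {name: diagnose(expected, *response) for name, response in seen.items()}


if __name__ == "__main__":
    print("expected body:", key_authorization(TOKEN, ACCOUNT_JWK))
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

To use this against a real failure, take the token from the FortiGate's ACME log, export the account key's public JWK, and replace the constructed bodies with what `curl -v http://<fqdn>/.well-known/acme-challenge/<token>` returns when run from outside your network (not from the LAN, where NAT and split DNS can hide the problem). The two halves of the error message in the first post are exactly `expected` and the served body compared here.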
