Unable to create Automated Provision Certificate with Fortigate

Hello, I tried to follow the instructions from Fortinet to be able to create an automated certificate for SSL VPN purposes, but it's not working...

The requirements were: a public IP address with a hostname in DNS, and that's OK.
An ACME interface without VIPs or port forwarding on 80 and 443; that's why I chose my second WAN link, where there is nothing like that.

My domain is: ssl-vpn.heligrafics.net

I ran this command: It's all automated by the FortiGate; I put in my domain, the name of the certificate and an email address.

It produced this output:

2023/08/10 12:02:50 217.76.130.123: Invalid response from http://sslvpn.heligrafics.net/.well-known/acme-challenge/QaFaXoK7wKBvvwm1bIL87WGF5NZqmlDsJAQs29FK3ME: 404
2023/08/10 12:02:50 Starting challenges for domains: 217.76.130.123: Invalid response from http://sslvpn.heligrafics.net/.well-known/acme-challenge/QaFaXoK7wKBvvwm1bIL87WGF5NZqmlDsJAQs29FK3ME: 404, problem: urn:ietf:params:acme:error:unauthorized
2023/08/10 12:02:49 Starting challenges for domains
2023/08/10 12:02:49 Loaded order from staging
2023/08/10 12:02:48 Selecting account to use for sslvpn.heligrafics.net
2023/08/10 12:02:48 Driving ACME protocol for renewal of sslvpn.heligrafics.net
2023/08/10 12:02:47 Contacting ACME server for sslvpn.heligrafics.net at https://acme-v02.api.letsencrypt.org/directory
2023/08/10 12:02:47 Assessing current status
2023/08/10 12:02:47 Checking staging area
2023/08/10 12:02:47 Starting challenges for domains

From my FortiGate I can ping Let's Encrypt without any problem. If someone can help on that topic, it would be awesome!

Many thanks.

1 Like
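The log above already contains the two facts that matter for an HTTP-01 failure: the name the FortiGate actually ordered (which is not the name in the post), and the fact that port 80 at the validated address answered 404 for the acme-challenge path. The following is an added example, not code from the original post or from Fortinet: a small parser for that log format that compares what the FortiGate did with what the operator intended (the intended name and the ACME interface IP are passed in; the sample log is a copy of the lines above).

```python
"""Added example (not from the original post or from Fortinet): parse the ACME
log the FortiGate shows and point at the usual HTTP-01 causes."""
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed copy of the log lines from the post above (newest line first, as
# the FortiGate GUI lists them).
SAMPLE_LOG = """\
2023/08/10 12:02:50 217.76.130.123: Invalid response from http://sslvpn.heligrafics.net/.well-known/acme-challenge/QaFaXoK7wKBvvwm1bIL87WGF5NZqmlDsJAQs29FK3ME: 404
2023/08/10 12:02:50 Starting challenges for domains: 217.76.130.123: Invalid response from http://sslvpn.heligrafics.net/.well-known/acme-challenge/QaFaXoK7wKBvvwm1bIL87WGF5NZqmlDsJAQs29FK3ME: 404, problem: urn:ietf:params:acme:error:unauthorized
2023/08/10 12:02:49 Starting challenges for domains
2023/08/10 12:02:48 Selecting account to use for sslvpn.heligrafics.net
2023/08/10 12:02:48 Driving ACME protocol for renewal of sslvpn.heligrafics.net
2023/08/10 12:02:47 Contacting ACME server for sslvpn.heligrafics.net at https://acme-v02.api.letsencrypt.org/directory
"""

# Patterns are written against the wording visible in the log above only.
INVALID_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): Invalid response from (?P<url>\S+): (?P<status>\d{3})")
PROBLEM_RE = re.compile(r"problem: (?P<problem>urn:ietf:params:acme:error:[\w.-]+)")
NAME_RE = re.compile(r"Driving ACME protocol for \w+ of (?P<name>\S+)")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


@dataclass
class AcmeDiagnosis:
    requested_name: Optional[str] = None   # name the FortiGate put in the ACME order
    validated_ip: Optional[str] = None     # address the CA's validator connected to
    challenge_url: Optional[str] = None    # URL the CA tried to fetch the token from
    http_status: Optional[int] = None      # what answered there
    problem: Optional[str] = None          # ACME problem URN, if any
    findings: List[str] = field(default_factory=list)


def parse_acme_log(text: str) -> AcmeDiagnosis:
    """Pull name, validated IP, challenge URL, status and ACME problem out of the log."""
    diag = AcmeDiagnosis()
    for line in text.splitlines():
        m = NAME_RE.search(line)
        if m:
            diag.requested_name = m.group("name")
        m = INVALID_RE.search(line)
        if m and diag.challenge_url is None:   # keep the first (newest) failure only
            diag.validated_ip = m.group("ip")
            diag.challenge_url = m.group("url")
            diag.http_status = int(m.group("status"))
        m = PROBLEM_RE.search(line)
        if m:
            diag.problem = m.group("problem")
    return diag


def diagnose(text: str, intended_name: str, acme_interface_ip: str) -> AcmeDiagnosis:
    """Compare what the log says happened with what the operator intended."""
    diag = parse_acme_log(text)
    if diag.requested_name and diag.requested_name.lower() != intended_name.lower():
        diag.findings.append(
            f"name mismatch: the FortiGate ordered a certificate for {diag.requested_name!r}, "
            f"not {intended_name!r}; fix the name in the ACME settings or add a DNS record for it")
    if diag.validated_ip and diag.validated_ip != acme_interface_ip:
        diag.findings.append(
            f"wrong target: the CA validated {diag.validated_ip}, not the ACME interface "
            f"{acme_interface_ip}; check which address the name resolves to")
    if diag.challenge_url and diag.http_status is not None:
        path = urlparse(diag.challenge_url).path
        if path.startswith(CHALLENGE_PREFIX) and diag.http_status != 200:
            diag.findings.append(
                f"HTTP-01 token not served: port 80 at {diag.validated_ip} answered "
                f"{diag.http_status} for {path}; either the FortiGate ACME listener is not what "
                "answers on that address, or a policy, VIP or port-forward on 80/443 is in the way")
    if diag.problem and not diag.findings:
        diag.findings.append(f"ACME problem reported without a parsable cause: {diag.problem}")
    return diag


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, "ssl-vpn.heligrafics.net", "217.76.130.123").findings:
        print("-", finding)
```

Run against the sample with the intended name `ssl-vpn.heligrafics.net` and the WAN IP from the thread, it reports the name mismatch (`sslvpn` vs `ssl-vpn`) and the 404 on the challenge path, which is exactly the pair of findings the replies below arrive at by hand.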

Hi @Dam, and welcome to the LE community forum :)

From the logs, I see: "sslvpn.heligrafics.net"

Q#1: What IP is on that second WAN link?
Q#2: What version of FortiOS?

3 Likes

When I actually visit that page:

If you see this page it is because you have reached the default website.

This should not happen under normal circumstances. Probably you are trying to access your website using a name which has not been configured on your website, or your DNS record is not pointing to the right server.

I think the FortiGate doesn't know about that subdomain?

5 Likes

Wow, this community is faster than light! haha

Yes, it was sslvpn.heligrafics.net; I added this DNS entry to my domain.

1 : 217.76.130.123
2 : We have the 7.0.11 right now

Many thanks rg!

1 Like

Hello,

I just created a DNS entry resolving to my public IP; does this hostname have to have a website page on it?

Maybe I don't understand how that thing works.

https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/822087/automatically-provision-a-certificate

When I read the Fortinet documentation, I don't get the feeling that I have to do more than what I did.

Many thanks guys!

1 Like

Reading it makes me think that the FortiGate client is looking at the FortiGate's hostname setup and only signs for that name?

Add the sslvpn subdomain as written there?
https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/707266/fqdn-addresses

2 Likes

FortiOS does things a bit non-standard for ACME.

2 Likes

What do you show in System Settings for ACME Interface?

3 Likes

We have a virtual WAN link with 2 different providers. I put WAN2 as this one is not using a VIP nor port forwarding, as described in the documentation:

"The configured ACME interface must be public facing so that the FortiGate can listen for ACME update requests. It must not have any VIPs, or port forwarding on port 80 (HTTP) or 443 (HTTPS)."

What is the IP on that WAN2 link?

2 Likes
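The Fortinet requirement quoted above comes down to two checks that can be made before clicking the provision button: the name must resolve to the address of the ACME interface (and only to it), and the CA must be able to reach that interface on 80 (the HTTP-01 fetch) and 443 (also required by the Fortinet text quoted above). The following is an added example, not code from the original thread or from Fortinet, that performs those checks; the resolver and port probe are injectable so the constructed scenario at the bottom runs offline (the 203.0.113.10 address is a documentation address chosen here, not one from the thread).

```python
"""Added example (not from the original thread or from Fortinet): preflight the
DNS and reachability conditions for HTTP-01 on a FortiGate ACME interface."""
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]   # name -> IPv4 addresses; raises OSError if unresolvable
PortCheck = Callable[[str, int], bool]  # (ip, port) -> True if a TCP connection succeeds


def dns_a_records(name: str) -> List[str]:
    """Addresses the public gets for the name, via the host's own resolver."""
    return socket.gethostbyname_ex(name)[2]


def tcp_open(ip: str, port: int, timeout: float = 5.0) -> bool:
    """Plain TCP connect; enough to tell 'listener reachable' from 'blocked'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(name: str, acme_ip: str, resolve: Resolver = dns_a_records,
              port_open: PortCheck = tcp_open) -> List[str]:
    """Return the list of problems found; an empty list means the basics are in place."""
    problems: List[str] = []
    try:
        addrs = resolve(name)
    except OSError as exc:
        return [f"DNS: {name} does not resolve ({exc}); create the A record first"]
    if acme_ip not in addrs:
        problems.append(f"DNS: {name} resolves to {addrs}, not to the ACME interface {acme_ip}; "
                        "the CA will fetch the token from whatever serves that address")
    else:
        others = [a for a in addrs if a != acme_ip]
        if others:
            problems.append(f"DNS: {name} also resolves to {others}; the CA may validate any of them")
    # Both ports must be free of VIPs/port-forwards and reachable on the ACME interface.
    for port in (80, 443):
        if not port_open(acme_ip, port):
            problems.append(f"TCP: {acme_ip}:{port} is not reachable; a policy, VIP or "
                            "port-forward on the ACME interface is in the way")
    return problems


# Constructed scenario mirroring the thread: the intended name points at the
# FortiGate, the name actually ordered points at a shared web host, and port 443
# on the FortiGate is taken by another firewall rule.
FORTIGATE_WAN_IP = "217.76.130.123"
FAKE_DNS: Dict[str, List[str]] = {
    "ssl-vpn.heligrafics.net": [FORTIGATE_WAN_IP],
    "sslvpn.heligrafics.net": ["203.0.113.10"],   # hypothetical shared host
}


def fake_resolve(name: str) -> List[str]:
    try:
        return FAKE_DNS[name]
    except KeyError:
        raise socket.gaierror(f"{name}: NXDOMAIN")


def fake_port_open(ip: str, port: int) -> bool:
    return not (ip == FORTIGATE_WAN_IP and port == 443)


def demo() -> Dict[str, List[str]]:
    """Run the preflight for three names against the constructed scenario."""
    names = ("ssl-vpn.heligrafics.net", "sslvpn.heligrafics.net", "vpn.heligrafics.net")
    return {n: preflight(n, FORTIGATE_WAN_IP, fake_resolve, fake_port_open) for n in names}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or ["ok"])
```

Against real infrastructure, call `preflight(name, acme_ip)` with the defaults; the DNS check is the one that would have caught the `ssl-vpn`/`sslvpn` confusion, and the 443 check is the one that corresponds to the firewall rule found at the end of the thread.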

217.76.130.123, as I told you before.

Thanks!

Speak with Fortinet support.
IIRC, there was a problem with ACME and multiple WAN interfaces.
I don't remember which FortiOS was affected, nor which version fixes that problem.

3 Likes

Hello,

As you said, on Friday I sent a support case to Fortinet; let's see what they will answer!

I'll keep you posted!

1 Like

Any news?

3 Likes

Hello @rg305, support is very slow to respond; they asked me for the configuration and I'm waiting...

Many thanks

1 Like

Hello! The problem is solved: I had a firewall rule using port 443, the port that ACME uses, so we were able to make it work the moment we found it.

Nothing worked with WAN2, so we did it with WAN1!

Many thanks for your help everyone.

Have a nice day

1 Like
