FortiOS Feature Highlight: Let's Encrypt Certificate
FortiOS 7.0 has been released! Now, I know most of us are very cautious about this because in FortiOS .0 means ".NO you shall not upgrade in production" but we're not here to talk about this today. Just over a year ago I wrote "Let's Encrypt with FortiGate", today I am happy to announce that article is now obsolete!
With FortiOS 7.0 you can request a Let's Encrypt certificate from within the FortiGate, and in this article we'll cover how that's done.
As of the writing of this article I am running FortiOS 7.0, which is required for "Automated" certificate provisioning.
With the boring stuff out of the way, let's take a look at how this is done!
As of the date of this writing, the following requirements must be met for Let's Encrypt:
You need a DNS record that publicly resolves the FQDN you want to use in the certificate to an IP address you own (an A record or CNAME such that host.domain.com -> x.x.x.x)
Proof of ownership of the domain - generally a web server that can be reached by the FQDN mentioned above and can dynamically host the "random value" that Certbot/Let's Encrypt requests you present
Last but not least an ACME client to generate the certificate
In our lab environment we'll generate a certificate for dot5.ultraviolet.network.
Browse to System > Certificates > Import and select the type Automated
Set the following values accordingly:
Certificate Name: How you want the Certificate Name to appear in the UI
Domain: The FQDN you wish to provide the certificate for - this will be the Subject Name and CN on the certificate
Email: the email address you want to be associated with this certificate for notifications
RSA Key size: generally speaking, the longer the key, the better. There is a downside to this: not all clients support 3072 and 4096 yet, so be mindful. I'm using 2048 in this example
Renew Window: when to start trying to renew the certificate, default is 30 days. We'll leave this untouched
You'll see that the cert is now there, but the comments are blank and the status is "unknown". Give this a bit of time (generally 30-60 seconds):
Once it's gone through the validation you should see a message that says "Renewed with ACME on DATE" - like below:
And that's it!
Some things to take into consideration when troubleshooting:
If the FQDN you're attempting to generate the certificate for doesn't resolve to an IP present on the FortiGate, chances are it will fail.
If the certificate generation fails, read the comments section, it will generally tell you why.
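The requirements and troubleshooting points above boil down to two checks: the FQDN must publicly resolve to an address the FortiGate actually holds, and the challenge path must be reachable over plain HTTP from the outside. Here is an added pre-flight script that runs those checks before you click Import; it is constructed for this article and is not Fortinet's or Let's Encrypt's code, and it assumes the HTTP-01 challenge (the ".well-known/acme-challenge" path on port 80 defined in RFC 8555) is the validation method in use. The resolver and fetcher are injectable so the logic can be exercised offline.

```python
"""Pre-flight check for a FortiGate ACME request (constructed example, not Fortinet's code).
Checks the two requirements above: the FQDN publicly resolves to an address the FortiGate
holds, and the HTTP-01 challenge path is reachable on port 80. Resolver and fetcher are
injectable so the logic can run offline."""
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

ACME_PATH = "/.well-known/acme-challenge/"  # path Let's Encrypt fetches for HTTP-01 (RFC 8555)


@dataclass
class PreflightResult:
    ok: bool
    resolved: List[str]
    problems: List[str] = field(default_factory=list)


def public_resolve(fqdn: str) -> List[str]:
    """Every address the FQDN resolves to via the system resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(fqdn, None)})


def http_status(url: str) -> int:
    """HTTP status of a GET. A 404 for our probe token is fine; the failure that
    matters is a connection error, which propagates as OSError."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def acme_preflight(fqdn: str, fortigate_ips: Iterable[str],
                   resolve: Callable[[str], List[str]] = public_resolve,
                   fetch: Callable[[str], int] = http_status) -> PreflightResult:
    problems: List[str] = []
    try:
        resolved = resolve(fqdn)
    except OSError as err:  # NXDOMAIN / resolver failure
        return PreflightResult(False, [], [f"{fqdn} does not resolve: {err}"])
    if not set(resolved) & set(fortigate_ips):
        problems.append(f"{fqdn} resolves to {resolved}, not to an address on this FortiGate")
    try:  # any HTTP answer (even 404) proves port 80 is reachable from outside
        fetch(f"http://{fqdn}{ACME_PATH}preflight-probe")
    except OSError as err:
        problems.append(f"port 80 on {fqdn} unreachable for HTTP-01: {err}")
    return PreflightResult(not problems, resolved, problems)
```

Run it from a host outside your network (for example `acme_preflight("dot5.ultraviolet.network", ["<your WAN IP>"])`), since a check from inside may succeed where Let's Encrypt's validation servers fail.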
An additional note on this: last year you probably saw the "50K+ FortiGates vulnerable to man in the middle attack!" headlines. This solves that issue; at this point you should have no reason for not generating a trusted, secure certificate for the FortiGate. You can even generate multiple certificates for different services provided by the FortiGate (SSL VPN, etc.).
Thank you for reading, I hope this helps.