UltraNote: Let's Encrypt certs in FortiOS 7.0.2
To stay sharp, I find myself rebuilding my lab from time to time. This latest run I did so with FortiOS 7.0.2. One of the first things I do is either import a trusted, CA-signed SSL cert into the device or use Let's Encrypt to generate one. You should be doing this as well: using self-signed or untrusted factory default certs opens you up to a man-in-the-middle attack, since your users (or you) have to click through the cert error, and once people are trained to click through, a forged cert looks exactly like the real one. Operationally, it also reduces the number of "I was trying to VPN, but I got an error..." calls. Point is, thou shalt not use untrusted certs.
At any rate, I digress. Seeing as FortiOS 7.0.x supports using Let's Encrypt from the FortiGate directly (HOORAY! Gone are the days of screwing with python scripts and APIs for this) I decided to generate my device cert from there.
One thing I noticed very quickly was that the cert name included (STAGING), and when I tried logging in I got "untrusted" errors. That left me puzzled until a colleague reminded me about the Let's Encrypt Staging environment, which lets you test without hitting the production rate limits (to make sure your ACME client / config is good) but issues certs that browsers and VPN clients do not trust. So I looked at the CLI and noticed that "set acme-ca-url" was set to Let's Encrypt's staging environment, "https://acme-staging-v02.api.letsencrypt.org/directory", whereas the production environment is "https://acme-v02.api.letsencrypt.org/directory". I am not going to speculate on how we got here, only that it appears the "default" URL for the ACME2 CA is pointing at the staging environment.
Great, now that we understand the problem, how do we work around it? The CLI!
Here's what you need to do to create the Let's Encrypt cert in the CLI:
config vpn certificate local
    edit "hostname"
        set enroll-protocol acme2
        set acme-ca-url "https://acme-v02.api.letsencrypt.org/directory"
        set acme-domain "host.domain.local"
        set acme-email "firstname.lastname@example.org"
    next
end
The key here is "set acme-ca-url": make sure it is set to the Let's Encrypt production URL, not the staging one. Also check the following parameters:
enroll-protocol: set this to acme2
acme-domain: the hostname (and subject name of the cert) you use to access the device. It must be a publicly resolvable FQDN that Let's Encrypt can validate; it will not issue for a placeholder like host.domain.local, so substitute your real name.
acme-email: the email address Let's Encrypt uses for expiry and account notifications, so make sure it's a monitored mailbox, not some spam bucket.
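Because the staging URL can end up in a config without anyone choosing it, it is worth auditing a config backup rather than trusting what the GUI shows. The following is an added example written for this post, not code from Fortinet or from the original article: a minimal, hypothetical parser for the "config vpn certificate local" section as it appears in a FortiOS config export, which reports every acme2-enrolled cert whose acme-ca-url is the Let's Encrypt staging directory (or is missing, meaning the device default applies). The sample config and the issuer strings in the test are constructed for the example; cert names and the domain are placeholders.

```python
"""Audit FortiOS 'config vpn certificate local' entries for the Let's Encrypt
staging ACME directory.

Added example, not from the original post or from Fortinet. The parser below is
a minimal hypothetical one that understands only the edit/set/next/end syntax
shown in a config export; it is not a full FortiOS config parser.
"""
import re

LE_PRODUCTION = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed sample config (not a real export): one non-ACME factory cert,
# one ACME cert pointed at staging, one at production, and one that relies
# on the device default because it never sets acme-ca-url.
SAMPLE_CONFIG = """\
config vpn certificate local
    edit "Fortinet_Factory"
        set password ENC XXXX
        set range global
    next
    edit "lab-fgt-staging"
        set enroll-protocol acme2
        set acme-ca-url "https://acme-staging-v02.api.letsencrypt.org/directory"
        set acme-domain "fgt.lab.example.org"
        set acme-email "admin@example.org"
    next
    edit "lab-fgt"
        set enroll-protocol acme2
        set acme-ca-url "https://acme-v02.api.letsencrypt.org/directory"
        set acme-domain "fgt.lab.example.org"
        set acme-email "admin@example.org"
    next
    edit "lab-fgt-default"
        set enroll-protocol acme2
        set acme-domain "fgt.lab.example.org"
        set acme-email "admin@example.org"
    next
end
"""

EDIT_RE = re.compile(r'^\s*edit\s+"([^"]+)"\s*$')
SET_RE = re.compile(r'^\s*set\s+(\S+)\s+(.*?)\s*$')


def parse_local_certs(config_text):
    """Return {cert_name: {setting: value}} for the 'config vpn certificate local' section."""
    certs = {}
    in_section = False
    current = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped == "config vpn certificate local":
            in_section = True
            continue
        if not in_section:
            continue
        if stripped == "end":          # end of the section we care about
            break
        m = EDIT_RE.match(line)
        if m:                          # start of one certificate entry
            current = m.group(1)
            certs[current] = {}
            continue
        if stripped == "next":         # end of that entry
            current = None
            continue
        m = SET_RE.match(line)
        if m and current is not None:
            certs[current][m.group(1)] = m.group(2).strip('"')
    return certs


def classify_acme_url(url):
    """Map an ACME directory URL to production / staging / other."""
    if url == LE_PRODUCTION:
        return "production"
    if url == LE_STAGING:
        return "staging"
    return "other"


def audit_acme_certs(config_text):
    """Return {name: 'production'|'staging'|'other'|'default'} for acme2 certs only.

    'default' means no acme-ca-url line was present, so whatever the firmware
    default is will be used; on the build discussed above that was staging.
    """
    result = {}
    for name, settings in parse_local_certs(config_text).items():
        if settings.get("enroll-protocol") != "acme2":
            continue
        url = settings.get("acme-ca-url")
        result[name] = "default" if url is None else classify_acme_url(url)
    return result


def is_staging_issuer(issuer):
    """True if an X.509 issuer string carries Let's Encrypt's '(STAGING)' marker,
    which is how staging intermediates and roots are named."""
    return "(STAGING)" in issuer


if __name__ == "__main__":
    for name, where in audit_acme_certs(SAMPLE_CONFIG).items():
        if where != "production":
            print(f"{name}: acme-ca-url is {where}; browsers will not trust the result")
```

Run it against a "show vpn certificate local" export (or "show full-configuration", which also prints defaulted values so the "default" case disappears). As a second, independent check once the cert is installed, inspect the issuer the device actually presents, for example with "openssl s_client -connect host:443 -servername host" piped to "openssl x509 -noout -issuer": a staging cert's issuer contains "(STAGING)", and is_staging_issuer() flags exactly that.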
NOTE: In testing via the CLI I noticed that the acme-ca-url was set correctly to the Let's Encrypt production environment, though to be certain I added the URL manually. After that was done, the cert generated from the production environment with no issues.
Thank you for reading, I hope this was helpful.