Let's Encrypt and FortiGate

Alby23
Gold Member
2016/12/13 00:57:56


Do you know if it's possible to use a Let's Encrypt-generated certificate on the FortiGate for the VPN portal?
#1
Iescudero
Silver Member
Re: Let's Encrypt and FortiGate 2016/12/13 02:35:47
Hello!
The answer is yes! Of course you can use any certificate you want; just be careful how you create the certificate, and the CA chain must be present. If the CA is present in the client's browser, then you'll be fine.
 
Bye!
#2
Alby23
Gold Member
Re: Let's Encrypt and FortiGate 2016/12/13 04:39:42
I'm talking specifically about Let's Encrypt. It's something different in the way you create the certificate (and of course the CA is trusted).
#3
Nils
Silver Member
Re: Let's Encrypt and FortiGate 2016/12/13 04:56:30
From my understanding, you just need to have a web server available when you create the certificate to verify ownership of the domain name/IP. Just create a CSR on the FortiGate first.
Then you'll get a regular certificate to import on your FortiGate?

#4
mhe
Gold Member
Re: Let's Encrypt and FortiGate 2016/12/13 05:12:14
No, I don't think that you can use LE certificates. You need their app on the device to use it. But you can use StartSSL.

FCNSP 2.5 - 5.0
#5
emnoc
Expert Member
Re: Let's Encrypt and FortiGate 2016/12/13 05:27:10
Mhe has it right.

Natively the answer is NO, but you have ways around this. Use a Linux distro, build a CSR/private key, sign the CSR, and then export and re-import it in the FortiGate.

Yes, any X.509-compatible certificate will work in a FortiGate, but the native means of "Let's Encrypt" make it not a 1-2-3 easy-do method.

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#6
NeilG
Silver Member
Re: Let's Encrypt and FortiGate 2016/12/13 14:58:20
The problem with the manual import is that you will be running the manual process probably 5 times a year, as Let's Encrypt issuance is 90 days.
"Our certificates are valid for 90 days. You can read about why here."
https://letsencrypt.org/docs/faq/
 
-N
#7
jtfinley
Gold Member
Re: Let's Encrypt and FortiGate 2016/12/13 15:29:06
So here's what I did using a Raspberry Pi, but it can be easily used on other platforms...

  1. Install letsencrypt (https://letsencrypt.org/getting-started) on a box with tcp/80 and tcp/443 open. (Raspberry Pi - used Certbot)
  2. Temporarily point a DNS A or CNAME record of your SSL VPN at the box (Raspberry Pi) you're going to run letsencrypt on.
  3. Once it pulls dependencies, run letsencrypt using the example below.
    1. ./certbot-auto certonly --standalone -d vpn.yoursite.com -d [
  4. Change DNS records if required by pointing your DNS A record back at your SSL VPN IP.
  5. Grab your PEMs from /etc/letsencrypt/live/vpn.yoursite.com (cert.pem & privkey.pem).
FortiGate:
  1. System -> Config -> Certificates -> Import -> Local Certificate. Set type to Certificate. For certificate choose cert.pem and for key choose privkey.pem.
  2. VPN -> SSL -> Settings. Change Server Certificate.
  3. Repeat the process every 90 days.
  4. Set up a cron job to renew it.
#8
emnoc
Expert Member
Re: Let's Encrypt and FortiGate 2016/12/13 18:42:39

The problem with the manual import is that you will be running the manual process probably 5 times a year as letsencrypt issuance is 90days.

 
Anything free has limits, restrictions, etc...
 
I use CAcert btw. The interface is small and password recovery is difficult at best sometimes. You get 6 months, and be advised most browsers still don't have the CAcert chain in trust, and you can craft client certificates with no add-on programs or other dependencies; just issue and paste a CSR.
 
 
 
Ken

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#9
BrainWaveCC
New Member
Re: Let's Encrypt and FortiGate 2017/10/24 08:59:01
Yes, you can use Let's Encrypt. For now, you have to do it manually, but I am investigating a way to do it semi-automated and I'll share it if it works.
#10
Psychodata
New Member
Re: Let's Encrypt and FortiGate 2018/01/22 13:16:09
For anyone finding this, I was able to load up CentOS 7 and use DNS verification.
 
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto -d vpn.domain.com  --manual --preferred-challenges dns certonly
 
It asks some questions, the end is below. 
 
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
-------------------------------------------------------------------------------
(Y)es/(N)o: Y
-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.vpn.domain.com with the following value:
hFBS2IaC5exxxxxxxxxxxxLptVhZRSBi2_DNxrJmiAZDor8
Before continuing, verify the record is deployed.
-------------------------------------------------------------------------------
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Obviously, before I pressed enter to continue, I hopped over to my DNS provider (in my case GoDaddy) and created the TXT record. I also switched to a different session on the box that I'm running certbot on and made sure I could resolve the verification text, since DNS may take a bit to propagate:
dig -t txt _acme-challenge.vpn.iplaybaby.com | grep "hFBS2IaC5exxxxxxxxxxxxLptVhZRSBi2_DNxrJmiAZDor8"
Then I switched back to my regular console and pressed enter; it verified and spat out my certs to /etc/letsencrypt/live/hostname/stuff.

SCP'd those certs down.

Popped up the FortiGate admin pane, System -> Certificates (I had to do System -> Feature Visibility -> Enable Certificates and save for this to show up) -> I did Import -> Local Certificate -> Certificate. I used the fullchain.pem (to be safe in case the FortiGate didn't trust the LE CA or whatever) and the privkey.
 
Then I just had to go to VPN -> SSL VPN Settings -> Change the certificate.

Et voila!

LE has some stuff around for setting up renewals too. My next venture will be seeing if I can figure out how to install the cert at the SSH of the FortiGate or something. On other Linux boxen I've done it by SCPing the cert to the host and then installing it. Thinking maybe I can do similar with the FortiGate.

Anywho, good luck, fellow interneters, and remember the wisdom of XKCD:

All long help threads should have a sticky globally-editable post at the top saying 'DEAR PEOPLE FROM THE FUTURE: Here's what we've figured out so far ...'

#11
Agent 1994
Silver Member
Re: Let's Encrypt and FortiGate 2018/01/23 05:09:49
The problem is that they need you to use their tool, certbot, and it won't run on FortiGate.
There's also a manual mode, but AFAIK you can't upload custom files either.

What would I do? I'd set up a virtual IP on 80/443 pointing to a server under your control, where you can run certbot. Once the VIP is active, I'd run certbot, get the certificate and then import it on the FortiGate.

The problem? You would have to do this every three months.

#12
emnoc
Expert Member
Re: Let's Encrypt and FortiGate 2018/01/23 07:29:45
I agree with agent1994 and that's exactly how we do it. We use a VIP that we stroke for the DNS check and then reuse that ip.addr for the SSL-termination point on a loopback.

It's a b#$#$@ that we have to do this, but we go through the process every 3 months and just take the SSL VPN down for 15 mins to re-import a certificate, but it works out very well for us.
 
Ken

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#13
Psychodata
New Member
Re: Let's Encrypt and FortiGate 2018/01/23 08:47:21
So I found and tested this method.
http://kb.fortinet.com/kb/documentLink.do?externalID=FD35074

Still working on it, but it looks like I can SSH to the FortiGate and apply the SSL cert this way.

Just gotta work out the part about running the commands in the SSH session and passing it the certificate.

#14
emnoc
Expert Member
Re: Let's Encrypt and FortiGate 2018/01/23 13:23:33
If you're this far, then you're golden and just need to build a script, add the PEM format and cat it into the FGT.

e.g. (my filename == LETENC)

config vpn certificate local
    edit fgtLetsEncrypt
        set private-key "-----BEGIN PRIVATE KEY-----...-----END PRIVATE KEY-----"
        set certificate "-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----"
end

and finally you run it:

cat LETENC | kfelix.socpuppets@1.1.1.1

This will copy the content into the local CERT store priv-key and x509-cert.
 
Ken
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
#15
emnoc
Expert Member
Re: Let's Encrypt and FortiGate 2018/01/23 13:26:28
TIP: Also make sure you use " " for the priv-key first and then the "cert". You can hack up the LETENC seed file with sed/awk whenever your certificate and key change, and repeat every 3 months or so.

I use this same approach above when mass-blasting free CAcert.org also, btw.
 
Ken
 
 

PCNSE,  NSE , Forcepoint ,  StrongSwan Specialist
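As an added example (not code from any poster in this thread), the following shell script renders the "config vpn certificate local" block emnoc describes in #15 and #16 straight from the privkey.pem and cert.pem that certbot leaves in /etc/letsencrypt/live/, so it can run from the cron job jtfinley's step 4 calls for instead of editing the seed file with sed/awk. The object name, file paths, the `next` keyword closing the edit, and the SSH target used for pushing are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the FortiOS CLI block that loads a
# PEM private key and certificate into the local certificate store, keeping the
# order the thread recommends (private-key first, then certificate).
# Assumptions: FortiOS accepts the syntax quoted in the thread; the object name,
# paths and SSH target are placeholders for your own environment.
set -eu

# Emit the CLI block for one local certificate object.
# $1 = object name, $2 = private key PEM file, $3 = certificate PEM file
build_fgt_cert_config() {
    name=$1 keyfile=$2 certfile=$3
    # Refuse to emit anything from an empty or truncated PEM file; a broken
    # key or certificate is better caught here than after it hits the firewall.
    grep -q -e 'END.*PRIVATE KEY-----' "$keyfile" ||
        { echo "not a PEM private key: $keyfile" >&2; return 1; }
    grep -q -e 'END CERTIFICATE-----' "$certfile" ||
        { echo "not a PEM certificate: $certfile" >&2; return 1; }
    printf 'config vpn certificate local\n'
    printf '    edit %s\n' "$name"
    # The quoted strings keep the PEM line breaks, as FortiOS shows them.
    printf '        set private-key "%s"\n' "$(cat "$keyfile")"
    printf '        set certificate "%s"\n' "$(cat "$certfile")"
    printf '    next\nend\n'
}

# Pipe a generated block into the FortiGate CLI over SSH (hypothetical
# target; defined for a renew hook, not run by the demo below).
push_fgt_cert_config() {
    build_fgt_cert_config "$1" "$2" "$3" | ssh "${FGT_SSH_TARGET:-admin@192.0.2.1}"
}

# Stand-alone demo using constructed placeholder PEM files (not real keys).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END PRIVATE KEY-----' > "$d/privkey.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$d/cert.pem"
    build_fgt_cert_config fgtLetsEncrypt "$d/privkey.pem" "$d/cert.pem"
    rm -rf "$d"
}
demo
```

Point the two file arguments at /etc/letsencrypt/live/<name>/privkey.pem and cert.pem (or fullchain.pem, as in #11) and call push_fgt_cert_config from a certbot renew hook to replace the manual re-import.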
#16
Infantryman
New Member
Re: Let's Encrypt and FortiGate 2018/01/25 16:50:35
Yes, it is. It is even possible with a self-signed certificate.
 
1- Go under: System --> Certificates then Import your certificate & CA.
2- Go under: VPN --> SSL --> Settings --> Connection Settings --> Server Certificate then choose the Let's Encrypt certificate.
 
#17
cookem
New Member
Re: Let's Encrypt and FortiGate 2018/04/25 10:18:12
Anyone have any luck creating a script for automated cert renewal?
#18
peter.wickenberg
New Member
Re: Let's Encrypt and FortiGate 2019/03/22 02:23:08
I solved it by setting up a reverse proxy using Traefik and Let's Encrypt to give me access to management and SSL VPN through the proxy. That way I get automatically updated certificates for both services by bouncing it on the inside, and I can't say it's affecting performance either.
#19
absmith
New Member
Re: Let's Encrypt and FortiGate 2019/05/08 19:28:44
I'm working on a Python script that will kick off after a certbot renewal and use the FortiOS API to upload the certificates and migrate the old certificate to the new one. I'll let you know how it goes. Also, since you can now use DNS validation and get wildcard certs, you no longer have to use a public-facing web server to do the certificate process; you just need internet access and API access to your DNS servers.
#20