Let's Encrypt and FortiGate | Fortinet Technical Discussion Forums

Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Helpful ReplyHot!Let's Encrypt and FortiGate

Page: < 1 2 Showing page 2 of 2

Author Post Essentials Only Full Version
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Let's Encrypt and FortiGate 2019/05/09 09:00:01 (permalink) 0 Yes that true , it made it a lot easier with certificate and applying the certs for multiple objects. Ken Felix PCNSE NSE StrongSwan #21
absmith New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2016/11/29 11:18:39 Status: offline Re: Let's Encrypt and FortiGate 2019/07/01 10:19:17 (permalink) 0 So I have the functionality in the script to upload the certificate and private-key however, Fortigate functionality doesn't let you overwrite the current certificate, and even if it did you would have to remove and then re-add ssl functionality to the specific service if you are overwriting the certificate. Since this is the case, I'm going to also have to write functionality to change the certificates of rules, VPN portals, Virtual servers, either into the same script or into a separate script. Let me know if anyone is interested so far. post edited by absmith - 2019/07/01 10:21:08 #22
cookem New Member Total Posts : 2 Scores: 0 Reward points: 0 Joined: 2018/04/25 09:46:57 Status: offline Re: Let's Encrypt and FortiGate 2019/07/01 10:23:19 (permalink) 0 sounds cool....can I get a copy of what you have so far? #23
Keith Nelson New Member Total Posts : 1 Scores: 0 Reward points: 0 Joined: 2019/06/20 19:09:37 Status: offline Re: Let's Encrypt and FortiGate 2019/07/01 11:11:53 (permalink) 0 adam_smith@sundance.org So I have the functionality in the script to upload the certificate and private-key however, Fortigate functionality doesn't let you overwrite the current certificate, and even if it did you would have to remove and then re-add ssl functionality to the specific service if you are overwriting the certificate. Since this is the case, I'm going to also have to write functionality to change the certificates of rules, VPN portals, Virtual servers, either into the same script or into a separate script. Let me know if anyone is interested so far. I would be interested in the script. I have been trying to figure this out for awhile but im not much of a scripter. You would think this would be an API they would have given all the rage of DevOPs these days. #24
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Let's Encrypt and FortiGate 2019/07/01 13:25:13 (permalink) 0 1: upload the new cert and then change the useage to the new cert 2: delete the old certificate PCNSE NSE StrongSwan #25
absmith New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2016/11/29 11:18:39 Status: offline Re: Let's Encrypt and FortiGate 2019/07/18 11:30:01 (permalink) 0 there doesn't seem to be a way for me to put the file here but I am planning to put it up on github so that as it evolves people can get the latest versions. I also am planning on releasing it with an apache v2 license, so don't worry about changing it for your own purposes and any contributions/suggestions would help. Sorry for taking so long to post it. I was trying to add a config file functionality that is present in the code but is not fully working yet. However all the command line options all work. This is a python script and relies on fortiosapi so you will have to use that. It was written with python3 in mind so it may or may not be reverse compatible with python2. I actually think that it won't be reverse compatible because of the configuration file library I used changed the syntax for the library name when it moved over to python3. With that in mind here is what I have currently. I am also planning on making it compatible with pypi so you can just do a pip install, but that isn't all in place yet. I'll post the link as soon as I get it on github. #26
absmith New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2016/11/29 11:18:39 Status: offline Re: Let's Encrypt and FortiGate 2019/07/26 09:47:57 (permalink) 0 Here is the github-repo for the current version, it's still a bit early but it does work. The --help feature should give you all the parameters required. I'm trying to write it to have a config file as well so that you don't need to write the whole command every time, the beginning framework is there for this in the script but is not fully tested yet so I suggest using the cli commands. Also this works with either password or API-Key authentication. Let me know if things aren't working for you. https://github.com/absmith82/fortitools post edited by absmith - 2019/08/02 13:47:51 #27
lubyou Bronze Member Total Posts : 37 Scores: 4 Reward points: 0 Joined: 2011/01/05 00:57:21 Status: offline Re: Let's Encrypt and FortiGate 2019/09/22 04:20:05 (permalink) 0 Fortinet could just add support for LetsEncrypt into FortiOS, the ACME protocol is open source and anybody can write a client for it. Apart from that, Fortinet already uses python in FortiOS, they could use certbot... #28
absmith New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2016/11/29 11:18:39 Status: offline Re: Let's Encrypt and FortiGate 2019/09/23 14:28:46 (permalink) 0 I agree that would be ideal, however, that isn't currently the case, and as far as I can tell fortios doesn't allow you to access the python shell/ecosystem so in the meantime we have to work with the tools they allow us to. #29
nbctcp Silver Member Total Posts : 101 Scores: 4 Reward points: 0 Joined: 2015/03/05 04:48:26 Location: Indonesia Status: offline Re: Let's Encrypt and FortiGate 2019/12/03 23:39:42 (permalink) 0 https://www.loggly.com/blog/benchmarking-5-popular-load-balancers-nginx-haproxy-envoy-traefik-and-alb/ comparing traefik with others I never try your idea. I believe it will work with GUI but how about SSL VPN. Have you tried? I like your idea because I can use cron to renew every 90d * /8 * * certbot renew --post-hook "systemctl reload nginx" I don't know which way is better and easier. 1. using reverse proxy 2. create a script like emnoc said 3. update cert using this method https://kb.fortinet.com/kb/documentLink.do?externalID=FD35074 4. https://github.com/absmith82/fortitools tq peter.wickenberg I solved it by setting up a reverse proxy using Traefik and Letsencrypt to give me access to mgmt and SSL VPN through the proxy, that way I get automatically updated certificates for both services by bouncing it on the inside, can't say it's affecting performance either. http://goo.gl/lhQjmU http://nbctcp.wordpress.com #30
Ebuic New Member Total Posts : 1 Scores: 0 Reward points: 0 Joined: 2019/12/06 07:19:29 Status: offline Re: Let's Encrypt and FortiGate 2019/12/06 07:35:07 (permalink) 0 If anyone is still looking or in need for the Letsencrypt solution for fortigate here is a working process ( was testing it for the past few weeks ) A linux VM ( CentOS 7 or 8 ) for the certbot installation and the scripts downloaded from here ( https://github.com/gdoornenbal/dehydrated-certificate-installers ) not my repository, just sharing some great work. also if you have a hosting that is usping Cpanel, you can download this plugin so you don't need to add/remove TXT entry every time you need to issue or renew a certificate ( https://github.com/badjware/certbot-dns-cpanel ) there are also plugins for cloudflare ( https://github.com/certbot/certbot/tree/master/certbot-dns-cloudflare ) as a side note, you can split the shell script in 2 parts, one for the HTTP acces the other for the VPN, if you do so, you will need to edit this part of the script: set livecertdate [exec echo \| openssl s_client -showcerts -connect $host:$sslport 2>/dev/null \| openssl x509 -noout -enddate \| cut -d = -f 2 ] into this set livecertdate [exec echo \| openssl s_client -showcerts -connect $host:$sslport 2>/dev/null \| openssl x509 -enddate -nooout -in cert.pem \| cut -d = -f 2 ] when everything is ready, just setup the cronjob for the renews and you're done. as a bonus and extra precaution you can install the cockpit package for web access to the VM and a 2FA via google authentificator whick you can setup for both SSH and cockpit access. if someone needs help or a better clarification, just drop me a PM #31
absmith New Member Total Posts : 7 Scores: 0 Reward points: 0 Joined: 2016/11/29 11:18:39 Status: offline Re: Let's Encrypt and FortiGate 2020/05/15 21:19:16 (permalink) 0 update for https://github.com/absmith82/fortitools This now includes a python script for changing the certs in SSLVPN, AdminUI, User authentication?, and VIP/VIP6 (virtual servers). still needs work on deleting old certs. but can be put in post deploy scripts to upload to fortigates. #32
NeilG Silver Member Total Posts : 99 Scores: 4 Reward points: 0 Joined: 2014/03/04 11:00:39 Status: offline Re: Let's Encrypt and FortiGate 2021/03/11 18:05:02 (permalink) 0 I wonder if the Fortigate could use an Automation/Stitch to self-renew the Lets Encrypt cert every 50 days or so... #33
emnoc Expert Member Total Posts : 6055 Scores: 404 Reward points: 0 Joined: 2008/03/20 13:30:33 Location: AUSTIN TX AREA Status: offline Re: Let's Encrypt and FortiGate 2021/03/11 21:50:52 (permalink) 0 That would be cool but you gave me an ideal, maybe you could craft the cert and uploaded it via the API. Just use the same key when you make the new CSR. Ken Felix PCNSE NSE StrongSwan #34
NeilG Silver Member Total Posts : 99 Scores: 4 Reward points: 0 Joined: 2014/03/04 11:00:39 Status: offline Re: Let's Encrypt and FortiGate 2021/03/12 12:49:59 (permalink) 0 It looks like Stitch/Automation supports AWS Lamba or Azure Functions as actions with time based trigger .. so if I read that right then could have a Stitch call an Azure Function every X days that renews the cert file, then validates the file. What I don't know is if the Azure Function or AWS Lamba coud return the cert through directly or if it would have to place the cert file in a location. Optimally, once the Stitch that calls the AzFunction/AWSLamba finishes another "Action" would run that runs a Cli_Script on the fortigate that would then import the renewed Let's encrypt cert, then update the firewall SSL cert + SSLVPN cert + etc AND would log success/failure into the system event logs // Edit ..it looks like you would need to use the generic Webhook action to get results if your goal was to have the firewall "pull" everything (vs. having the AzFunction/AWSLamba "push" into your firewall from the public cloud using firewall API calls) So far the real problem I see is that the info on "Chaining Stitches" is missing, the section on it only talks about delays. https://docs.fortinet.com/document/fortigate/latest/administration-guide/137181/chaining-and-delaying-actions // Edit BTW - here are some quick results for starting points on AzFunction or AWSLambda GitHub - MarcStan/lets-encrypt-azure: Azure function based Let's Encrypt automation for Azure CDN & app services Let's Encrypt SSL Certificate to Azure Functions - Microsoft Tech Community Free SSL certificates with Certbot in AWS Lambda - Vittorio Nardone post edited by NeilG - 2021/03/12 13:02:29 #35
TecnetRuss Bronze Member Total Posts : 45 Scores: 14 Reward points: 0 Joined: 2017/02/27 13:14:44 Status: offline Re: Let's Encrypt and FortiGate 2021/04/05 13:39:01 (permalink) 0 Just updating this thread to mention that ACME/LetsEncrypt functionality is now built into FortiOS 7.0. New Features \| FortiGate / FortiOS 7.0.0 \| Fortinet Documentation Library Russ NSE7 #36
LiuKangming_FTNT New Member Total Posts : 1 Scores: 0 Reward points: 0 Joined: 2018/09/17 18:55:22 Status: offline Re: Let's Encrypt and FortiGate 2021/04/07 12:00:21 (permalink) 0 V7.0 already supports "Let's Encrypt", you can try it. https://docs.fortinet.com/document/fortigate/7.0.0/new-features/822087/acme-certificate-support #37

Page: < 1 2 Showing page 2 of 2

Jump to:

© 2021 APG vNext Commercial Version 5.5