Anyone in IT who has dealt with certificates knows they can be a pain to manage. Keeping on top of expiration dates and renewing every certificate in time is a challenge, and there have been plenty of cases of large companies and organizations accidentally letting a certificate expire. When a certificate expires, things break: websites get flagged as not secure and browsers throw up warnings, and depending on what the certificate was protecting, the fallout can be much worse. For example, look at this list of five major issues caused by expired certificates. Setting certificates up to renew automatically largely removes human error from the renewal process and makes life much easier. Version 7.0 of FortiOS for FortiGate firewalls adds support for the Automated Certificate Management Environment (ACME) protocol, and this post walks through setting that up to obtain and auto-renew Let's Encrypt certificates.
Let's Encrypt Certificate and FortiOS Version 7.0
If you aren't familiar with Let's Encrypt, it is a non-profit certificate authority that issues free, publicly trusted certificates. Its certificates are valid for only 90 days. That short lifetime strongly encourages anyone using Let's Encrypt to automate renewal, and Let's Encrypt is built around exactly that: certificates are requested, validated and renewed over the ACME protocol rather than by hand.
That's where FortiOS 7.0 comes in. New versions of firmware add features all the time, but it's been a while since I've actually been excited for a new feature in a version upgrade. When I heard that FortiOS 7.0 let you set up auto-renewing Let's Encrypt certificates using ACME, I was excited, because this saves both time and money for our clients and makes things easier for us at iuvo Technologies.
Upgrading to FortiOS Version 7.0.1 and Setting Up Your FortiGate to Request a Let's Encrypt Certificate
(DO NOT upgrade to 7.0.2 - 7.0.1 is the current recommended version as of 12/9/21)
General wisdom on FortiOS upgrades is not to upgrade to .0 releases in production, so even though this new feature was added in the 7.0 release, I had been waiting for a point release before upgrading. After one of my coworkers rolled out FortiOS 7.0.1 in a new deployment without any issues, it was time to deploy it for an existing FortiGate. First, I had to upgrade FortiOS.
***Please note that there is a bug in FortiOS version 7.0.2 that causes issues with getting the correct type of Let's Encrypt certificate, so as of 12/9/21 the recommendation is to upgrade FortiOS to 7.0.1. If a firmware version later than 7.0.2 is available, confirm that this bug has been fixed in it before upgrading.***
With FortiGates it is very important to follow the recommended FortiOS upgrade path. In other words, do not upgrade directly to 7.0.1 unless that is the advised path from the version you are on. The FortiGate GUI shows an upgrade path (under System -> Firmware), and Fortinet also publishes an Upgrade Path Tool on its documentation site. I advise checking the upgrade path both on the FortiGate itself and with the Upgrade Path Tool, and following whichever one gives you the more detailed path (the one with more intermediate steps). Again, do not skip versions of FortiOS; I have heard of that causing problems.
As with upgrading any firewall, always back up the configuration before upgrading, and keep a copy of the firmware image you are currently running in case you need to roll back. Obtain management approval and plan the upgrade for a time when it will not be disruptive. Make sure you are ready to restore the firewall's configuration if needed, which likely means you will need physical or serial-console access to the FortiGate.
After you've upgraded to FortiOS 7.0.1, make sure public DNS has an A record for the hostname you want on the Let's Encrypt certificate, and that it resolves to the outside (WAN) IP address of the FortiGate. Let's Encrypt validates the request with an HTTP challenge, so it must be able to reach the FortiGate on TCP port 80 at that name; check the record from a public resolver rather than from inside your network, where split-horizon DNS can hide a mistake. Once you are sure DNS is correct, follow Fortinet's official setup documentation on ACME certificate support and Let's Encrypt to get your certificate. I also found this handy blog by Matt Sherif that covers the process. Once you've verified that you meet the requirements listed, setting it up is a snap. Another very helpful general resource for Fortinet support is the FortiNet subreddit.
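Pulling the steps above together at the FortiOS CLI, as an added example that is not from the original post or from Fortinet's documentation. The interface name wan1, the TFTP server 192.0.2.10, the hostname vpn.example.com, the contact address admin@example.com and the certificate name LE-vpn are placeholders; the acme-* option names are the FortiOS 7.0 CLI names as I know them, and the values shown for the optional ones are what I believe the defaults to be, so confirm them with `?` help on your build before relying on them.

```fortios
# Added example (not from the original post or Fortinet's docs).
# Placeholders: wan1, 192.0.2.10, vpn.example.com, admin@example.com, LE-vpn.

# 1. Back up the running configuration before touching firmware.
execute backup config tftp fgt-pre-upgrade.conf 192.0.2.10

# 2. After the upgrade, confirm you landed on the intended build (7.0.1).
get system status

# 3. Tell the ACME client which interface answers Let's Encrypt's HTTP challenge.
#    This must be the interface holding the public IP that the DNS record points at,
#    and TCP port 80 on it must be reachable from the Internet.
config system acme
    set interface "wan1"
end

# 4. Request the certificate. enroll-protocol acme2 makes this an ACME (Let's Encrypt)
#    certificate that FortiOS renews on its own. The last three settings are optional;
#    the values shown are what I believe the defaults to be.
config vpn certificate local
    edit "LE-vpn"
        set enroll-protocol acme2
        set acme-domain "vpn.example.com"
        set acme-email "admin@example.com"
        set acme-ca-url "https://acme-v02.api.letsencrypt.org/directory"
        set acme-rsa-key-size 2048
        set acme-renew-window 30
    next
end

# 5. Bind the certificate to the service that needs it, e.g. SSL VPN.
config vpn ssl settings
    set servercert "LE-vpn"
end
```

If you want to test the DNS and port-80 plumbing without burning Let's Encrypt's production rate limits, point acme-ca-url at the staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) first; staging certificates are not publicly trusted, so switch back to the production URL once the challenge succeeds.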
If you need further assistance with auto-renewal of the Let’s Encrypt certificate, please contact iuvo today!