Instead of uploading a certificate from your local directory, an easier option is to configure FortiWeb to obtain a certificate issued by the Let's Encrypt CA on your behalf.
Before adding a Let's Encrypt certificate, make sure that:
- HTTP service is enabled and listens on port 80. Let's Encrypt proves that you control the domain name with the ACME HTTP-01 challenge, which sends plain HTTP requests for that domain to FortiWeb on port 80, so the domain's DNS record must already resolve to an address that reaches FortiWeb.
- If you have configured a CAA record for the domain at your DNS service, it includes an issue entry for "letsencrypt.org". Without it, Let's Encrypt refuses to issue certificates for the domain. If the domain has no CAA record at all, any CA may issue and nothing needs to change.
- Requests from the United States are not blocked in IP Protection > Geo IP Block; otherwise FortiWeb cannot complete certificate retrieval from Let's Encrypt.
- The server health check status is OK. If it is not, disable health check first so that it does not interrupt certificate retrieval. After the certificate is successfully retrieved, re-enable health check and troubleshoot the server connection issue.
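The CAA prerequisite is the one most often overlooked, because a record set up for another CA silently blocks Let's Encrypt. The following pre-flight check is an added example, not FortiWeb or Let's Encrypt code: it applies the RFC 8659 rules a CA follows (walk from the name toward the root to find the governing CAA RRset, prefer issuewild for wildcard names, honour the critical flag) to a constructed zone so that it runs offline. The zone contents, the domain names and the function names are assumptions for illustration; replace caa_lookup() with a real DNS query (for example the output of `dig +short CAA <name>`) to test live records.

```python
"""CAA pre-flight check for the Let's Encrypt prerequisite above (added example)."""
from __future__ import annotations

CRITICAL_FLAG = 128                       # RFC 8659 "Issuer Critical" bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA data: name -> [(flags, tag, value), ...].
# Names with no entry (and no entry at any parent) have no CAA records.
CONSTRUCTED_ZONE: dict[str, list[tuple[int, str, str]]] = {
    "example.com": [
        (0, "issue", "letsencrypt.org; validationmethods=http-01"),
        (0, "issuewild", ";"),            # no CA may issue wildcard certs
    ],
    "locked.example.net": [
        (0, "issue", "digicert.com"),
        (128, "iodef", "mailto:security@example.net"),
    ],
    "strict.example.net": [
        (128, "futuretag", "x"),          # critical tag a CA does not understand
    ],
}


def caa_lookup(name: str) -> list[tuple[int, str, str]]:
    """CAA RRset for exactly this name. Stand-in for a DNS query."""
    return CONSTRUCTED_ZONE.get(name.lower(), [])


def relevant_caa(name: str) -> tuple[str | None, list[tuple[int, str, str]]]:
    """RFC 8659 section 3: the first name, walking from `name` toward the
    root, that has a CAA RRset is the one that governs issuance."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = caa_lookup(candidate)
        if rrset:
            return candidate, rrset
    return None, []


def issuer_of(value: str) -> str:
    """'letsencrypt.org; validationmethods=http-01' -> 'letsencrypt.org';
    the bare value ';' -> '' (meaning: no issuer at all)."""
    return value.split(";", 1)[0].strip().lower()


def ca_may_issue(domain: str, ca: str = "letsencrypt.org") -> tuple[bool, str]:
    """Return (allowed, reason) for `ca` issuing a certificate for `domain`."""
    wildcard = domain.startswith("*.")
    lookup_name = domain[2:] if wildcard else domain
    governing, rrset = relevant_caa(lookup_name)
    if governing is None:
        return True, f"{domain}: no CAA records at any level; any CA may issue"

    # A critical property the CA does not understand forbids issuance.
    for flags, tag, _ in rrset:
        if flags & CRITICAL_FLAG and tag.lower() not in KNOWN_TAGS:
            return False, f"{governing}: critical CAA tag '{tag}' is not understood"

    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, f"{governing}: CAA present but no issue/issuewild tag applies"

    allowed = {issuer_of(v) for v in applicable}
    if ca.lower() in allowed:
        return True, f"{governing}: {ca} is an authorised issuer"
    named = sorted(a for a in allowed if a) or ["(none)"]
    return False, f"{governing}: {ca} not authorised; permitted issuers: {', '.join(named)}"


if __name__ == "__main__":
    for name in ("www.example.com", "*.example.com", "locked.example.net",
                 "strict.example.net", "open.example.org"):
        ok, why = ca_may_issue(name)
        print(f"{'OK  ' if ok else 'FAIL'} {why}")
```

Run it before clicking Issue: a FAIL line for your domain means the CAA record, not FortiWeb, is what will stop issuance, and the reason tells you which name in the tree carries the governing record.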
To obtain a certificate issued by Let's Encrypt:
To access this part of the web UI, your administrator account's access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.
- Go to Server Objects > Certificates > Letsencrypt.
- Enter a name for this certificate.
- Enter the domain name of your application, exactly as clients will request it. FortiWeb then retrieves a certificate for this domain from Let's Encrypt.
- Click OK.
Retrieving the certificate
FortiWeb obtains a TLS certificate on your behalf from Let's Encrypt and uses it for HTTPS connections with clients, to encrypt and decrypt the traffic. If FortiWeb fails to retrieve the certificate, it retries every 2 hours for the first 3 days, then once a day until the certificate is successfully retrieved.
You can also retrieve the certificate manually by clicking Issue; retrieval starts immediately.
Note that Let's Encrypt allows only 5 failed authorizations per hour for each hostname and account. FortiWeb's automatic retries (at most once every 2 hours) stay within this limit, but clicking Issue repeatedly while validation is failing does not. If the following error message displays, the limit has been reached: fix the cause of the failed validation (typically one of the prerequisites above) and wait for the hour to pass before retrying.
"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"
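Because every failed attempt counts against the hourly limit, it helps to know before clicking Issue whether another failure would lock the hostname out. The guard below is an added example, not FortiWeb code: it keeps a rolling one-hour window of failed authorizations per (account, hostname), mirroring the limit quoted above, and recognises the ACME error text shown above. The class name, the account label and the timestamps in the usage are constructed for illustration.

```python
"""Client-side guard for the Let's Encrypt failed-validation limit (added example)."""
from __future__ import annotations

from collections import defaultdict, deque

FAILURE_LIMIT = 5          # failed authorizations allowed ...
WINDOW_SECONDS = 3600      # ... per rolling hour, per account and hostname
RATE_LIMIT_MARKER = "too many failed authorizations recently"


class FailedAuthGuard:
    """Sliding-window counter of failed ACME authorizations."""

    def __init__(self, limit: int = FAILURE_LIMIT, window: int = WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._failures: dict[tuple[str, str], deque] = defaultdict(deque)

    def _window(self, account: str, hostname: str, now: float) -> deque:
        """Drop failures older than the window and return the rest."""
        q = self._failures[(account, hostname)]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def record_failure(self, account: str, hostname: str, now: float) -> None:
        """Call this each time an order for `hostname` fails validation."""
        self._window(account, hostname, now).append(now)

    def seconds_until_allowed(self, account: str, hostname: str, now: float) -> float:
        """0 when another attempt is still within the limit; otherwise the
        time until the oldest failure ages out of the rolling hour."""
        q = self._window(account, hostname, now)
        if len(q) < self.limit:
            return 0
        return self.window - (now - q[0])


def is_rate_limit_error(acme_error_detail: str) -> bool:
    """True for the ACME error text quoted above; False for other failures,
    such as a challenge the CA could not validate."""
    return RATE_LIMIT_MARKER in acme_error_detail


if __name__ == "__main__":
    # Constructed timeline: five failed attempts one minute apart.
    guard = FailedAuthGuard()
    for t in (0, 60, 120, 180, 240):
        guard.record_failure("fortiweb-account", "www.example.com", t)
    wait = guard.seconds_until_allowed("fortiweb-account", "www.example.com", 300)
    print(f"wait {wait:.0f}s before the next attempt")   # 3300s: the first failure ages out at t=3600
    detail = '"detail": "Error creating new order :: too many failed authorizations recently"'
    print("rate limited" if is_rate_limit_error(detail) else "other failure")
```

The useful property is that the count is keyed by hostname as well as account: a lockout on www.example.com does not stop you from issuing for a different hostname on the same FortiWeb, and fixing the underlying validation problem (port 80, CAA, Geo IP) is still the only way to make the next attempt succeed.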
Renewing the certificate
Let's Encrypt certificates are valid for 90 days. 5 days before the certificate expires, FortiWeb renews it for another 90 days, so it never expires as long as renewal succeeds. Renewal goes through the same validation as the initial retrieval, so the prerequisites above must still be met.
To delete the certificate from FortiWeb, click the Revoke button.
After the certificate is successfully retrieved, you can reference it in the Server Policy settings.
In HA deployments, only active-passive mode supports Let's Encrypt certificates.