Administration Guide

Let's Encrypt certificates

Instead of uploading a CA certificate from your local directory, an easier way is to configure FortiWeb to obtain a CA certificate from Let's Encrypt on your behalf.

Before adding a Let's Encrypt CA certificate:
  • You must change the DNS entry to map your domain name to FortiWeb's IP address.
  • You should not block requests from the United States in IP Protection > Geo IP Block; otherwise FortiWeb can't retrieve certificates from Let's Encrypt.

To use a CA certificate issued by Let's Encrypt:

To access this part of the web UI, your administrator's account access profile must have Read and Write permission to items in the Admin Users category. For details, see Permissions.

  1. Go to Server Objects > Certificates > Letsencrypt.
  2. Enter a name for this certificate.
  3. Enter the domain name of your application. FortiWeb will then retrieve the CA certificate for this domain from Let's Encrypt.
    A Let's Encrypt certificate supports up to 11 domains. One of them should be the root domain, and the other 10 should all belong to that root domain.
    It's recommended to enter the root domain here, then add the remaining domains in the steps below.
  4. Set the Renew Period. It specifies how soon FortiWeb obtains the SSL certificate from Let’s Encrypt. The valid range is 1-60 days.
  5. Click OK.
  6. Click Create New.
  7. Enter domain names. Up to 10 items can be added, and they should all belong to the same domain.
  8. Click OK.
  9. Repeat the steps above to add more domains.
  10. Let's Encrypt sends HTTP requests to FortiWeb to validate ownership of the domain names, so port 80 must be enabled. Perform the following:
    1. In RP (Reverse Proxy) mode, make sure to select the HTTP service when configuring the server policy. "Redirect HTTP to HTTPS" should not be enabled while the validation is in process.
    2. In TTP (True Transparent Proxy) mode, the back-end server that uses the Let's Encrypt certificate should have port 80 enabled.
  11. Reference the Let's Encrypt certificate:
    1. In RP mode, reference it in the server policy (see Configuring a server policy), or reference it through an SNI (see Let's Encrypt certificates) in the server policy.
    2. In TTP mode, reference it in the back-end server, or reference it through an SNI (see Let's Encrypt certificates) when adding a back-end server. The back-end server should be in the server pool that is referenced in the desired server policy.
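
The prerequisites above (DNS pointing at FortiWeb, port 80 reachable, no HTTP-to-HTTPS redirect during validation) can be checked from an outside host before clicking Issue. The script below is an added example, not Fortinet code; the domain, the IP address and the probe file name are constructed placeholders, and the IP is assumed to be the public address that DNS should return for FortiWeb.

```python
import http.client
import socket

# Probe path under the prefix used for HTTP-01 validation (RFC 8555, section 8.3).
CHALLENGE_PATH = "/.well-known/acme-challenge/preflight-probe"


def resolve_ipv4(domain):
    """Return the set of IPv4 addresses the domain currently resolves to."""
    return set(socket.gethostbyname_ex(domain)[2])


def fetch_port80(domain, path=CHALLENGE_PATH, timeout=5):
    """Plain-HTTP GET on port 80 without following redirects: (status, Location)."""
    conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location", "")
    finally:
        conn.close()


def preflight(domain, fortiweb_ip, resolve=resolve_ipv4, fetch=fetch_port80):
    """Return a list of problems that would make domain validation fail."""
    problems = []
    try:
        addrs = resolve(domain)
    except OSError as exc:
        return [f"{domain}: DNS lookup failed ({exc})"]
    if fortiweb_ip not in addrs:
        problems.append(f"{domain}: resolves to {sorted(addrs)}, not {fortiweb_ip}")
    try:
        status, location = fetch(domain)
    except (OSError, http.client.HTTPException) as exc:
        problems.append(f"{domain}: port 80 unreachable ({exc})")
        return problems
    # A 404 is fine here: it shows port 80 answers and the probe file simply does not exist.
    if 300 <= status < 400 and location.lower().startswith("https://"):
        problems.append(f"{domain}: port 80 redirects to HTTPS ({location})")
    return problems


if __name__ == "__main__":
    # Constructed values: replace with your domain and FortiWeb's public IP.
    for issue in preflight("www.example.com", "203.0.113.10"):
        print(issue)
```

Run it once for every domain added to the certificate; an empty result means none of the three prerequisites is violated for that name.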

FortiWeb obtains an SSL certificate on your behalf from Let’s Encrypt and uses it for the HTTPS connections with the client to encrypt or decrypt the traffic. If FortiWeb fails to obtain the certificate, it will try again every 2 hours until the certificate is successfully obtained.

You can also manually obtain the certificate by clicking the Issue button. FortiWeb will obtain the certificate immediately.
Please note that Let's Encrypt allows only 5 failed attempts to obtain a certificate per hour for each hostname and account. If the following error message displays, it means you have attempted to retrieve the certificate too frequently.

"type": "urn:ietf:params:acme:error:rateLimited",

"detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/"

Renewing the Let's Encrypt certificate

5 days before your Let's Encrypt certificate expires, FortiWeb renews it for another 90 days, so it never expires.

To delete the certificate from FortiWeb, click the Revoke button.

After the certificate is successfully retrieved, you can reference it in the Server Policy settings.

In HA deployments, only active-passive mode supports Let's Encrypt certificates.
