Description
This article describes how to force FortiGate to fall back to port 80 for the ACME certificate assignment.

Scope
A VIP on TCP port 443 that uses the same public IP as the one the ACME certificate domain resolves to.

Solution
By default, when using ACME, the challenge is sent via TCP port 443. If a VIP is in use on this port, the incoming ACME challenge is processed by the VIP rather than by the system/ACME daemon, and the process therefore fails. This problem can produce debug output such as the following error:

Cannot negotiate ALPN protocol "acme-tls/1" for tls-alpn-01 challenge

However, if TCP port 443 is already in use by a process on the FortiGate itself (for example, the HTTPS administration daemon or the SSL VPN daemon), the ACME daemon falls back to port 80 for the challenge. One way to achieve this with minimal impact is to set the FortiGate's system telnet port to 443, as telnet is not typically used by administrators. This can be configured by navigating to System -> Settings in the GUI:
Make sure that telnet is not allowed on any interface of the FortiGate for administration unless it is desired. Note that:
To achieve this configuration using the CLI:
config system global
    set admin-telnet enable
    set admin-telnet-port 443
end
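As an added example that is not part of the original article, the same port change combined with the interface check from the note above; the public-facing interface name "wan1" is an assumption:

```fortios
# Move the telnet daemon to TCP 443 so the ACME daemon sees the port as
# taken and falls back to port 80 for the challenge.
config system global
    set admin-telnet enable
    set admin-telnet-port 443
end

# Keep telnet out of the administrative access list of the public-facing
# interface (the name "wan1" is an assumption). Only the services actually
# needed for administration are listed; telnet is deliberately absent.
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end

# Verify the resulting settings.
get system global | grep admin-telnet
show system interface wan1
```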
Copyright 2024 Fortinet, Inc. All Rights Reserved.