terraform-provider-fortios
Create Let's Encrypt certificates
Hi, is there any way to create Let's Encrypt certificates?
I didn't see it in the documentation.
Thanks!
Hi @ichasco-heytrade,
Thank you for raising this issue. Here are documentation links that relate to Let's Encrypt:
https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/822087/acme-certificate-support
https://docs.fortinet.com/document/fortigate/7.0.2/administration-guide/825073/procuring-and-importing-a-signed-ssl-certificate
Please let me know if you have any questions.
Thanks, Xing
I think it is how to create it with Terraform?!
Yes, my question is related to Terraform :)
Hi @ichasco-heytrade,
Sorry for the late response, and Happy New Year! The corresponding API is api/v2/monitor/vpn-certificate/local/import. This API is a monitor API, and we do not have resources for monitor APIs. We usually recommend that users use the generic resource for monitor APIs. But there are some issues with creating a Let's Encrypt certificate using this API. We have created an internal ticket for this issue, and will work with the REST API team to find a solution.
Before that, you could use the resource fortios_system_autoscript to implement it based on CLI configuration.
For example:
```hcl
resource "fortios_system_autoscript" "auto" {
  interval    = 1
  name        = "myscript"
  output_size = 10
  repeat      = 1 # run the script once
  # FortiOS CLI commands executed by the auto-script
  script      = <<EOF
config global
config system acme
set interface port6
end
config certificate local
edit acme-test
set enroll-protocol acme2
set acme-domain test.ftntlab.de
set acme-email [email protected]
next
y
end
end
EOF
  start       = "auto"
}
```
Please let me know if you have any questions.
Thanks, Xing
Hi, thanks. I could do it with:
```hcl
resource "fortios_system_autoscript" "auto" {
  interval    = 1
  name        = "myscript"
  output_size = 10
  repeat      = 1 # run the script once
  # FortiOS CLI commands executed by the auto-script
  script      = <<EOF
config system acme
set interface "port1"
end
config vpn certificate local
edit vpn.example.com
set enroll-protocol acme2
set acme-domain vpn.example.com
set acme-email [email protected]
next
y
end
EOF
  start       = "auto"
}
```
The problem I get now is that the certificate is not valid. (Forti has validated it, but the browser tells me that it is an insecure certificate.)