Let's Encrypt Cert Renewal Behind Spectrum Router

I have a Fortigate firewall with a static public IP address. Unfortunately, this static IP address is provided by Spectrum. This site is using Spectrum’s coax network, so to be able to use my Static IP I have to connect my Fortigate firewall to their router.

I was able to get the initial certificate issued by Let’s Encrypt on the Fortigate, after port forwarding some ports from the Spectrum router to the Fortigate. Unfortunately, the renewal process is not succeeding. I’ve been trying to find what’s different about the automatic renewal process compared to when I initially request the cert but have been unable to find what’s different about them.

If anyone knows what ports I need to forward or where to find the Let’s Encrypt documentation on the renewal process I would appreciate it.

Depends on the request method. How did you originally request a cert? HTTP, DNS, or did you use the Cloudflare API or a different API?

In general, though, you should be able to connect your Fortigate to the Spectrum Modem and get your public IP directly on the Fortigate (if it’s a business account and you have multiple static usable IPs, the Modem itself becomes the Gateway…if you’re not set up like that, at least in bridged mode…) without having to do Port Forwarding on the router side of the Spectrum device. If you’re double-NATted this is the least of your concerns…

I tried to just use the modem without their router, but then I can’t use the static IPs. I called Spectrum, they reset the modem and it still didn’t work, and then they sent a worker out who said that we had to have the router to get the static IPs. (Also had to have the router reset a couple of times to get it to work correctly.)

The router is in some sort of bridge mode, and the Fortigate firewall sees that its IP address is the public IP address that I want it to have, but certain things don’t seem to get passed through to the Fortigate correctly. I also had to port forward the SSL VPN I have set up, even though the Spectrum router itself says that it passes all that traffic along anyway.

I used the ACME option built directly into the Fortigate. I believe this uses DNS to validate, as I had to add the subdomain to our website’s DNS record.

Hmmmm, that’s odd. I’d maybe nail Spectrum on that a bit. I’ve done that exact configuration for standalone firewalls to get their own full public IP as sold by Spectrum and had everything fully pass, no issues. Is the Fortigate DHCPing that IP from Spectrum or do you have it nailed up in the Fortigate?

Regardless, it seems if 80 and 443 are open, Let’s Encrypt should be able to get in to renew…

I checked and did not have port 443 forwarded to the Fortigate. I have now forwarded that port as well. I reissued the cert from the Fortigate before I made that change so I will need to wait a month to see if it fixed it.

That sounds more like the https (TLS-01) challenge: your DNS needs to point to the service, which has port forwards to expose port 443 to the internet.

The DNS-01 ACME challenge uses the API of a supported DNS provider to validate the certificate. It doesn’t require your DNS to be pointed at your service or any port forwards on your firewall (but you can do that if it is a service you want to expose to the internet).

I prefer to use the DNS-01 method these days. You can also use it to provide a Let’s Encrypt cert for services on your internal network. Your DNS provider and your ACME client need to both support the DNS-01 challenge method.
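As an added illustration of the difference the two replies above describe (this is not code from the thread or from Fortinet), the script below builds the ACME key authorization from a challenge token and the account key's JWK thumbprint (RFC 8555 / RFC 7638) and shows where each challenge type publishes it: HTTP-01 needs an inbound path on port 80 to a well-known URL, while DNS-01 needs only a TXT record containing a hash, so no port forward on the router is involved. The JWK, token and domain are constructed sample values, not a real account key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires for all challenge values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 of the canonical JSON of the required members only
    (lexicographic key order, no whitespace); optional members such as 'alg' are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_response(kind: str, domain: str, token: str, jwk: dict) -> dict:
    """Return what the CA's validator will look for and which inbound port it needs."""
    keyauth = key_authorization(token, jwk)
    if kind == "http-01":
        # Let's Encrypt fetches this URL from the internet: port 80 must reach the ACME client.
        return {"inbound_port": 80,
                "where": f"http://{domain}/.well-known/acme-challenge/{token}",
                "value": keyauth}
    if kind == "dns-01":
        # Validator queries DNS only; TXT holds base64url(SHA-256(keyAuthorization)).
        return {"inbound_port": None,
                "where": f"_acme-challenge.{domain}",
                "value": b64url(hashlib.sha256(keyauth.encode("ascii")).digest())}
    raise ValueError(f"unsupported challenge type: {kind}")


# Constructed sample inputs (hypothetical; the modulus is NOT a real RSA key).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-not-from-a-real-CA"
SAMPLE_DOMAIN = "vpn.example.com"

if __name__ == "__main__":
    for kind in ("http-01", "dns-01"):
        print(kind, challenge_response(kind, SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_JWK))
```

Running it side by side makes the renewal question concrete: if the client's log shows an http-01 challenge, the CA must be able to reach the printed URL on port 80 through the Spectrum router; if it shows dns-01, only the TXT record matters.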

You are correct, it was not a DNS challenge. I found some more Fortinet documentation and was able to find what kind of challenge it was using.