Description
This article provides guidance for dealing with certificate warnings when connecting to SSLVPN from Linux devices.
Solution
FortiClient SSLVPN for Linux does not use the default OS trust store; it checks for trusted certificates in its own repository. Certificates can be added to the FortiClient repository as follows.

To create the repository for FortiClient:
Create the "/root/.fctsslvpn_trustca" directory (or the equivalent in the home directory of the user running FortiClient) and copy all CA certificates (all intermediate and root CAs) in PEM format into it.
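As an added example (not from the Fortinet article), the shell script below builds the trust directory described above from a PEM bundle: it splits the bundle into one certificate per file and, when openssl is available, flags any file that is not a CA certificate. The file names (ca-N.pem) and the assumption that FortiClient reads every PEM file in the directory are assumptions of this example, not something the article documents.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: populate the FortiClient
# SSLVPN trust directory from a PEM bundle (intermediate + root CAs).
# Assumptions: FortiClient accepts any file names in the directory (ca-N.pem
# is chosen here) and reads every PEM file it finds there.

# Split a PEM bundle into one certificate per file inside the trust
# directory and print the number of certificates written.
split_pem_bundle() {
    bundle="$1"
    dest="${2:-$HOME/.fctsslvpn_trustca}"   # default FortiClient location
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"
    # Text between the PEM markers goes to ca-N.pem; anything outside the
    # markers (e.g. "subject=" lines from openssl bundles) is dropped.
    awk -v dir="$dest" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    ' "$bundle" || return 1
    count=0
    for f in "$dest"/ca-*.pem; do
        if [ -f "$f" ]; then count=$((count + 1)); fi
    done
    echo "$count"
}

# Optional check when openssl is installed: print any file in the trust
# directory that is not a CA certificate (no CA:TRUE basic constraint),
# since a leaf certificate placed there will not anchor the server chain.
find_non_ca_certs() {
    dir="${1:-$HOME/.fctsslvpn_trustca}"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout -text 2>/dev/null | grep -q 'CA:TRUE' || echo "$f"
    done
}
```

Populating the trust directory this way keeps server certificate validation enabled, which is preferable to the invalid_peer_cert_action=0 setting described later in this article.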
Alternatively, disable the server certificate check:
Set "invalid_peer_cert_action=0" in the config file to skip verification.
The config file is located in:
$vpn_home/64bit/helper/config
A further method is to link the Linux certificate store to the .fctsslvpn_trustca directory. For example:
ln -snf /etc/ssl/certs ~/.fctsslvpn_trustca
The actual command depends on the Linux distribution. It should be noted that this method is provided "as is" and is not supported by Fortinet.
To disable the certificate trust check completely, check "Do not warn about server certificate validation failure" in the FortiClient GUI, or configure it via the CLI.
Go to the FortiClient directory and then to the FortiClient version that corresponds to the OS. For 64-bit systems it will be:
./forticlientsslvpn/64bit/helper
Edit the file called config and set the cert warning value to 0 as shown below:
loglevel=1
disable_openssl_renegotiation=0
invalid_peer_cert_action=0    <---- This will prevent the certificate warnings
Related Articles
Technical Note: How to avoid certificate error message by chaining Root CA and Intermediate CA certi...