Technical Note: Certificate warning when connecting to SSLVPN from Linux devices

preznik_FTNT · ‎04-27-2017

Description

This article provides guidance for dealing with certificate warnings when connecting to SSLVPN from Linux devices.

Solution

FortiClient SSLVPN for Linux does not use default OS trust, but checks for trusted certificates in its own repository.

It is possible to add certificates to the FortiClient repository:

To create repository for FortiClient:

Create "/root/.fctsslvpn_trustca" directory (or in the home directory of the user running it) and copy to it all CA certificates (all intermediate and root CAs) in PEM format.

Alternatively, disable the server certificate check:

Set "invalid_peer_cert_action=0" in config to skip verification.
Config file is located in: $vpn_home/64bit/helper/config

A further method would be to link the Linux certificate store to the .fctsslvpn_trustca directory. For example:

ln -snf /etc/ssl/certs ~/.fctsslvpn_trustca

Actual command will depends on the Linux distributive. It should be noted that this method is provided "as is", and is not supported by Fortinet.

To disable certificate trust check completely, check "Do not warn about server certificate validation failure" on the FortiCLient GUI, or configure the via CLI.

Go to the FortiClient directory and then to the FortiClient version that corresponds to the OS.

For 64-bit systems it will be:

./forticlientsslvpn/64bit/helper

Edit the file called config and set the cert warning value to 0 as shown below:

loglevel=1
disable_openssl_renegotiation=0
invalid_peer_cert_action=0 <---- This will prevent the certificate warnings

Related Articles

Technical Note: How to avoid certificate error message by chaining Root CA and Intermediate CA certi...

Technical Note: Certificate warning when connecting to SSLVPN from Linux devices

You are leaving our website