Description
This article provides guidance for dealing with certificate warnings when connecting to SSLVPN from Linux devices.
Solution
FortiClient SSLVPN for Linux does not use the operating system's default trust store. It validates the VPN server certificate only against the certificates in its own repository, so a server certificate issued by a CA the OS already trusts can still produce a warning.
To add certificates to the FortiClient repository, create the directory "/root/.fctsslvpn_trustca" (or ".fctsslvpn_trustca" in the home directory of the user running FortiClient) and copy into it every CA certificate in the server's chain, all intermediate CAs and the root CA, in PEM format. This is the preferred fix: the client keeps verifying the server and simply gains the CA it was missing.
Alternatively, disable the server certificate check by setting "invalid_peer_cert_action=0" in the helper config file, located at: $vpn_home/64bit/helper/config
With verification skipped the client accepts whatever certificate the far end presents, including one from an attacker intercepting the connection, so treat this as a troubleshooting step rather than a permanent setting.
A further method is to link the Linux certificate store to the .fctsslvpn_trustca directory, for example:
ln -snf /etc/ssl/certs ~/.fctsslvpn_trustca
The exact path depends on the Linux distribution. Note that this makes FortiClient trust every CA in the OS store rather than only the CA that issued the VPN certificate, and that this method is provided "as is" and is not supported by Fortinet.
To disable the certificate trust check completely, tick "Do not warn about server certificate validation failure" in the FortiClient GUI, or make the same change from the CLI: go to the FortiClient directory and then to the FortiClient version that corresponds to the OS. For 64-bit systems it will be:
./forticlientsslvpn/64bit/helper
Edit the file called config and set invalid_peer_cert_action to 0 as shown below:
loglevel=1
disable_openssl_renegotiation=0
invalid_peer_cert_action=0 <---- This will prevent the certificate warnings
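The two procedures above, populating the .fctsslvpn_trustca repository and editing invalid_peer_cert_action in the helper config, as a runnable shell example. This is an added example written for this page, not Fortinet's code. It assumes, which the article does not state, that the CA chain arrives as a single PEM bundle file and that the helper config path is passed in explicitly; the certificate contents and config values in write_sample_inputs are constructed placeholders, not real certificates or a real install.

```shell
#!/bin/sh
# Added example (editor's code, not Fortinet's): populate the FortiClient SSLVPN
# trust store and toggle invalid_peer_cert_action in the helper config.
# Assumptions not taken from the article: the CA chain arrives as one PEM
# bundle file, and the helper config path is passed in explicitly.

# Split a PEM bundle into one file per CA certificate inside the trust
# directory (FortiClient reads ~/.fctsslvpn_trustca). Prints the number of
# certificates written so the caller can confirm the whole chain landed.
install_trustca() {
    bundle="$1"
    dest="$2"
    mkdir -p "$dest" && chmod 700 "$dest"
    awk -v dir="$dest" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Set invalid_peer_cert_action in the helper config, keeping a .bak copy so
# the original value can be restored. 0 is the value the article documents
# for skipping server certificate verification; with it set the client cannot
# tell the real VPN gateway from a man-in-the-middle. Prints the stored value.
set_cert_action() {
    config="$1"
    value="$2"
    case "$value" in
        *[!0-9]*|"") echo "invalid_peer_cert_action must be an integer" >&2; return 1 ;;
    esac
    cp "$config" "$config.bak"
    if grep -q '^invalid_peer_cert_action=' "$config.bak"; then
        sed "s/^invalid_peer_cert_action=.*/invalid_peer_cert_action=$value/" \
            "$config.bak" > "$config"
    else
        printf 'invalid_peer_cert_action=%s\n' "$value" >> "$config"
    fi
    sed -n 's/^invalid_peer_cert_action=//p' "$config"
}

# Before resorting to set_cert_action 0, check whether the gateway's chain
# actually validates against the store (needs openssl and network access;
# host and port are whatever your gateway uses).
verify_gateway_chain() {
    host="$1"
    port="$2"
    dest="$3"
    work=$(mktemp -d)
    cat "$dest"/*.pem > "$work/cas.pem"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 > "$work/leaf.pem"
    openssl verify -CAfile "$work/cas.pem" "$work/leaf.pem"
    status=$?
    rm -rf "$work"
    return $status
}

# Constructed sample inputs (placeholders, not real certificates or a real
# install): a two-certificate PEM bundle and a helper config like the article's.
write_sample_inputs() {
    dir="$1"
    cat > "$dir/chain.pem" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBsampleIntermediateCAbase64placeholder
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBsampleRootCAbase64placeholder
-----END CERTIFICATE-----
EOF
    cat > "$dir/config" <<'EOF'
loglevel=1
disable_openssl_renegotiation=0
invalid_peer_cert_action=1
EOF
}

demo() {
    work=$(mktemp -d)
    write_sample_inputs "$work"
    echo "CA files written: $(install_trustca "$work/chain.pem" "$work/trustca")"
    ls "$work/trustca"
    echo "invalid_peer_cert_action now: $(set_cert_action "$work/config" 0)"
    echo "original config kept at $work/config.bak"
    rm -rf "$work"
}

demo
```

On a real install, point install_trustca at the CA bundle for your gateway and at ~/.fctsslvpn_trustca for the user running FortiClient, then run verify_gateway_chain against the gateway before touching the config; if the chain verifies, the warning should disappear without disabling the check. The .bak copy set_cert_action leaves behind is how you restore the original setting once troubleshooting is over.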