FortiClient
preznik_FTNT, Staff
Article Id 197402
Description
This article provides guidance for dealing with certificate warnings when connecting to SSLVPN from Linux devices.
Solution
FortiClient SSLVPN for Linux does not use the default OS trust store; it checks for trusted certificates in its own repository.

It is possible to add certificates to the FortiClient repository:

To create the repository for FortiClient:
Create the "/root/.fctsslvpn_trustca" directory (or ".fctsslvpn_trustca" in the home directory of the user running FortiClient) and copy into it all CA certificates of the server's chain (all intermediate and root CAs) in PEM format.
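The following POSIX shell script is an added example, not a Fortinet-provided tool. It assumes the CA chain has been exported as a single PEM bundle (path passed as the first argument, a constructed example path) and populates the per-user .fctsslvpn_trustca directory with one PEM file per certificate, which is the layout the repository method above requires. The optional check function uses openssl to confirm every file in the directory parses as a certificate and to print its expiry, so that a trust directory holding an expired or malformed CA is caught before the next connection attempt. Keeping the gateway's CA chain in this directory preserves server authentication, which the invalid_peer_cert_action=0 alternative below gives up.

```shell
#!/bin/sh
# Added example (not FortiClient's own code): populate ~/.fctsslvpn_trustca
# from a PEM bundle of the VPN gateway's intermediate and root CA certificates.

# Directory FortiClient SSLVPN for Linux consults for trusted CAs.
TRUST_DIR="${TRUST_DIR:-$HOME/.fctsslvpn_trustca}"

# split_pem_bundle BUNDLE DIR
# Writes each BEGIN/END CERTIFICATE block found in BUNDLE to DIR/ca-N.pem and
# prints the number of certificates written. Text outside the blocks (such as
# the "subject=" lines some exporters emit) is dropped.
split_pem_bundle() {
    bundle="$1"
    dir="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"          # trust material is per-user; keep it private
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != ""                    { print > out }
        /-----END CERTIFICATE-----/  { close(out); out = "" }
        END                          { print n + 0 }
    ' "$bundle"
}

# trust_dir_count DIR
# Prints how many .pem files DIR currently holds (0 if none).
trust_dir_count() {
    n=0
    for f in "$1"/*.pem; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# check_trust_dir DIR
# Uses openssl (if installed) to verify that every .pem file in DIR parses as
# an X.509 certificate and prints its subject and expiry; returns non-zero if
# any file is not a certificate.
check_trust_dir() {
    dir="$1"
    rc=0
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        if ! openssl x509 -noout -subject -enddate -in "$f"; then
            echo "not a certificate: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh trustca.sh /path/to/gateway-ca-chain.pem   (constructed example path)
if [ "$#" -ge 1 ]; then
    count=$(split_pem_bundle "$1" "$TRUST_DIR")
    echo "installed $count certificate(s) into $TRUST_DIR"
    check_trust_dir "$TRUST_DIR"
fi
```

Run it once per user that launches FortiClient (or with TRUST_DIR=/root/.fctsslvpn_trustca for root); re-run after a CA rotation so the new intermediate is present before the old one expires.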

Alternatively, disable the server certificate check:
Set "invalid_peer_cert_action=0" in the config file to skip verification.
The config file is located at: $vpn_home/64bit/helper/config

A further method is to link the Linux certificate store to the .fctsslvpn_trustca directory. For example:
ln -snf /etc/ssl/certs ~/.fctsslvpn_trustca

The actual command depends on the Linux distribution. Note that this method is provided "as is" and is not supported by Fortinet.

To disable the certificate trust check completely, check "Do not warn about server certificate validation failure" in the FortiClient GUI, or configure it via the CLI as follows.

Go to the FortiClient directory and then to the helper directory for the FortiClient build that corresponds to the OS.

For 64-bit systems it will be:
./forticlientsslvpn/64bit/helper

Edit the file called config and set the cert warning value to 0 as shown below:
loglevel=1
disable_openssl_renegotiation=0
invalid_peer_cert_action=0    <---- this prevents the certificate warnings

Related Articles

Technical Note: How to avoid certificate error message by chaining Root CA and Intermediate CA certi...