Hello,
I get a remote server certificate validation error when connecting to our VPN provider. I checked their certificate with https://www.sslshopper.com/ssl-checker.html#hostname=healthconnect.vpn.cloudgateway.co.uk, and it seems to be valid and issued by the GoDaddy
I linked Ubuntu's certificate storage as suggested in https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-... but to no luck, as you can see on the screenshot below.
This is with #forticlient vpn 7.2.2.0753 on Ubuntu 22.04
Any tips are appreciated!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 12-06-2023 02:30 AM Edited on 12-06-2023 02:33 AM
I was trying to say that the Fortigate is not configured correctly. You can use OpenSSL client to validate that the SSLVPN server does not send the full trust chain.
openssl s_client -connect healthconnect.vpn.cloudgateway.co.uk:443
Solution:
1)Ask your service provider to import the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" into the Fortigate.
2)Then restart the SSLVPN daemons on the Fortigate with:
fnsysctl killall sslvpnd
The change should be done during maintenance window as it will briefly disconnect all SSL VPN users.
Maybe try to add the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" info your Fortigate as it does not seem to be included in the FortiGuard bundle.
If that alone does not work, you can try to create a symlink to your system trust store. More details at https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-...
Created on 12-05-2023 08:27 AM Edited on 12-05-2023 09:02 AM
Hey @bpozdena_FTNT
We are not using FortiGate - just FortiClient VPN to connect with our service provider.
I followed the steps in the article above, and as you can see on the screenshot
`.fctsslvpn_trustca` is linked to the `/etc/ssl/certs`.
That article is from 2017. Does that solution still apply to the FortiClient VPN 7.2.2?
Created on 12-06-2023 02:30 AM Edited on 12-06-2023 02:33 AM
I was trying to say that the Fortigate is not configured correctly. You can use OpenSSL client to validate that the SSLVPN server does not send the full trust chain.
openssl s_client -connect healthconnect.vpn.cloudgateway.co.uk:443
Solution:
1)Ask your service provider to import the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" into the Fortigate.
2)Then restart the SSLVPN daemons on the Fortigate with:
fnsysctl killall sslvpnd
The change should be done during maintenance window as it will briefly disconnect all SSL VPN users.
Thank you, I'll check on that with them.
Interestingly, windows client doesn't complain about the certificate.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.