How to add remote server certificate to the Forticlient VPN 7.2 trusted store on Ubuntu 22.04?
Hello,
I get a remote server certificate validation error when connecting to our VPN provider. I checked their certificate with https://www.sslshopper.com/ssl-checker.html#hostname=healthconnect.vpn.cloudgateway.co.uk, and it seems to be valid and issued by GoDaddy.
I linked Ubuntu's certificate storage as suggested in https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-... but with no luck, as you can see on the screenshot below.
This is with #forticlient vpn 7.2.2.0753 on Ubuntu 22.04
Any tips are appreciated!
Maybe try to add the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" into your Fortigate as it does not seem to be included in the FortiGuard bundle.
If that alone does not work, you can try to create a symlink to your system trust store. More details at https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-...
Boris
Created on 12-05-2023 08:27 AM Edited on 12-05-2023 09:02 AM
Hey @bpozdena_FTNT
We are not using FortiGate - just FortiClient VPN to connect with our service provider.
I followed the steps in the article above, and as you can see on the screenshot
`.fctsslvpn_trustca` is linked to the `/etc/ssl/certs`.
That article is from 2017. Does that solution still apply to the FortiClient VPN 7.2.2?
Created on 12-06-2023 02:30 AM Edited on 12-06-2023 02:33 AM
I was trying to say that the Fortigate is not configured correctly. You can use the OpenSSL client to validate that the SSLVPN server does not send the full trust chain.

`openssl s_client -connect healthconnect.vpn.cloudgateway.co.uk:443`

Solution:
1) Ask your service provider to import the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" into the Fortigate.
2) Then restart the SSLVPN daemons on the Fortigate with:

`fnsysctl killall sslvpnd`

The change should be done during a maintenance window as it will briefly disconnect all SSL VPN users.
Boris
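
Added example, not part of the original thread and not Fortinet's tooling: a small shell helper that reads `openssl s_client` output and reports whether the server sent only its leaf certificate, which is the missing-intermediate condition described in the reply above. The function name `chain_report` and both sample outputs are constructed for illustration; the single-certificate check is a heuristic.

```shell
#!/bin/sh
# chain_report (hypothetical helper): summarise the "Certificate chain" section
# of `openssl s_client` output read from stdin. Heuristic: one certificate that
# is not self-signed means the leaf was sent without its issuing intermediate.
chain_report() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && $0 == "---"    { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        in_chain && /^ +i:/        { sub(/^ +i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "NO_CHAIN"; exit 2 }
            # Each certificate must be issued by the next one the server sent.
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) {
                    print "BROKEN: depth " (k - 1) " issuer is not the next certificate"
                    exit 1
                }
            if (n == 1 && iss[1] != subj[1]) {
                print "INCOMPLETE: leaf only, issuer not sent: " iss[1]
                exit 1
            }
            print "OK: " n " certificate(s) sent"
        }'
}

# Constructed sample: the server presents only its own certificate.
sample_leaf_only() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = healthconnect.vpn.cloudgateway.co.uk
   i:CN = Go Daddy Secure Certificate Authority - G2
---
EOF
}

# Constructed sample: the server presents leaf plus intermediate.
sample_full() {
    cat <<'EOF'
Certificate chain
 0 s:CN = healthconnect.vpn.cloudgateway.co.uk
   i:CN = Go Daddy Secure Certificate Authority - G2
 1 s:CN = Go Daddy Secure Certificate Authority - G2
   i:CN = Go Daddy Root Certificate Authority - G2
---
EOF
}

sample_leaf_only | chain_report || true   # non-zero status flags the gap
sample_full | chain_report
```

Against a live server, pipe the command from the reply into the helper: `openssl s_client -connect healthconnect.vpn.cloudgateway.co.uk:443 </dev/null 2>/dev/null | chain_report`.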
Thank you, I'll check on that with them.
Interestingly, the Windows client doesn't complain about the certificate.