Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
YevheniiK
New Contributor

How to add remote server certificate to the Forticlient VPN 7.2 trusted store on Ubuntu 22.04?

Hello, 

 

I get a remote server certificate validation error when connecting to our VPN provider. I checked their certificate with https://www.sslshopper.com/ssl-checker.html#hostname=healthconnect.vpn.cloudgateway.co.uk, and it seems to be valid and issued by the GoDaddy

 

I linked Ubuntu's certificate storage as suggested in https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-... but to no luck, as you can see on the screenshot below. 

 

forticlient-linux-screenshot.png

 

This is with #forticlient vpn 7.2.2.0753 on Ubuntu 22.04

 

Any tips are appreciated! 

 

4 REPLIES 4
bpozdena_FTNT

Maybe try to add the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" info your Fortigate as it does not seem to be included in the FortiGuard bundle.

 

If that alone does not work, you can try to create a symlink to your system trust store. More details at https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-...

HTH,
Boris
YevheniiK

Hey @bpozdena_FTNT 

 

We are not using FortiGate - just FortiClient VPN to connect with our service provider.

 

I followed the steps in the article above, and as you can see on the screenshot

`.fctsslvpn_trustca`   is linked to the `/etc/ssl/certs`.

 

That article is from 2017. Does that solution still apply to the FortiClient VPN 7.2.2?

bpozdena_FTNT

I was trying to say that the Fortigate is not configured correctly. You can use OpenSSL client to validate that the SSLVPN server does not send the full trust chain.

 

openssl s_client -connect healthconnect.vpn.cloudgateway.co.uk:443

 

 

Solution:

1)Ask your service provider to import the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" into the Fortigate.

2)Then restart the SSLVPN daemons on the Fortigate with:

 

fnsysctl killall sslvpnd

 

 

The change should be done during maintenance window as it will briefly disconnect all SSL VPN users.

 

HTH,
Boris
YevheniiK

Thank you, I'll check on that with them. 

Interestingly, windows client doesn't complain about the certificate. 

 

Top Kudoed Authors