yetopen
New Contributor

Unable to bypass expired certificate on macOS

Hi.

Upgraded to the latest available release for macOS (7.0.7.0245), but we're still unable to bypass expired certificate error.

Apparently, this is not an issue with Linux and Windows clients.

Is it possible to bypass it on macOS too?

Thanks

20221219 09:32:59 [VPN:INFO] PacketTunnelProvider.swift:32 VPN provider: 0245
20221219 09:32:59 [VPN:INFO] PacketTunnelProvider.swift:38 Start tunnel.
20221219 09:32:59 [VPN:INFO] SSLVPNTunnel.swift:571 Tunnel connection state: CONNECTING
20221219 09:32:59 [VPN:DEBG] SSLVPNTunnel.swift:586 On has better path change
20221219 09:32:59 [VPN:DEBG] SSLVPNTunnel.swift:594 No better path
20221219 09:32:59 [VPN:EROR] SSLVPNTunnel.swift:36 Failed to bypass certificate. error : Error Domain=NSOSStatusErrorDomain Code=-67818 "“*.vpn.domain.it” certificate is expired" UserInfo={NSLocalizedDescription=“*.vpn.domain.it” certificate is expired, NSUnderlyingError=0x6000036ecfc0 {Error Domain=NSOSStatusErrorDomain Code=-67818 "Certificate 0 “*.vpn.domain.it” has errors: Certificate is not temporally valid;" UserInfo={NSLocalizedDescription=Certificate 0 “*.vpn.domain.it” has errors: Certificate is not temporally valid;}}}
20221219 09:32:59 [VPN:INFO] SSLVPNTunnel.swift:561 Tunnel connection state: CANCELLED
20221219 09:32:59 [VPN:EROR] SSLVPNTunnel.swift:457 Closed while starting, with error: certificateError

4 REPLIES
funkylicious
Contributor III

Hi,

Have you tried installing the certificate in Keychain and marking it as trusted?

geek
yetopen

Tried now: added to the macOS Keychain, set it as trusted, restarted FortiClient VPN, but same error.

yetopen
New Contributor

I found an open source alternative to the official FortiClient which works, and can accept the expired certificate:

https://github.com/adrienverge/openfortivpn

Markus_M
Staff

Hi yetopen,

The only(!) valid solution to this problem is to replace the expired certificate.

Your VPN server (FortiGate) has that certificate and it expired. This has to be replaced. This is normal for certificates and a security measure.

If the certificate is expired, your client (or any other) does not connect, as it refuses the connection, and that should be expected.

A very temporary solution to this, if you really need to connect a single time to exchange the certificate, is to change your client's system time to before the date that it expired.

If not sure where to read it - connect via browser to the same FQDN. You will also receive a warning. Bypass the certificate warning as much as possible and see the date of expiry. Change your macOS system time to before that date. Then you should be able to connect.

Best regards,

Markus
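
For triaging this failure across many client logs, the following is an added example (not part of the thread and not Fortinet code) that parses the FortiClient macOS log format shown in the original post and reports connections that failed because the gateway certificate had expired. The function names are hypothetical, and the sample lines are copied from the post with the long error line shortened.

```python
import re
from datetime import datetime

# Sample lines taken from the log in the original post; the UserInfo
# payload of the error line is shortened to "{...}" for this example.
SAMPLE_LOG = """\
20221219 09:32:59 [VPN:INFO] SSLVPNTunnel.swift:571 Tunnel connection state: CONNECTING
20221219 09:32:59 [VPN:EROR] SSLVPNTunnel.swift:36 Failed to bypass certificate. error : Error Domain=NSOSStatusErrorDomain Code=-67818 "“*.vpn.domain.it” certificate is expired" UserInfo={...}
20221219 09:32:59 [VPN:INFO] SSLVPNTunnel.swift:561 Tunnel connection state: CANCELLED
20221219 09:32:59 [VPN:EROR] SSLVPNTunnel.swift:457 Closed while starting, with error: certificateError
"""

# Layout observed in the post: "YYYYMMDD HH:MM:SS [COMPONENT:LEVEL] file:line message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{8} \d{2}:\d{2}:\d{2}) \[(?P<comp>\w+):(?P<level>\w+)\] "
    r"(?P<src>\S+:\d+) (?P<msg>.*)$")
# OSStatus code plus the certificate subject, which the log wraps in typographic quotes.
CERT_RE = re.compile(
    r'Code=(?P<code>-?\d+) "“(?P<subject>[^”]+)” certificate is expired"')


def parse_line(line):
    """Split one log line into its fields; return None if the layout differs."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y%m%d %H:%M:%S")
    return rec


def expired_cert_failures(log_text):
    """Return one finding per error line that reports an expired certificate."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["level"] != "EROR":
            continue
        m = CERT_RE.search(rec["msg"])
        if m:
            findings.append({"time": rec["ts"], "source": rec["src"],
                             "subject": m["subject"], "code": int(m["code"])})
    return findings


if __name__ == "__main__":
    for f in expired_cert_failures(SAMPLE_LOG):
        print(f"{f['time']} {f['subject']} expired (OSStatus {f['code']})")
```

Each finding names the certificate subject that needs replacing on the VPN gateway, which is the fix described in the reply above.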
