Technical Note: Certificate warning when connecting to SSLVPN from Linux devices
Products
FortiClient Lite
FortiGate v5.2
FortiGate v5.4
FortiGate v5.6
Description
This article provides guidance for dealing with certificate warnings when connecting to SSLVPN from Linux devices.

Solution
FortiClient SSLVPN for Linux does not use the operating system's default trust store; it looks for trusted certificates in its own repository.

Certificates can be added to the FortiClient repository as follows:

To create the repository for FortiClient:
Create the directory "/root/.fctsslvpn_trustca" (or ".fctsslvpn_trustca" in the home directory of the user running FortiClient) and copy into it all CA certificates of the server's chain (root and intermediate CAs) in PEM format.

Alternatively, disable the server certificate check:
Set "invalid_peer_cert_action=0" in the config file to skip verification. With verification skipped, the client accepts any server certificate, so it no longer detects an impersonated gateway.
The config file is located at: $vpn_home/64bit/helper/config

A further method is to link the Linux certificate store to the .fctsslvpn_trustca directory. For example:
ln -snf /etc/ssl/certs ~/.fctsslvpn_trustca

The exact command depends on the Linux distribution. Note that this method is provided "as is" and is not supported by Fortinet.

To disable the certificate trust check completely, check "Do not warn about server certificate validation failure" in the FortiClient GUI, or configure it via the CLI:

Go to the FortiClient directory, then to the subdirectory for the FortiClient build that matches the OS architecture.

For 64-bit systems it will be:
./forticlientsslvpn/64bit/helper

Edit the file called config and set the cert warning value to 0 as shown below:
loglevel=1
disable_openssl_renegotiation=0
invalid_peer_cert_action=0    <---- This will prevent the certificate warnings
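As an added example (not from this note or from Fortinet), the following POSIX shell script serves both procedures above: it splits a CA chain bundle into one PEM file per certificate inside .fctsslvpn_trustca, and it reads the helper config to report whether invalid_peer_cert_action has been set to 0. $FCT_HOME is an assumed variable standing in for the note's $vpn_home; the bundle and config used in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Fortinet's code. Assumes POSIX sh, awk and sed.
# $FCT_HOME is a hypothetical variable for the FortiClient install path
# (the note calls it $vpn_home).

# Split a PEM bundle (root + intermediate CAs) into one file per certificate
# inside the trust directory. Prints the number of certificates written.
install_fct_trustca() {
    bundle="$1"
    trustdir="${2:-$HOME/.fctsslvpn_trustca}"
    mkdir -p "$trustdir" && chmod 700 "$trustdir"
    awk -v dir="$trustdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# Exit status: 0 = invalid_peer_cert_action set to a non-zero value
# (verification stays on), 1 = set to 0 (verification skipped),
# 2 = key absent (the helper's own default applies, whatever it is).
# Assumption: if the key appears more than once, the last occurrence counts.
fct_config_verifies_peer() {
    cfg="${1:-$FCT_HOME/64bit/helper/config}"
    action=$(sed -n 's/^invalid_peer_cert_action=\([0-9]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -z "$action" ] && return 2
    [ "$action" != "0" ]
}

# Demo on a constructed two-certificate bundle (placeholder bodies, not real
# certificates) and a constructed config, written to a temporary directory.
fct_demo() {
    work=$(mktemp -d)
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed-root\n-----END CERTIFICATE-----\n' > "$work/bundle.pem"
    printf -- '-----BEGIN CERTIFICATE-----\nMIIB...constructed-intermediate\n-----END CERTIFICATE-----\n' >> "$work/bundle.pem"
    printf 'loglevel=1\ndisable_openssl_renegotiation=0\ninvalid_peer_cert_action=0\n' > "$work/config"
    echo "certificates installed: $(install_fct_trustca "$work/bundle.pem" "$work/trustca")"
    if fct_config_verifies_peer "$work/config"; then
        echo "config: peer certificate verification enabled"
    else
        echo "config: peer certificate verification not enabled (invalid_peer_cert_action=0 or unset)"
    fi
    rm -rf "$work"
}

fct_demo
```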
Related Articles
Technical Note: How to avoid certificate error message by chaining Root CA and Intermediate CA certificates on FortiGate
Last Modified Date: 04-28-2017 Document ID: FD40440