YevheniiK

How to add remote server certificate to the Forticlient VPN 7.2 trusted store on Ubuntu 22.04?

Hello, 

 

I get a remote server certificate validation error when connecting to our VPN provider. I checked their certificate with https://www.sslshopper.com/ssl-checker.html#hostname=healthconnect.vpn.cloudgateway.co.uk, and it seems to be valid and issued by GoDaddy.

 

I linked Ubuntu's certificate storage as suggested in https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-... but with no luck, as you can see on the screenshot below.

 

forticlient-linux-screenshot.png

 

This is with #forticlient vpn 7.2.2.0753 on Ubuntu 22.04

 

Any tips are appreciated! 

 

bpozdena_FTNT

Maybe try to add the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" into your FortiGate as it does not seem to be included in the FortiGuard bundle.

 

If that alone does not work, you can try to create a symlink to your system trust store. More details at https://community.fortinet.com/t5/FortiClient/Technical-Note-Certificate-warning-when-connecting-to-...

HTH,
Boris
YevheniiK

Hey @bpozdena_FTNT 

 

We are not using FortiGate - just FortiClient VPN to connect with our service provider.

 

I followed the steps in the article above, and as you can see on the screenshot, `.fctsslvpn_trustca` is linked to `/etc/ssl/certs`.

 

That article is from 2017. Does that solution still apply to the FortiClient VPN 7.2.2?

bpozdena_FTNT

I was trying to say that the FortiGate is not configured correctly. You can use the OpenSSL client to validate that the SSLVPN server does not send the full trust chain.

 

`openssl s_client -connect healthconnect.vpn.cloudgateway.co.uk:443`

 

 

Solution:

1) Ask your service provider to import the intermediate CA certificate "Go Daddy Secure Certificate Authority - G2" into the FortiGate.

2) Then restart the SSLVPN daemons on the FortiGate with:

 

`fnsysctl killall sslvpnd`

 

 

The change should be done during a maintenance window as it will briefly disconnect all SSL VPN users.

 

HTH,
Boris
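
Added example, not part of the original thread or Fortinet's tooling: a shell helper that reads `openssl s_client` output and reports whether the server sent a certificate matching the leaf's issuer, which is the check the reply above describes. The function names, the hostname `vpn.example.test`, the root CA name and both sample outputs are constructed for illustration; for a live check, pipe `openssl s_client -connect HOST:443 </dev/null 2>/dev/null` into `chain_status`.

```shell
# Added example: chain_status reads `openssl s_client` output on stdin and follows
# issuer -> subject links among the certificates the server actually sent.
chain_status() {
    awk '
        /^Certificate chain/       { in_chain = 1; n = 0; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; sent[$0] = n; next }
        in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0 }
        END {
            if (n == 0) { print "ERROR: no certificate chain in input"; exit 2 }
            cur = 0; depth = 1
            while (iss[cur] != subj[cur] && (iss[cur] in sent) && depth < n) {
                cur = sent[iss[cur]]; depth++
            }
            if (depth == 1 && iss[0] != subj[0]) {
                printf "INCOMPLETE: no sent certificate matches leaf issuer: %s\n", iss[0]
                exit 1
            }
            printf "OK: leaf links to %d sent issuer certificate(s)\n", depth - 1
        }'
}

# Constructed sample: server sends only its own (leaf) certificate.
sample_leaf_only() { cat <<'EOF'
---
Certificate chain
 0 s:CN = vpn.example.test
   i:CN = Go Daddy Secure Certificate Authority - G2
---
Server certificate
EOF
}

# Constructed sample: server also sends the intermediate CA certificate.
sample_full() { cat <<'EOF'
---
Certificate chain
 0 s:CN = vpn.example.test
   i:CN = Go Daddy Secure Certificate Authority - G2
 1 s:CN = Go Daddy Secure Certificate Authority - G2
   i:CN = Example Root CA (constructed)
---
Server certificate
EOF
}

for s in sample_leaf_only sample_full; do
    printf '%s: ' "$s"; "$s" | chain_status || true
done
```

An `INCOMPLETE` result means the client can only build the chain if it already holds that issuer certificate locally; the last certificate in a chain legitimately has an unsent issuer when that issuer is a root in the trust store.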
YevheniiK

Thank you, I'll check on that with them. 

Interestingly, the Windows client doesn't complain about the certificate.

 
