doesn't connect with certificate

Union union.kjesi at gmail.com
Mon Dec 18 12:22:28 PST 2017


Hello

First of all, thanks for extremely quick reply from your side.

Short story:
The issue was in missing CA certificate.

Long story:

1. I was cloning openconnect from
git://git.infradead.org/users/dwmw2/openconnect.git (published at
http://www.infradead.org/openconnect/download.html).

2. I've got the CA certificate (in DER) and put it in
/etc/ca-certificates/trust-source/anchors/.
Run "trust extract-compat". This added the certificate into the /etc/ssl/certs.
(above folders are relevant for Arch Linux)

3. VPN connection was then successfully established.

Thanks for the inputs.
Take care.


On 12/1/17, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Fri, 2017-12-01 at 12:58 +0100, Union wrote:
>>
>> In the past I could successfully connect with the pfx certificate to
>> the ASA server with openconnect.
>>
>> But last couple of weeks this doesn't work anymore. It seems
>> connection is established, but at the end, it just throw out the login
>> entry (more details in the attachment).
>
> I take it the certificate hasn't expired?
>
> The primary version of OpenConnect isn't on github, btw.  I'm not sure
> which one you're looking at, but it shouldn't make much difference;
> this hasn't changed for a while.
>
> One possibility is that you aren't sending the full trust chain for the
> certificate. Given that your client is complaining about an "untrusted"
> certificate on the server, that looks like you don't have your
> corporate SSL CA installed correctly.
>
> OpenConnect will include all intermediate CAs in its request on the
> wire, if it can find them.... but in your case it won't. Sometimes, the
> server admins forget to install the intermediate CAs. And sometimes,
> ancient OpenSSL bugs mean that the ASA attempts to use the *wrong*
> intermediate CA.
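The fix described in step 2 above, as an added example that is not part of this thread or of the OpenConnect project: a POSIX shell script that installs a DER or PEM CA certificate as a p11-kit trust anchor using the Arch Linux anchor directory and the `trust extract-compat` step from the post, then checks a server certificate against that anchor with openssl, which reproduces the "untrusted" failure when the anchor or an intermediate is missing. It assumes openssl is installed; ANCHOR_DIR, the function names and the file names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes openssl is installed.
# ANCHOR_DIR defaults to the Arch Linux path from the thread and may be
# overridden (for instance to a temporary directory when testing).
set -eu

ANCHOR_DIR="${ANCHOR_DIR:-/etc/ca-certificates/trust-source/anchors}"

# Report whether a certificate file is PEM or DER encoded. PEM carries a
# textual header; anything else is treated as DER.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# Normalise a CA certificate to PEM and copy it into the anchor directory.
# p11-kit accepts DER as well, but PEM stays readable with
# "openssl x509 -in FILE -noout -text" when you need to inspect it later.
# Prints the path of the installed anchor.
install_ca_anchor() {
    src="$1"; name="$2"
    mkdir -p "$ANCHOR_DIR"
    openssl x509 -inform "$(cert_format "$src")" -in "$src" \
        -out "$ANCHOR_DIR/$name.crt"
    echo "$ANCHOR_DIR/$name.crt"
}

# Regenerate /etc/ssl/certs and the compat bundles from the anchors, as in
# step 2 of the thread. Needs root, so it is a separate step.
refresh_trust_store() {
    trust extract-compat
}

# Verify a leaf certificate against an anchor, passing any intermediates
# in CHAIN (optional) as untrusted. Returns openssl's verdict: a missing
# anchor or missing intermediate gives the "untrusted" failure the thread
# describes (unable to get local issuer certificate).
verify_leaf() {
    leaf="$1"; anchor="$2"; chain="${3:-}"
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$anchor" -untrusted "$chain" "$leaf" >/dev/null 2>&1
    else
        openssl verify -CAfile "$anchor" "$leaf" >/dev/null 2>&1
    fi
}

# Usage on a real system, as root:
#   ANCHOR=$(install_ca_anchor corp-ca.der corp-ca) && refresh_trust_store
#   verify_leaf server.pem "$ANCHOR" intermediates.pem
```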
