Linux – Certificate validation failure while using cisco anyconnect with pfx certificates

certificatecisco-vpn-clientlinuxlinux-mintvpn

I have installed cisco anyconnect secure mobile client 4.2.01022 (+all required packages).

Then added .pfx certificates to gnone2-key storage.

Then I launched cisco anyconnect secure mobile client typed where to connect – but cisco keep saying me that Certificate validation failure

Tried this:

sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca

link was created but didn't help. How to connect?

UPD:

This way I have extracted some certificates in different formats:

openssl pkcs12 -in store.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in store.pfx -nocerts -nodes  -out domain.key
openssl pkcs12 -in store.pfx -out domain.crt -nodes -nokeys -cacerts
openssl pkcs12 -in  store.pfx  -nocerts -out domain.pem -nodes

Got 4 files:

domain.cer
domain.key
domain.crt
domain.pem

Placed all 4 of them in 3 different places:

~/.cisco/certificates/ca ~

Trusted CA and root certificates

~/.cisco/certificates/client

Client certificates

~/.cisco/certificates/client/private

Private keys

Same error.

UPD2: Tried to configure cisco anyconnect compatible with openconnect (which integrated to linux network center):
It asks to set:

CA certificate (it has to be domain.crt, so chosen it)
User certificate  (that is it? - didnt choose)
Private key  (I think its domain.key, so chosen it)

But if tries to connect:

Certificate from VPN server [host ip] failed verification.
Reason: certificate does not match hostname
Do you want to accept it?

    Certificate from VPN server "194.176.96.4" failed verification.
    Reason: certificate does not match hostname
    Do you want to accept it?

With below info:
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): ****
    Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=GeoTrust RSA CA 2018
    Validity:
       Not Before: **
        Not After: **
    Subject: C=RU,ST=[city],L=[city],O=[company name],OU=IT,CN=vpn.[companyname].ru
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
....

I accept – and same error Certificate validation failure, full log:

POST https://[host_name]/
Attempting to connect to server [host_name]:443
SSL negotiation with [host_name]
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on [host_name]
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Server requested SSL client certificate; none was configured
POST https://[host_name]/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled

PS: On windows same steps worked, added cert by double clicking then launched cisco client, typed server, then he asked password to server I quess – and then I was connected.

Best Answer

AnyConnect supports PEM format client certificates for authentication. Check administrator guide on how to configure client certificates for Linux platform. Copy the client certificate to the folder ~/.cisco/certificates/client and the private key to ~/.cisco/certificates/client/private. Also -

All certificate files must end with the extension .pem.
All private key files must end with the extension .key.
A client certificate and its corresponding private key must have the same filename. For example: client.pem and client.key.

The answer to your question:

AnyConnect checks various locations for certificate files, including those used by web browsers.

What complicates the issue is that there are different types of certificate files to check for, and all should go into directories dedicated for their kind for AnyConnect to see them.

To manually install the certificate in a location where AnyConnect expects it to find

in your case do this:

openssl pkcs12 -in source.pfx -out exported.pem -nokeys
openssl pkcs12 -in source.pfx -out exported.key -nocerts

Use the same name beginning for .pem and .key files.

It will ask you for the .pfx file pass to get both the .pem and .key files.

It will ask you to set up a pass for the .key file. There should be a pass repeat prompt and no errors. AnyConnect will ask for this pass after pressing connect button, but before showing login/pass fields for connection authentication.

Either in your user home directory or /opt create these dirs:

.cisco/certificates/client
.cisco/certificates/client/private

You have to create these manually. AnyConnect's installer creates only the /opt/.cisco/certificates/ca directory.

Put the .pem file in the first directory created manually, and the .key file in the second one.

Now AnyConnect should be able to use these as expected, provided all directories and files have correct access rights.

These dirs are mentioned somewhere in Cisco's documentation (Create a PEM Certificate Store for Mac and Linux).

Don't be surprised to see the same error The AnyConnect package on the secure gateway could not be located.... Read below.

How to make the VPN connection actually work the way you want it to:

In my case only using OpenConnect with the same keyfiles worked so far:

Create .pem and .key files as described above,

do steps 4th and 5th from this site

which are:

apt-get install network-manager-openconnect-gnome

open Netwok Connections, go to VPN tab, click new

select Cisco AnyConnect Compatible VPN (openconnect)

Gateway: [vpn.yourcompany.com]

User Certificate: [select your exported.pem]

Private key: [select your exported.key]

and now try connecting

(through network connection applet visible next to clock on screen should work just fine)

it worked for me on xubuntu 14.04

Why does AnyConnnect not work but OpenConnect does?

from /var/log/syslog I found that AnyConnect tries to download something from the server on the other side but gets 404 error several times and thus fails:

(...) acvpnui (...) Description: CTRANSPORT_ERROR_HTTP_RETURNED_ERROR:The HTTP server returned an error code (>= 400) HTTP status code received 404

This error message means that AnyConnect tries to get something from the server on the other side, after having successfully authenticated, and disconnects because the file (apparently necessary for it to work) is not available.

It looks like OpenConnect does not need this file.

Best Answer

Related Solutions

How to create private security certificates that behave like official ones

Firefox – How to properly install certificate issued to me

The answer to your question:

How to make the VPN connection actually work the way you want it to:

Why does AnyConnnect not work but OpenConnect does?

Related Question