The apparently misleading error "The AnyConnect package on the secure gateway could not be located..." means AnyConnect does in fact use the certificate which you wanted it to use.
If your goal is to have the VPN connection work as expected, this is not a problem with proper installation of your certificate for AnyConnect to use.
How to make the VPN connection actually work in this case is below the answer to your initial question.
The answer to your question:
AnyConnect checks various locations for certificate files, including those used by web browsers.
What complicates the issue is that there are different types of certificate files to check for, and all should go into directories dedicated for their kind for AnyConnect to see them.
To manually install the certificate in a location where AnyConnect expects to find it, in your case do this:
openssl pkcs12 -in source.pfx -out exported.pem -nokeys
openssl pkcs12 -in source.pfx -out exported.key -nocerts
Use the same name beginning for the .pem and .key files.
It will ask you for the .pfx file pass to get both the .pem and .key files.
It will ask you to set up a pass for the .key file. There should be a pass repeat prompt and no errors.
AnyConnect will ask for this pass after pressing connect button, but before showing login/pass fields for connection authentication.
Either in your user home directory or in /opt create these dirs:
.cisco/certificates/client
.cisco/certificates/client/private
You have to create these manually. AnyConnect's installer creates only the /opt/.cisco/certificates/ca directory.
Put the .pem file in the first directory created manually, and the .key file in the second one.
Now AnyConnect should be able to use these as expected, provided all directories and files have correct access rights.
These dirs are mentioned somewhere in Cisco's documentation (Create a PEM Certificate Store for Mac and Linux).
Don't be surprised to see the same error "The AnyConnect package on the secure gateway could not be located...". Read below.
How to make the VPN connection actually work the way you want it to:
In my case only using OpenConnect with the same key files worked so far:
Create the .pem and .key files as described above, then do steps 4 and 5 from this site, which are:
apt-get install network-manager-openconnect-gnome
open Network Connections, go to the VPN tab, click New
select Cisco AnyConnect Compatible VPN (openconnect)
Gateway: [vpn.yourcompany.com]
User Certificate: [select your exported.pem]
Private key: [select your exported.key]
and now try connecting
(connecting through the network connection applet visible next to the clock on screen should work just fine)
it worked for me on xubuntu 14.04
Why does AnyConnect not work but OpenConnect does?
From /var/log/syslog I found that AnyConnect tries to download something from the server on the other side but gets a 404 error several times and thus fails:
(...) acvpnui
(...) Description: CTRANSPORT_ERROR_HTTP_RETURNED_ERROR:The HTTP server returned an error code (>= 400) HTTP status code received 404
This error message means that AnyConnect tries to get something from the server on the other side, after having successfully authenticated, and disconnects because the file (apparently necessary for it to work) is not available.
It looks like OpenConnect does not need this file.
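A scripted version of the export-and-install procedure from the answer above, as an added example that is not part of the original post. It assumes the bundle is named source.pfx, that the store root is a home directory or /opt as the answer describes, and that the two passwords are supplied as arguments instead of typed at openssl's prompts; the function names install_anyconnect_pem_store, pem_store_key_matches and pem_store_permissions_ok are this example's own. Beyond the answer's steps it adds two checks a practitioner would want before blaming AnyConnect: that the exported certificate and key actually belong together, and that the private key file is owner-only.

```shell
#!/bin/sh
# Added example (not from the original answer): export a PKCS#12 bundle into the
# PEM store layout described above and verify the result.
# Assumed layout: <root>/.cisco/certificates/client/<base>.pem
#                 <root>/.cisco/certificates/client/private/<base>.key
# where <root> is $HOME or /opt and <base> is the .pfx file name without extension.

# install_anyconnect_pem_store <bundle.pfx> <store_root> <pfx_password> <key_password>
# Passwords are given as arguments here instead of at openssl's interactive prompts.
install_anyconnect_pem_store() {
    pfx=$1; root=$2; pfx_pass=$3; key_pass=$4
    client_dir="$root/.cisco/certificates/client"
    key_dir="$client_dir/private"
    base=$(basename "$pfx" .pfx)

    # Create the directories the installer does not (it creates only .../ca);
    # umask 077 in the subshell makes every new directory owner-only from the start.
    (umask 077 && mkdir -p "$key_dir") || return 1

    # Certificate only, no key: same as "openssl pkcs12 -in source.pfx -out exported.pem -nokeys"
    openssl pkcs12 -in "$pfx" -nokeys -out "$client_dir/$base.pem" \
        -passin "pass:$pfx_pass" || return 1

    # Key only, re-encrypted under the new key password that AnyConnect will prompt for
    openssl pkcs12 -in "$pfx" -nocerts -out "$key_dir/$base.key" \
        -passin "pass:$pfx_pass" -passout "pass:$key_pass" || return 1

    # Certificate may be world-readable; the private key must not be.
    chmod 700 "$client_dir" "$key_dir" && chmod 644 "$client_dir/$base.pem" \
        && chmod 600 "$key_dir/$base.key"
}

# pem_store_key_matches <store_root> <base> <key_password>
# Succeeds only when the certificate's public key equals the one derived from the
# private key, i.e. the two exported files really belong together.
pem_store_key_matches() {
    root=$1; base=$2; key_pass=$3
    cert_pub=$(openssl x509 -in "$root/.cisco/certificates/client/$base.pem" \
        -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$root/.cisco/certificates/client/private/$base.key" \
        -passin "pass:$key_pass" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# pem_store_permissions_ok <store_root> <base>
# Succeeds when the private key exists and is exactly mode 600 (owner read/write only).
pem_store_permissions_ok() {
    key="$1/.cisco/certificates/client/private/$2.key"
    [ -f "$key" ] && find "$key" -perm 600 | grep -q .
}

# Usage (hypothetical names):
#   install_anyconnect_pem_store source.pfx "$HOME" "$PFX_PASS" "$KEY_PASS" \
#     && pem_store_key_matches "$HOME" source "$KEY_PASS" \
#     && pem_store_permissions_ok "$HOME" source
```

The same two files serve the OpenConnect route in the answer: the command-line client accepts them as `openconnect --certificate exported.pem --sslkey exported.key vpn.yourcompany.com`, which is the non-GUI equivalent of the NetworkManager fields listed above.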
Best Answer
I had the same experience. I downloaded and installed a Flash grabber program from Softonic and realized almost immediately from the sluggish behavior of my machine that I had picked up rogue software along with the program. I immediately uninstalled the program and rebooted, but then I started getting the relentless CE_UmbrellaCert warning pop-up window. As you mention, it makes the machine unusable. I rolled back as you did which got rid of the warning window, but I was still suspicious about what had been causing the relentless certificate warning pop-up even though the offending program had been uninstalled.
I installed Malware Bytes Free (made sure I updated it with its latest definitions) and did a full system scan. It found 3 PUP (Probably Unwanted Program) items that I didn't have before.
Registry Keys Detected: 1 HKCU\Software\Softonic\Universal Downloader (PUP.Optional.Softonic.A) -> No action taken
Folders Detected: 1 C:\Documents and Settings\Margaret\Application Data\ContentExplorer (PUP.Optional.ContentExplorer.A) -> No action taken.
Files Detected: 1 C:\Documents and Settings\Margaret\Application Data\ContentExplorer\RootCert.cer (PUP.Optional.ContentExplorer.A) -> No action taken.
I checked the little boxes to get rid of the items, but first I had a look at the "RootCert.cer" file. It was a "DO_NOT_TRUST_FiddlerRoot" certificate.
I wish I could help you directly identify which program was causing your CE_UmbrellaCert warning, but I suspect that you must have intentionally or unintentionally installed something or upgraded something just prior to your getting the warning pop-ups that altered your system. That would be the culprit program, add-on or update that you're trying to identify.
Have you tried running a full system scan with the latest updated version of Malware Bytes? It would be interesting to see if you find a registry item and/or a RootCert.cer file on your system as I did.