Enable self-signed certificates in OpenConnect GUI


I am trying to connect to a VPN server hosting a self-signed TLS certificate using the OpenConnect VPN client. The authentication in the VPN is behind Microsoft SSO.

When I try to connect to the VPN (Settings->Network->VPN), a browser pop-up comes up (process is actually /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess) where I can login using SSO but then a message 'Unacceptable TLS certificate' comes up in the pop-up window.

Things I have tried:

  1. Copied the VPN server certificate to /usr/local/share/ca-certificates/extra/, ran sudo update-ca-certificates --fresh:

     Clearing symlinks in /etc/ssl/certs...
     done.
     Updating certificates in /etc/ssl/certs...
     rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
     138 added, 0 removed; done.
     Running hooks in /etc/ca-certificates/update.d...
     done.

     I manually checked – the certificate did get appended to /etc/ssl/certs/ca-certificates.crt.

  2. Added the certificate in the VPN configuration (Settings -> Network -> VPN -> VPN 1 -> Identity -> CA Certificate). But still getting 'Unacceptable TLS certificate'.

My findings:

  • In the openconnect CLI tool, there is a parameter to pass the certificate SHA: --servercert. But that's in the CLI. Not sure if there is something similar for the openconnect network-manager GUI.
  • Checking the running processes confirmed that the GUI is part of webkit2.
  • webkit2 probably doesn't support self-signed certificates.

OS: Ubuntu 23.10. OpenConnect version: v9.12-1, using GnuTLS 3.8.1.

Best Answer

My best guess about why there was an 'Unacceptable TLS certificate' error in the first place is that the webkit2 browser (launched by network-manager openconnect for SSO) is probably not reading the certificates from /etc/ssl/certs - and that is strange.

Workaround solution:

  1. Set up mitmproxy and its mitmproxy CA. Run the proxy from a terminal using mitmdump --ssl-insecure.
  2. Configure and enable the proxy in network manager (Settings -> Network -> Proxy (Manual)). The default host and port for mitmproxy is 127.0.0.1:8080.
  3. Now try to connect to the VPN. It should work.
  4. Once the VPN connection is established you can kill the mitmdump process and toggle the proxy off in network settings. It won't affect the VPN connection.

What is essentially happening is that the proxy server won't verify the TLS cert offered by the VPN server (because of the --ssl-insecure parameter). This lets us do the SSO.

Note - It is important to stop the proxy server once the VPN connection is established as the proxy server is running in insecure mode.

Tip - Once the proxy details have been put in the proxy settings, the proxy can be toggled on using gsettings set org.gnome.system.proxy mode 'manual' and toggled off using gsettings set org.gnome.system.proxy mode 'none'. Using these commands makes it a bit easier.
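For the CLI route the question mentions (openconnect --servercert), here is an added example, not from the question or the answer above, that derives the pin value for a self-signed server certificate so the client verifies exactly that key instead of having a proxy skip verification. It assumes openssl is installed; the host name is a placeholder.

```shell
#!/bin/sh
# Added example: compute the value that `openconnect --servercert pin-sha256:...`
# expects. The pin is the base64-encoded SHA-256 of the certificate's
# DER-encoded SubjectPublicKeyInfo (the public key, not the whole cert).
# Assumes openssl is available; vpn.example.com below is a placeholder.

# Read a PEM certificate on stdin, print its pin-sha256 value (no prefix).
pin_sha256() {
    openssl x509 -pubkey -noout \
      | openssl pkey -pubin -outform der \
      | openssl dgst -sha256 -binary \
      | openssl base64 -A
}

# Read a PEM certificate on stdin, print the full --servercert argument value.
servercert_arg() {
    printf 'pin-sha256:%s\n' "$(pin_sha256)"
}

# Return 0 if the PEM certificate on stdin matches the expected pin, 1 otherwise.
# Useful for checking that the server key has not changed since it was pinned.
pin_matches() {
    expected="$1"
    actual="$(pin_sha256)"
    [ "$actual" = "$expected" ]
}

# Fetch the leaf certificate a server presents (host, optional port, default 443).
fetch_server_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509
}

# Typical use, after confirming the pin out of band with the VPN administrator:
#   fetch_server_cert vpn.example.com | servercert_arg
#   openconnect --servercert pin-sha256:<value> vpn.example.com
```

Confirm the printed pin with whoever operates the VPN server before trusting it; pinning a value you only obtained over the network is no better than the proxy workaround.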
