Enable self signed certificates in OpenConnect GUI


I am trying to connect to a VPN server hosting a self-signed TLS certificate using OpenConnect VPN client. The authentication in VPN is behind Microsoft SSO.

When I try to connect to the VPN (Settings->Network->VPN), a browser pop-up comes up (process is actually /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess) where I can login using SSO but then a message 'Unacceptable TLS certificate' comes up in the pop-up window.

Things I have tried:

  1. Copied the VPN server certificate to /usr/local/share/ca-certificates/extra/, ran sudo update-ca-certificates --fresh.
Clearing symlinks in /etc/ssl/certs...
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
138 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

I manually checked – the certificate did get appended to /etc/ssl/certs/ca-certificates.crt

  1. Added the certificate in the VPN configuration (Settings->Network->VPN->VPN 1->Identity-> CA Certificate). But still getting 'Unacceptable TLS certificate'.

My findings:

  • In openconnect cli tool, there is a parameter to pass certificate sha --servercert. But thats in the cli. Not sure if there is something similar for openconnect network-manager GUI.
  • Checking the running processes confirmed that the GUI is part of webkit2.
  • webkit2 probably doesn't support self signed certificates

OS: Ubuntu 23.10 OpenConnect Version: v9.12-1. Using GnuTLS 3.8.1.

Best Answer

My best guess about why there was 'Unacceptable TLS certificate' error in the first place is probably the webkit2 browsers (launched by network-manager openconnect for SSO) is not reading the certificates from /etc/ssl/certs - and that is strange.

Workaround solution:

  1. Setup mitmproxy and its mitmproxy CA. Run proxy from terminal using mitmdump --ssl-insecure
  2. Configure and enable proxy in network manager. (Settings -> Network -> Proxy(Manual)). Default host and port for mitmproxy is
  3. Now try to connect to VPN. It should work.
  4. Once the VPN connection is established you can kill the mitmdump process and toggle the proxy off in network settings. It won't affect the VPN connection.

What is essentially happening is, the proxy server won't verify the TLS cert offered by the VPN server (because of the --ssl-insecure parameter). This lets us do the SSO.

Note - It is important to stop the proxy server once the VPN connection is established as the proxy server is running in insecure mode.

Tip - Once the proxy details have been put in proxy settings, the proxy can be toggled on using gsettings set org.gnome.system.proxy mode 'manual' and toggled off using gsettings set org.gnome.system.proxy mode 'none'. Using these commands make it a bit easier.

Related Question