I am trying to connect to a VPN server that presents a self-signed TLS certificate, using the OpenConnect VPN client. Authentication for the VPN is behind Microsoft SSO.
When I try to connect to the VPN (Settings->Network->VPN), a browser pop-up comes up (the process is actually /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess) where I can log in using SSO, but then the message 'Unacceptable TLS certificate' appears in the pop-up window.
Things I have tried:
- Copied the VPN server certificate to /usr/local/share/ca-certificates/extra/ and ran sudo update-ca-certificates --fresh:
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
138 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
I manually checked: the certificate did get appended to /etc/ssl/certs/ca-certificates.crt.
- Added the certificate in the VPN configuration (Settings->Network->VPN->VPN 1->Identity->CA Certificate). But I am still getting 'Unacceptable TLS certificate'.
My findings:
- In the openconnect CLI tool there is a parameter to pass the certificate SHA hash, --servercert. But that's in the CLI; not sure if there is something similar for the openconnect network-manager GUI.
- Checking the running processes confirmed that the GUI is part of webkit2.
- webkit2 probably doesn't support self-signed certificates.
OS: Ubuntu 23.10
OpenConnect version: v9.12-1, using GnuTLS 3.8.1.
Best Answer
My best guess about why there was an 'Unacceptable TLS certificate' error in the first place is that the webkit2 browser (launched by network-manager openconnect for SSO) is not reading the certificates from /etc/ssl/certs - and that is strange.
Workaround solution: run mitmdump --ssl-insecure, put the proxy details in the network proxy settings and connect to the VPN; once connected, stop the mitmdump process and toggle the proxy off in network settings. It won't affect the VPN connection.
What is essentially happening is that the proxy server won't verify the TLS cert offered by the VPN server (because of the --ssl-insecure parameter). This lets us do the SSO.
Note - It is important to stop the proxy server once the VPN connection is established, as the proxy server is running in insecure mode.
Tip - Once the proxy details have been put in proxy settings, the proxy can be toggled on using gsettings set org.gnome.system.proxy mode 'manual' and toggled off using gsettings set org.gnome.system.proxy mode 'none'. Using these commands makes it a bit easier.
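The workaround above leaves a TLS-interception proxy running in insecure mode if the user forgets the last step. The following script (an added example, not the answerer's code) wraps the same steps with an EXIT trap so the proxy is disabled and mitmdump is stopped whether the login succeeds, fails or is interrupted. It assumes GNOME proxy settings via gsettings (as in the Tip), mitmdump's default listener 127.0.0.1:8080, and that the VPN is brought up interactively from Settings > Network > VPN as in the question.

```bash
#!/usr/bin/env bash
# Added example, not from the original answer: run the mitmdump workaround with
# a trap so the insecure proxy is always disabled and stopped afterwards.
# Assumptions: GNOME proxy settings (gsettings, as in the Tip), mitmdump's
# default listener 127.0.0.1:8080, and a VPN brought up interactively from
# Settings > Network > VPN as described in the question.
PROXY_HOST=127.0.0.1
PROXY_PORT=8080

proxy_on_cmds() {
  # gsettings commands that point the GNOME HTTPS proxy at mitmdump and enable it
  printf '%s\n' \
    "gsettings set org.gnome.system.proxy.https host '$PROXY_HOST'" \
    "gsettings set org.gnome.system.proxy.https port $PROXY_PORT" \
    "gsettings set org.gnome.system.proxy mode 'manual'"
}

proxy_off_cmd() {
  printf '%s\n' "gsettings set org.gnome.system.proxy mode 'none'"
}

cleanup() {
  # Runs on normal exit, Ctrl-C or error: the TLS-interception proxy must not
  # outlive the SSO login, so disable the proxy first, then stop mitmdump.
  eval "$(proxy_off_cmd)"
  if [ -n "${MITM_PID:-}" ]; then
    kill "$MITM_PID" 2>/dev/null || true
    wait "$MITM_PID" 2>/dev/null || true
  fi
  echo "proxy disabled, mitmdump stopped" >&2
}

run_workaround() {
  trap cleanup EXIT INT TERM
  # --ssl-insecure: mitmdump accepts the VPN server's self-signed certificate
  mitmdump --ssl-insecure --listen-host "$PROXY_HOST" --listen-port "$PROXY_PORT" &
  MITM_PID=$!
  proxy_on_cmds | while IFS= read -r cmd; do eval "$cmd"; done
  echo "Proxy active. Connect the VPN from Settings > Network > VPN and log in via SSO."
  read -r -p "Press Enter once the VPN is connected to tear the proxy down... " _
}

# Only run when explicitly requested, so the file can be sourced or tested safely.
if [ "${RUN_VPN_WORKAROUND:-0}" = 1 ]; then run_workaround; fi
```

Run it as RUN_VPN_WORKAROUND=1 ./vpn-sso-proxy.sh; the proxy stays active only until Enter is pressed or the script is interrupted.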