5

I have installed Cisco AnyConnect Secure Mobility Client 4.2.01022 (plus all required packages).

Then I added the .pfx certificates to the gnome2 keyring storage.

Then I launched the Cisco AnyConnect Secure Mobility Client and typed in where to connect, but Cisco keeps telling me "Certificate validation failure".

Tried this:

sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca

The link was created, but it didn't help. How do I connect?

UPD:

This is how I extracted some certificates in different formats:

openssl pkcs12 -in store.pfx -clcerts -nokeys -out domain.cer
openssl pkcs12 -in store.pfx -nocerts -nodes  -out domain.key
openssl pkcs12 -in store.pfx -out domain.crt -nodes -nokeys -cacerts
openssl pkcs12 -in  store.pfx  -nocerts -out domain.pem -nodes

Got 4 files:

domain.cer
domain.key
domain.crt
domain.pem

Placed all 4 of them in 3 different places:

~/.cisco/certificates/ca (trusted CA and root certificates)
~/.cisco/certificates/client (client certificates)
~/.cisco/certificates/client/private (private keys)

Same error.

UPD2: I tried to configure the "Cisco AnyConnect Compatible VPN" via openconnect (which is integrated into the Linux network manager). It asks me to set:

CA certificate (it has to be domain.crt, so I chose it)
User certificate (what is this? - I didn't choose one)
Private key (I think it's domain.key, so I chose it)

But when it tries to connect:

Certificate from VPN server [host ip] failed verification.
Reason: certificate does not match hostname
Do you want to accept it?

With the following info:
X.509 Certificate Information:
    Version: 3
    Serial Number (hex): ****
    Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=GeoTrust RSA CA 2018
    Validity:
        Not Before: **
        Not After: **
    Subject: C=RU,ST=[city],L=[city],O=[company name],OU=IT,CN=vpn.[companyname].ru
    Subject Public Key Algorithm: RSA
    Algorithm Security Level: Medium (2048 bits)
....

I accept, and get the same "Certificate validation failure" error. Full log:

POST https://[host_name]/
Attempting to connect to server [host_name]:443
SSL negotiation with [host_name]
Server certificate verify failed: certificate does not match hostname
Connected to HTTPS on [host_name]
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
Server requested SSL client certificate; none was configured
POST https://[host_name]/
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 26 Aug 2018 08:43:32 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled

PS: On Windows the same steps worked: I added the cert by double-clicking it, then launched the Cisco client, typed the server, then it asked for the password to the server I guess, and then I was connected.

1
  • Can you try the connection again, copy the logs from system.log and share them on any external file sharing server? I can take a look. Also check this thread on how to get the private key and pem file from a pfx.
    – Mahesh
    Commented Aug 26, 2018 at 11:13

3 Answers

4

AnyConnect supports PEM format client certificates for authentication. Check the administrator guide on how to configure client certificates for the Linux platform. Copy the client certificate to the folder ~/.cisco/certificates/client and the private key to ~/.cisco/certificates/client/private. Also:

  • All certificate files must end with the extension .pem.
  • All private key files must end with the extension .key.
  • A client certificate and its corresponding private key must have the same filename. For example: client.pem and client.key.
2
  • 1
    I have extracted them; same error. I had to create those folders manually; is that OK? Because I'm sure that Cisco actually looks at those folders.
    – Rocketq
    Commented Aug 26, 2018 at 7:03
  • 1
    Yes, the user is expected to create those folders. The installer will not create them.
    – Mahesh
    Commented Aug 26, 2018 at 11:09
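As an added example (not code from the question or from either answer), this script lays a .pfx out into the tree the accepted answer describes (same basename, .pem for the certificate, .key for the private key, folders created by hand) and then checks that the extracted certificate and key really belong together before AnyConnect is started. It assumes openssl is installed and reads the .pfx password from a PFX_PASS variable; both are assumptions, not part of the original answer.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Lays a .pfx out
# into the directory tree the accepted answer describes and verifies the pair.
# Assumptions: openssl is installed; the .pfx password is in $PFX_PASS.
set -eu

# Usage: pfx_to_anyconnect store.pfx [basename] [certs_root]
# Produces client/<basename>.pem, client/private/<basename>.key and
# ca/<basename>-chain.pem (matching basenames, .pem and .key extensions).
pfx_to_anyconnect() {
    pfx=$1
    name=${2:-client}
    root=${3:-"$HOME/.cisco/certificates"}
    pass="pass:${PFX_PASS:-}"

    # The installer does not create these folders; the user must.
    mkdir -p "$root/ca" "$root/client" "$root/client/private"
    chmod 700 "$root/client/private"

    # Client certificate only (-clcerts), no key.
    openssl pkcs12 -in "$pfx" -passin "$pass" -clcerts -nokeys \
        -out "$root/client/$name.pem"
    # Issuer chain only; the file is empty if the .pfx carries no CA certs.
    openssl pkcs12 -in "$pfx" -passin "$pass" -cacerts -nokeys \
        -out "$root/ca/$name-chain.pem"
    # Unencrypted private key, created with mode 600 (umask in a subshell).
    (umask 077; openssl pkcs12 -in "$pfx" -passin "$pass" -nocerts -nodes \
        -out "$root/client/private/$name.key")
}

# Returns 0 when the certificate's public key is the one derived from the
# private key, i.e. the two files really belong together; 1 otherwise.
pair_matches() {
    cert=$1
    key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Stand-alone use: PFX_PASS=... sh lay_out.sh store.pfx
if [ "$#" -ge 1 ]; then
    pfx_to_anyconnect "$1"
    pair_matches "$HOME/.cisco/certificates/client/client.pem" \
                 "$HOME/.cisco/certificates/client/private/client.key" \
        && echo "client.pem and client.key belong together"
fi
```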
1

You can use openconnect:

  • Install it:

sudo apt-get install network-manager-openconnect-gnome

  • Convert the .pfx cert to .pem:

openssl pkcs12 -in file.pfx -out file.pem -nodes

  • In your GNOME / KDE, open the Settings > Network menu. In the standard VPN settings you should see the Cisco AnyConnect Compatible VPN item.
0

I had a similar problem, though I'm not sure I'm using the mobile version of AnyConnect. My OS is Fedora 29. The VPN I'm trying to connect to uses a browser-trusted certificate, but not one bundled with the version of AnyConnect I had installed.

The package ca-certificates was already installed on my OS, and ships the necessary certificate, so I symlinked /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to /opt/.cisco/certificates/ca.
