0

I am trying to connect to a VPN server hosting a self-signed TLS certificate using OpenConnect VPN client. The authentication in VPN is behind Microsoft SSO.

When I try to connect to the VPN (Settings->Network->VPN), a browser pop-up comes up (process is actually /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess) where I can login using SSO but then a message 'Unacceptable TLS certificate' comes up in the pop-up window.

Things I have tried:

  1. Copied the VPN server certificate to /usr/local/share/ca-certificates/extra/, ran sudo update-ca-certificates --fresh.
Clearing symlinks in /etc/ssl/certs...
done.
Updating certificates in /etc/ssl/certs...
rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
138 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

I manually checked - the certificate did get appended to /etc/ssl/certs/ca-certificates.crt

  1. Added the certificate in the VPN configuration (Settings->Network->VPN->VPN 1->Identity-> CA Certificate). But still getting 'Unacceptable TLS certificate'.

My findings:

  • In openconnect cli tool, there is a parameter to pass certificate sha --servercert. But thats in the cli. Not sure if there is something similar for openconnect network-manager GUI.
  • Checking the running processes confirmed that the GUI is part of webkit2.
  • webkit2 probably doesn't support self signed certificates

OS: Ubuntu 23.10 OpenConnect Version: v9.12-1. Using GnuTLS 3.8.1.

4
  • Looking at the screenshot in askubuntu.com/questions/994123/… the GUI has a "CA certificate" option. Did you try to specify your self-signed certificate here? Commented Apr 17 at 16:52
  • Yes, I did try that. (2nd point under things I have tried). Commented Apr 17 at 18:17
  • Is the self-signed certificate really a CA certificate, i.e. usable to sign certificates? Check if CA:true. Only these can be used as trust anchor. Commented Apr 17 at 19:18
  • The self-signed cert does have CA:TRUE field. Regardless, I found a workaround to the whole issue. Commented Apr 19 at 6:03

1 Answer 1

0

My best guess about why there was 'Unacceptable TLS certificate' error in the first place is probably the webkit2 browsers (launched by network-manager openconnect for SSO) is not reading the certificates from /etc/ssl/certs - and that is strange.

Workaround solution:

  1. Setup mitmproxy and its mitmproxy CA. Run proxy from terminal using mitmdump --ssl-insecure
  2. Configure and enable proxy in network manager. (Settings -> Network -> Proxy(Manual)). Default host and port for mitmproxy is 127.0.0.1:8080
  3. Now try to connect to VPN. It should work.
  4. Once the VPN connection is established you can kill the mitmdump process and toggle the proxy off in network settings. It won't affect the VPN connection.

What is essentially happening is, the proxy server won't verify the TLS cert offered by the VPN server (because of the --ssl-insecure parameter). This lets us do the SSO.

Note - It is important to stop the proxy server once the VPN connection is established as the proxy server is running in insecure mode.

Tip - Once the proxy details have been put in proxy settings, the proxy can be toggled on using gsettings set org.gnome.system.proxy mode 'manual' and toggled off using gsettings set org.gnome.system.proxy mode 'none'. Using these commands make it a bit easier.

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .