Bug 348318

Summary: Will not connect to openconnect vpn if signer not found
Product: [Plasma] plasma-nm    Reporter: Leon Maurer <leon.maurer>
Component: general    Assignee: Lukáš Tinkl <lukas>
Status: RESOLVED FIXED    
Severity: normal CC: ashkanull, danie.theron.101, drdemsey, eindjedrop, frapell, gorilych, ioann.sys, jgrulich, kai.hofstetter, rdieter, sajan, serhii.dovhan, tschenturs
Priority: NOR    
Version: 5.3.0   
Target Milestone: ---   
Platform: Kubuntu   
OS: Linux   

Description Leon Maurer 2015-05-27 15:34:13 UTC
First off, let me say that I'm not certain that this is a problem with KDE; it could be a problem with some underlying software. All I know is that this problem showed up when I upgraded from Kubuntu 14.10 to 15.04, which included an upgrade to Frameworks 5. However, it may be a KDE problem, so I'll start here.

If I try to connect to a vpn I use, I get a pop-up saying:

    Check failed for certificate from VPN server "dept-ra-cssc.vpn.wisc.edu".
    Reason: signer not found
    Accept it anyway?

This is not new (it happened with previous versions of NetworkManager). However, when I tell it to connect anyway, the pop-up goes away and the main window says:

    Failed to open HTTPS connection to dept-ra-cssc.vpn.wisc.edu

Not surprisingly, network manager does not connect to the VPN. If I click "View Log", I get the following:

    POST https://dept-ra-cssc.vpn.wisc.edu/
    Attempting to connect to server 144.92.42.108:443
    SSL negotiation with dept-ra-cssc.vpn.wisc.edu
    Server certificate verify failed: signer not found
    SSL connection failure: Error in the certificate.
    Failed to open HTTPS connection to dept-ra-cssc.vpn.wisc.edu

FWIW, in the popup, there is the following additional information:

X.509 Certificate Information:
Version: 3
Serial Number (hex): 0080ebb5df10f74fb514696ef69e148cc8
Issuer: C=US,ST=MI,L=Ann Arbor,O=Internet2,OU=InCommon,CN=InCommon RSA Server CA
Validity:
Not Before: Thu Feb 05 00:00:00 UTC 2015
Not After: Tue Mar 06 23:59:59 UTC 2018
Subject: C=US,postalCode=53706,ST=WI,L=Madison,street=1210 West Dayton Street,O=University of Wisconsin-Madison,OU=OCIS,CN=dept-ra-cssc.vpn.wisc.edu,1.2.840.113549.1.9.2=#162366612d637373632d623338302d31302d76706e2d7072693138732e776973632e656475
Subject Public Key Algorithm: RSA
Algorithm Security Level: Medium (2048 bits)
Modulus (bits 2048):
00:af:b4:00:a1:43:61:66:e1:d0:e6:02:2d:05:51:44
17:38:02:4e:f1:54:b4:fd:9c:cb:e9:37:ae:38:bf:c5
f7:13:4b:4b:5b:a7:17:72:58:c5:e5:00:ee:b2:37:10
a8:67:46:f7:55:33:30:d0:09:3f:7f:ae:81:6e:63:63
7c:5b:32:0a:9a:84:a5:4f:f2:4c:e5:0b:08:24:db:5b
4d:a2:b2:aa:32:52:8c:6b:90:6c:83:dd:94:5d:77:54
7f:5a:70:3a:95:61:36:25:8f:7c:48:e4:84:00:b6:95
4c:5a:c7:39:3e:a5:a2:42:aa:60:8a:78:78:e4:3b:9c
4e:fa:15:3a:93:89:76:b5:80:13:a9:08:ef:ac:65:c0
e2:98:44:f4:cc:46:ef:e3:49:37:18:ab:a9:7b:73:00
7a:b2:4b:b8:93:06:72:a3:da:7c:77:35:08:fa:f5:ad
74:29:0c:1b:cd:2f:ef:4c:fc:b9:34:82:25:e9:10:0a
13:7f:f5:59:85:81:6b:e4:ad:ce:42:f2:3d:b7:e5:9a
6b:70:74:79:ad:39:68:13:4e:ca:58:79:95:28:26:5e
69:75:de:af:f1:d1:f6:f2:a7:86:35:0b:31:7e:8a:d4
ea:77:e3:21:e0:be:f9:0d:a7:e5:2f:bf:99:3e:9c:04
db
Exponent (bits 24):
01:00:01
Extensions:
Authority Key Identifier (not critical):
1e05a3778f6c96e25b874ba6b486ac71000ce738
Subject Key Identifier (not critical):
62aca730c0842d047d64bba0915fb654830f4f6f
Key Usage (critical):
Digital signature.
Key encipherment.
Basic Constraints (critical):
Certificate Authority (CA): FALSE
Key Purpose (not critical):
TLS WWW Server.
TLS WWW Client.
Certificate Policies (not critical):
1.3.6.1.4.1.5923.1.4.3.1.1
URI: https://www.incommon.org/cert/repository/cps_ssl.pdf
2.23.140.1.2.2
CRL Distribution points (not critical):
URI: http://crl.incommon-rsa.org/InCommonRSAServerCA.crl
Authority Information Access (not critical):
Access Method: 1.3.6.1.5.5.7.48.2 (id-ad-caIssuers)
Access Location URI: http://crt.usertrust.com/InCommonRSAServerCA_2.crt
Access Method: 1.3.6.1.5.5.7.48.1 (id-ad-ocsp)
Access Location URI: http://ocsp.usertrust.com
Subject Alternative Name (not critical):
DNSname: dept-ra-cssc.vpn.wisc.edu
Signature Algorithm: RSA-SHA256
Signature:
63:88:8b:e2:7f:8b:ff:28:a2:0e:b0:16:9a:69:9a:f8
dc:9d:6d:df:09:e2:d1:78:48:65:74:30:e7:c4:45:aa
ba:19:8f:40:28:7b:d6:aa:1d:de:81:73:cb:70:5d:1f
58:6a:1d:cd:10:cf:98:4c:38:56:d4:ab:0f:2c:be:bb
b0:27:22:21:91:3c:60:57:95:4e:aa:2d:ee:3b:10:9f
b8:f0:54:ed:0e:68:20:ee:12:77:08:2b:66:7b:49:21
3c:f3:1b:2c:45:eb:a0:f1:96:3c:e6:b4:4c:7f:33:d4
61:19:41:ad:11:11:46:ff:94:0a:9b:2f:75:2e:19:a6
22:4e:e4:ef:77:8b:5e:b3:f8:38:9d:ba:1e:51:8c:43
9f:0b:d8:2c:1a:52:be:00:eb:a1:f7:3a:42:83:8c:13
ec:9c:9e:e0:e9:76:28:fb:9c:a9:29:51:32:cd:0f:1c
1e:ff:a9:dc:52:61:fa:f9:de:39:a8:de:34:cf:0e:06
b7:b8:e0:2f:cd:92:75:7a:7d:41:db:c8:6e:5c:2c:58
5e:70:fa:45:df:fa:91:ec:85:40:db:da:1e:95:0a:c2
c4:64:6f:85:62:d7:96:79:f3:6e:99:60:a2:a8:f4:c9
ae:43:58:6e:53:12:f0:9e:16:d5:59:dd:5b:fc:73:88
Other Information:
SHA1 fingerprint:
89db514cabc86168864a02d7ad28fbd1de0ef2d4
SHA256 fingerprint:
a8d1f7a7ef260005ef8d5aeafa43e2ecd75fedd2763306869e1a4397e0243fb3
Public Key ID:
fd87d52d2889ce6f20da039597c90d3581a6f33b
Public key's random art:
+--[ RSA 2048]----+
| o+. |
| + . |
| = = |
| = =o.. . ..|
| . +S + . o o|
| . .oo o o . |
| + .oo o . |
| . o E.. . |
| . o. |
+-----------------+

Reproducible: Always
Comment 1 Leon Maurer 2015-05-27 15:36:31 UTC
I should add that this sounds very similar to bug 308630.
Comment 2 Wim Entrop 2015-05-29 20:07:22 UTC
Same problem here. After upgrading from Kubuntu 14.10 to 15.04 it is not possible to set up a VPN connection if the certificate is not recognized, using network-manager-openconnect.
On a system running Ubuntu 15.04 (also upgraded from 14.10) using network-manager-openconnect-gnome everything works.
The problem is that under Kubuntu the screen for accepting the certificate is shown, but the connection is already refused. The error log of openconnect is the same as Leon's.
There is not even the chance to provide your credentials.
==================
POST https://xxx.yyy.eu/
Attempting to connect to server xxx.xxx.xxx.xxx:443
SSL negotiation with xxx.yyy.eu
Server certificate verify failed: signer not found
SSL connection failure: Error in the certificate.
Failed to open HTTPS connection to xxx.yyy.eu
=======================================
Comment 3 Daniel Theron 2015-06-26 17:20:24 UTC
I have the same problem here. Installed Kubuntu 15.04 from scratch & installed network-manager-openconnect (including dependencies - openconnect + vpnc-scripts)

POST https://hostx.domainy.com/
Attempting to connect to server xx.x.xx.xxx:443
SSL negotiation with hostx.domainy.com
Server certificate verify failed: signer not found
SSL connection failure: Error in the certificate.
Failed to open HTTPS connection to hostx.domainy.com

Also did not ask me for my credentials.

Versions:
vpnc-scripts (0.1~git20140806-1)
openconnect (6.00-1)
network-manager-openconnect (0.9.10.0-1ubuntu2)

Workaround - connect to VPN from command line:
$ sudo openconnect hostx.domainy.com
POST https://hostx.domainy.com/
Attempting to connect to server xx.x.xx.xxx:443
SSL negotiation with hostx.domainy.com
Server certificate verify failed: signer not found

Certificate from VPN server "hostx.domainy.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on hostx.domainy.com
XML POST enabled
Please enter your username and password.
GROUP: [SSL]:SSL
POST https://hostx.domainy.com/
XML POST enabled
Please enter your username and password.
Username:domain123\professorx
Password:
POST https://hostx.domainy.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connect Banner:
| Notice: This system is intended solely for users authorized by ABC
| Worldwide, Inc. and related and affiliated entities ('ABC'). By
| continuing to access this system you agree to be bound by these
| terms:
| Any unauthorized use, misuse, or disclosure of information
| contained in this system may result in disciplinary action for ABC
| employees, up to and including termination of employment;
| termination of business relationship with ABC or further legal action.
| 

Connected tun0 as xx.x.xxx.xxx, using SSL
Established DTLS connection (using GnuTLS). Ciphersuite AES128-SHA.
Comment 4 ashkan 2015-08-07 15:44:49 UTC
Same problem on latest Fedora22 (Linux localhost.localdomain 4.1.3-201.fc22.x86_64).
Works on fedora 22 gnome and fedora 21 kde

log says : 
POST https://example.com/
Attempting to connect to server 146.12.36.55:443
SSL negotiation with example
Server certificate verify failed: signer not found
SSL connection failure: Error in the certificate.
Failed to open HTTPS connection to example.com
POST https://example.com/
Attempting to connect to server 146.12.36.55:443
SSL negotiation with example.com
Server certificate verify failed: signer not found
SSL connection failure: Error in the certificate.
Failed to open HTTPS connection to example.com
POST https://example.com/
Attempting to connect to server 146.12.36.55:443
SSL negotiation with example.com
Server certificate verify failed: signer not found
SSL connection failure: Error in the certificate.
Failed to open HTTPS connection to example.com
Comment 5 Franco Pellegrini 2015-09-28 18:27:30 UTC
I am also having this exact same issue on KDE Plasma 5.3.2. Hitting "Ok" to accept the certificate just fails.

Connecting from the CLI works fine:

$ sudo openconnect example.com -u user
POST https://example.com/
Attempting to connect to server 8.8.8.8:443
SSL negotiation with example.com
Server certificate verify failed: signer not found

Certificate from VPN server "example.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on example.com
Disabling XML POST due to authgroup option
GET https://example.com/
Attempting to connect to server 8.8.8.8:443
SSL negotiation with example.com
Server certificate verify failed: signer not found
Connected to HTTPS on example.com
Got HTTP response: HTTP/1.0 302 Object Moved
GET https://example.com/+webvpn+/index.html
SSL negotiation with example.com
Server certificate verify failed: signer not found
Connected to HTTPS on example.com
Please enter your username and password.
GROUP: [Group-A|Group-B]:Group-A
Password:
POST https://example.com/+webvpn+/index.html
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as 10.0.8.69, using SSL + deflate
Established DTLS connection (using OpenSSL)
Comment 6 kde 2015-10-21 12:00:58 UTC
*** This bug has been confirmed by popular vote. ***
Comment 7 serhii.dovhan 2015-10-24 11:27:29 UTC
I have the same problem in Arch Linux with Plasma 5. Even though openconnect on the command line works fine and trusts the server certificate, NetworkManager doesn't work.
Comment 8 Michał Karpiński 2015-10-30 09:11:54 UTC
I have the same problem in Kubuntu 15.10 (Plasma 5.4.2).
Comment 9 Kai Hofstetter 2015-10-31 12:59:38 UTC
I have the same problem after upgrading to Kubuntu 15.04 (from Kubuntu 15.10)
Comment 10 Kai Hofstetter 2015-10-31 13:02:52 UTC
sorry, to 15.10 from 15.04 of course
Comment 11 Kai Hofstetter 2015-10-31 18:53:43 UTC
Found the reason, why vpn didn't work after the upgrade!
After the upgrade, the user certificate file is also used for the CA certificate!
Comment 12 Robert Demski 2015-11-08 17:25:46 UTC
Hi @Leon

After upgrading the openSUSE distro 13.2 -> Leap 42.1 I have a similar problem (plasma-nm5-openconnect-5.4.2).
The VPN server to which I am trying to connect has an untrusted certificate (self-signed) and, in addition, its CN does not match the hostname.

POST https://my-vpn-server
Attempting to connect to server my-vpn-server-ip:443
SSL negotiation with centaur1.visiona.com
Server certificate verify failed: signer not found
SSL connection failure: Error in the certificate.
Failed to open HTTPS connection to my-vpn-server

To get around this, I added the untrusted certificate in the VPN editor under "CA Certificate" (first saving it as a .cer file with a web browser).

I have tested your link https://dept-ra-cssc.vpn.wisc.edu/
and it works for me.

POST https://dept-ra-cssc.vpn.wisc.edu/
Attempting to connect to server 144.92.42.108:443
SSL negotiation with dept-ra-cssc.vpn.wisc.edu
Connected to HTTPS on dept-ra-cssc.vpn.wisc.edu
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Sun, 08 Nov 2015 16:28:14 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled

I am getting a dialogue to select a group and enter a user name and password.

To me it looks like your system (some truststore / cacerts) lacks the root CA that issued the certificate for "InCommon RSA Server CA". Analyzing the certificate chain, it would be "USERTrust RSA Certification Authority". Try downloading the certificate from https://dept-ra-cssc.vpn.wisc.edu/ and adding that certificate (the path to the .cer) when setting up the VPN connection.
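The two situations described in Comment 11 (a user/server certificate mistakenly configured as the "CA Certificate") and Comment 12 (the trust store lacks the root that issued the intermediate) can be reproduced and checked offline before anything is typed into the VPN dialog. The script below is an added example written for this page; it is not code from plasma-nm, NetworkManager or openconnect. It assumes only the openssl command-line tool (1.1.1 or 3.x). The names vpn.example.test, "Example Root CA" and "Example Issuing CA" are made up; openconnect itself is not run, only the invocation that would fix the desktop client is printed.

```shell
#!/bin/sh
# Added example, not from the bug report or from plasma-nm/openconnect.
# Mints a throwaway root -> intermediate -> leaf chain (the same shape as
# USERTrust -> InCommon RSA Server CA -> dept-ra-cssc.vpn.wisc.edu), then
# shows why "signer not found" appears and which file fixes it.
# Assumes only the openssl CLI (1.1.1 or 3.x). All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for the two kinds of certificate we mint.
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test
EOF

quiet() { "$@" >/dev/null 2>&1; }

# 1. Self-signed root: the certificate the affected desktops did not trust.
quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr"
quiet openssl x509 -req -days 30 -set_serial 1 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/ext.cnf" -extensions ca \
    -out "$WORK/root.crt"

# 2. Intermediate issued by the root (the "InCommon RSA Server CA" role).
quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr"
quiet openssl x509 -req -days 30 -set_serial 1000 -in "$WORK/inter.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/inter.crt"

# 3. Server (leaf) certificate issued by the intermediate.
quiet openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
quiet openssl x509 -req -days 30 -set_serial 1001 -in "$WORK/leaf.csr" \
    -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -extfile "$WORK/ext.cnf" -extensions leaf -out "$WORK/leaf.crt"

# verify_chain CAFILE: validate the leaf the way a TLS client does, trusting
# only CAFILE. The intermediate goes in as -untrusted because a server sends
# it in the handshake, but the chain still has to end at a trusted root.
# Prints "ok" or "fail".
verify_chain() {
    if openssl verify -no-CApath -no-CAfile -CAfile "$1" \
        -untrusted "$WORK/inter.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# is_ca_cert FILE: the check Comment 11 needed. A user or server certificate
# carries CA:FALSE and can never serve as the "CA Certificate". Prints yes/no.
is_ca_cert() {
    if openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'; then
        echo yes
    else
        echo no
    fi
}

# leaf_sha256: the value to compare with the fingerprint shown in the accept
# dialog before trusting anything by hand. Prints the colon-separated digest.
leaf_sha256() {
    openssl x509 -in "$WORK/leaf.crt" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

echo "trust only the server cert (Comment 11): $(verify_chain "$WORK/leaf.crt")"
echo "trust only the intermediate:             $(verify_chain "$WORK/inter.crt")"
echo "trust the root (Comment 12):             $(verify_chain "$WORK/root.crt")"
echo "root is a CA: $(is_ca_cert "$WORK/root.crt"), leaf is a CA: $(is_ca_cert "$WORK/leaf.crt")"
echo "leaf SHA-256 fingerprint: $(leaf_sha256)"
# With the root in hand the client gets a verified chain instead of a prompt.
echo "openconnect --cafile=$WORK/root.crt vpn.example.test   # not run here"
```

The first two verify calls fail for the same reason the GUI reports "signer not found": neither the leaf nor the intermediate is a self-signed trust anchor, so the chain cannot be closed. Only the root makes it pass, which is what the "CA Certificate" field (or openconnect's --cafile) has to point at. Accepting the certificate interactively, as the command-line workarounds in this thread do, skips that check and trusts whatever the peer presented; if the root genuinely cannot be obtained, compare the fingerprint against a value learned out of band rather than clicking through.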
Comment 13 ioann 2015-11-17 21:27:15 UTC
Same problem on Debian Stretch.

I fixed that with the following steps:
1. apt-get install cinnamon
2. apt-get install network-manager-openconnect-gnome
3. Create a new VPN connection in the GUI
4. That works
5. Change the session to Plasma
6. Now network-manager with openconnect works fine.
Comment 14 Jan Grulich 2015-12-02 08:25:42 UTC
Git commit 42f0cbd57677cde47d671774fc099c33ab749c7e by Jan Grulich.
Committed on 02/12/2015 at 08:25.
Pushed by grulich into branch 'master'.

Revert: avoid using dialog->exec() in openconnect VPN plugin

We need to wait for the dialog result before we continue

M  +9    -11   vpn/openconnect/openconnectauth.cpp

http://commits.kde.org/plasma-nm/42f0cbd57677cde47d671774fc099c33ab749c7e
Comment 15 Jan Grulich 2015-12-02 08:26:21 UTC
Git commit 77282d889333d558e805ef744627d567cf9816e9 by Jan Grulich.
Committed on 02/12/2015 at 08:26.
Pushed by grulich into branch 'Plasma/5.5'.

Revert: avoid using dialog->exec() in openconnect VPN plugin

We need to wait for the dialog result before we continue

M  +9    -11   vpn/openconnect/openconnectauth.cpp

http://commits.kde.org/plasma-nm/77282d889333d558e805ef744627d567cf9816e9