Yes, sure, ca-cert is set, the log shows "[main] processed 1 CA certificate(s)", and cert-user-oid is set to use CN too, but no luck.

On Sun, Dec 8, 2013 at 3:45 AM, Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Sun, 2013-12-08 at 01:59 +0800, Karl wrote:
>> Hi,
>>
>> In my config, it has:
>>
>> auth = "certificate"
>> auth = "plain[/opt/ocserv/passwd]"
>>
>> but the AnyConnect client failed to connect, and the debug log shows:
>>
>> "No certificate was found."
>>
>> After adding "always-require-cert=false", it goes further, but still has an error
>> like:
>>
>> "error verifying client certificate."
>>
>> Did I miss something, or is it buggy in 0.2.2?
>
> You'll need to set the authority that signed the client certificate
> with the ca-cert option. Otherwise ocserv doesn't know which
> certificates are valid.
>
> regards,
> Nikos