Hello

First of all, thanks for the extremely quick reply from your side.

Short story: The issue was a missing CA certificate.

Long story:

1. I was cloning openconnect from git://git.infradead.org/users/dwmw2/openconnect.git (published at http://www.infradead.org/openconnect/download.html).
2. I've got the CA certificate (in DER) and put it in /etc/ca-certificates/trust-source/anchors/. Run "trust extract-compat". This added the certificate into /etc/ssl/certs. (The above folders are relevant for Arch Linux.)
3. The VPN connection was then successfully established.

Thanks for the inputs. Take care.

On 12/1/17, David Woodhouse <dwmw2 at infradead.org> wrote:
> On Fri, 2017-12-01 at 12:58 +0100, Union wrote:
>>
>> In the past I could successfully connect with the pfx certificate to
>> the ASA server with openconnect.
>>
>> But for the last couple of weeks this doesn't work anymore. It seems the
>> connection is established, but at the end, it just throws out the login
>> entry (more details in the attachment).
>
> I take it the certificate hasn't expired?
>
> The primary version of OpenConnect isn't on github, btw. I'm not sure
> which one you're looking at, but it shouldn't make much difference;
> this hasn't changed for a while.
>
> One possibility is that you aren't sending the full trust chain for the
> certificate. Given that your client is complaining about an "untrusted"
> certificate on the server, that looks like you don't have your
> corporate SSL CA installed correctly.
>
> OpenConnect will include all intermediate CAs in its request on the
> wire, if it can find them.... but in your case it won't. Sometimes, the
> server admins forget to install the intermediate CAs. And sometimes,
> ancient OpenSSL bugs mean that the ASA attempts to use the *wrong*
> intermediate CA.