On Wed, 2018-11-07 at 11:15 -0500, Adam Allgood wrote:
> Thanks so much for the response! I think I found the issuer cert
> needed (unless it's causing the problems below) - and I exported it
> from the chrome certificate manager as a .pem file. I no longer got a
> certificate validation failure,

Thanks for following up. So... the question becomes, "could OpenConnect
have found that cert in the Chrome certificate store for itself without
your help?".

I understand you're running in an Ubuntu chroot? There must be *some*
set of trusted certificates, but this intermediate isn't necessarily
trusted at all even in Chrome OS. It's just a link in a chain.

I'm guessing there's not a lot we can do here. If there is an NSS
database in ~/.pki/nssdb/ visible to OpenConnect, perhaps there's an
argument that we should at least have an option to try looking there?

> and after telling the shill program in
> ChromeOS to stop destroying my tun0 devices (sudo stop shill followed
> by sudo start shill BLACKLISTED_DEVICES="tun0,br0"), I got a stable
> connection!

What names does shill permit by default? Should we just use a different
name on Chrome OS? You can change it with the '--interface' option.