Spinning in "Refreshing wait.html after 1 second" Loop (CSD Verification)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I think the trouble has something to do with cstub.  Here's the full
log: https://ptpb.pw/7vvE

I'm pretty sure it has something to do with this:

> [Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1797 Level: trace :: pre-verify(0)
> [Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1886 Level: trace :: CurrentDepth(1) Certificate CN(cdca) IssuerCN(<ROOT_CA>)
> [Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1888 Level: error :: verify_rc(0) as Error is occurred at CurrentDepth(1). errcode(20) errval(unable to get local issuer certificate)
> [Mon Oct 15 18:22:11.449 2018][cstub]Function: setup_in_memory_verification_and_verify Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 2014 Level: error :: Failed to validate Server(<HOSTNAME>) certificates, verify_rc(0)
> [Mon Oct 15 18:22:11.449 2018][cstub]Function: hostscan_ssl_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 2150 Level: debug :: Server verification result(Fail) 
> [Mon Oct 15 18:22:11.449 2018][cstub]Function: hs_transport_curl_get Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 3472 Level: debug :: libcurl error: Error
> 
> [Mon Oct 15 18:22:11.449 2018][cstub]Function: hs_transport_get Thread Id: 0x7F7E580 File: hs_transport.c Line: 1456 Level: trace :: sending get request failed
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_download_file_s Thread Id: 0x7F7E580 File: hs_download.c Line: 515 Level: error :: unable to contact peer: (https://<HOSTNAME>).
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: update_file Thread Id: 0x7F7E580 File: update.c Line: 296 Level: error :: unable to download to library: /home/<USER>/.cisco/hostscan/lib/libcsd.so
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: update_library Thread Id: 0x7F7E580 File: update.c Line: 375 Level: warn :: unable to update library: libcsd.so
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: verify_libcsd Thread Id: 0x7F7E580 File: main.c Line: 470 Level: error :: unable to locate libcsd.
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_cache_reset Thread Id: 0x7F7E580 File: hs_cache.c Line: 56 Level: debug :: Resetting cache for '0'
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_transport_free Thread Id: 0x7F7E580 File: hs_transport.c Line: 595 Level: trace :: de-initialization
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_transport_free Thread Id: 0x7F7E580 File: hs_transport.c Line: 639 Level: trace :: de-initialization done
> [Mon Oct 15 18:22:11.450 2018][cstub]Function: halt Thread Id: 0x7F7E580 File: main.c Line: 303 Level: info :: goodbye (-12)


I have <ROOT_CA> installed locally and can do a wget/curl on the VPN
host without issue, so why is cstub failing to verify the host?

- Neil


On Mon, Oct 08, 2018 at 04:38:26AM -0700, Neil E. Hodges wrote:
> Here it is with -vv and set -x:
> 
> > + sh connect.sh
> > [sudo] password for <USER>: 
> > POST https://<HOSTNAME>/
> > Attempting to connect to server <ADDRESS>:<PORT>
> > Connected to <ADDRESS>:<PORT>
> > SSL negotiation with <HOSTNAME>
> > Server certificate verify failed: signer not found
> > Connected to HTTPS on <HOSTNAME>
> > Got HTTP response: HTTP/1.1 200 OK
> > Content-Type: text/html; charset=utf-8
> > Transfer-Encoding: chunked
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Connection: Keep-Alive
> > Date: Mon, 08 Oct 2018 11:33:07 GMT
> > X-Frame-Options: SAMEORIGIN
> > X-Aggregate-Auth: 1
> > HTTP body chunked (-2)
> > XML POST enabled
> > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> > --2018-10-08 04:33:07--  https://<HOSTNAME>/CACHE/sdesktop/hostscan/linux_x64/manifest
> > Resolving <HOSTNAME> (<HOSTNAME>)... Got HTTP response: HTTP/1.1 200 OK
> > Content-Type: text/html; charset=utf-8
> > Transfer-Encoding: chunked
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Connection: Close
> > Date: Mon, 08 Oct 2018 11:33:07 GMT
> > X-Frame-Options: SAMEORIGIN
> > HTTP body chunked (-2)
> > Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> > <ADDRESS>
> > Connecting to <HOSTNAME> (<HOSTNAME>)|<ADDRESS>|:<PORT>... connected.
> > WARNING: The certificate of ?<HOSTNAME>? is not trusted.
> > WARNING: The certificate of ?<HOSTNAME>? hasn't got a known issuer.
> > HTTP request sent, awaiting response... 200 OK
> > 
> >     The file is already fully retrieved; nothing to do.
> > 
> > Got 6 files in manifes, locally found 6
> > /home/<USER>/.cisco/hostscan/bin/cscan: OK
> > /home/<USER>/.cisco/hostscan/bin/cstub: OK
> > /home/<USER>/.cisco/hostscan/lib/libcsd.so: OK
> > /home/<USER>/.cisco/hostscan/lib/libhostscan.so: OK
> > /home/<USER>/.cisco/hostscan/lib/libinspector.so: OK
> > /home/<USER>/.cisco/hostscan/lib/tables.dat: OK
> > Launching: /home/<USER>/.cisco/hostscan/bin/cstub -log error -ticket "<TICKET>" -stub "0" -group "" -host "https://<HOSTNAME>/CACHE" -certhash "<CERTHASH>:"
> > No value set for `/system/proxy/secure_host'
> > No value set for `/system/http_proxy/host'
> > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> > SSL negotiation with <HOSTNAME>
> > Server certificate verify failed: signer not found
> > Connected to HTTPS on <HOSTNAME>
> > Got HTTP response: HTTP/1.1 200 OK
> > Content-Type: text/html; charset=utf-8
> > Transfer-Encoding: chunked
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Connection: Close
> > Date: Mon, 08 Oct 2018 11:33:09 GMT
> > X-Frame-Options: SAMEORIGIN
> > HTTP body chunked (-2)
> > Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> > SSL negotiation with <HOSTNAME>
> > Server certificate verify failed: signer not found
> > Connected to HTTPS on <HOSTNAME>
> > Got HTTP response: HTTP/1.1 200 OK
> > Content-Type: text/html; charset=utf-8
> > Transfer-Encoding: chunked
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Connection: Close
> > Date: Mon, 08 Oct 2018 11:33:10 GMT
> > X-Frame-Options: SAMEORIGIN
> > HTTP body chunked (-2)
> > Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> > SSL negotiation with <HOSTNAME>
> > Server certificate verify failed: signer not found
> > Connected to HTTPS on <HOSTNAME>
> > Got HTTP response: HTTP/1.1 200 OK
> > Content-Type: text/html; charset=utf-8
> > Transfer-Encoding: chunked
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Connection: Close
> > Date: Mon, 08 Oct 2018 11:33:11 GMT
> > X-Frame-Options: SAMEORIGIN
> > HTTP body chunked (-2)
> > Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> > SSL negotiation with <HOSTNAME>
> > Server certificate verify failed: signer not found
> > Connected to HTTPS on <HOSTNAME>
> > Got HTTP response: HTTP/1.1 200 OK
> > Content-Type: text/html; charset=utf-8
> > Transfer-Encoding: chunked
> > Cache-Control: no-cache
> > Pragma: no-cache
> > Connection: Close
> > Date: Mon, 08 Oct 2018 11:33:12 GMT
> > X-Frame-Options: SAMEORIGIN
> > HTTP body chunked (-2)
> > Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> 
> 
> 
> 
> On Wed, Oct 03, 2018 at 04:18:55AM -0700, Neil E. Hodges wrote:
> > Hello,
> > 
> > I've been trying to connect to my workplace's VPN for the first time all
> > morning and haven't had much luck: it just spins in "refreshing
> > ...wait.html after 1 second" indefinitely.  Here's the script I've put
> > together based on everything I've found:
> > 
> > > exec sudo openconnect \
> > >     --user <USERNAME> \
> > >     --cert-expire-warning 15 \
> > >     --servercert '<CERTKEY>' \
> > >     --os win \
> > >     --csd-user <USERNAME> \
> > >     --csd-wrapper '/usr/local/bin/csd-wrapper.sh' \
> > >     https://<HOSTNAME>
> > 
> > The --servercert argument is what openconnect told me to set it as after
> > the first time, and csd-wrapper.sh has been updated with the
> > CSD_HOSTNAME=<HOSTNAME>.  The log output is at the bottom of this
> > message.
> > 
> > I've heard folks saying that if the VPN admins disable Linux support, a
> > different certificate is needed, and that they grabbed the certificate
> > from a Windows box via JailBreak.  I have JailBreak installed and a
> > Windows box that has connected to the same VPN host, but I have no idea
> > what to look for in the certificate store.  Does this seem like it might
> > help?  If so, where in the certificate store should I look, and what
> > should I look for with respect to the certificate name?  If not, what
> > else should I try?
> > 
> > Here's the version info.  It's on a Debian 9.5 system that was just set
> > up a few days ago.
> > 
> > > OpenConnect version v7.08                                                                                                                                                    
> > > Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS 
> > 
> > Thank you,
> > 
> > - Neil
> > 
> > > POST https://<HOSTNAME>/
> > > Connected to <SERVER_IP>:443
> > > SSL negotiation with <HOSTNAME>
> > > Server certificate verify failed: signer not found
> > > Connected to HTTPS on <HOSTNAME>
> > > XML POST enabled
> > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> > > --2018-10-03 04:07:56--  https://<HOSTNAME>/CACHE/sdesktop/hostscan/linux_x64/manifest
> > > Resolving <HOSTNAME> (<HOSTNAME>)... <SERVER_IP>
> > > Connecting to <HOSTNAME> (<HOSTNAME>)|<SERVER_IP>|:443... Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
> > > connected.
> > > WARNING: The certificate of ?<HOSTNAME>? is not trusted.
> > > WARNING: The certificate of ?<HOSTNAME>? hasn't got a known issuer.
> > > HTTP request sent, awaiting response... 200 OK
> > > 
> > >     The file is already fully retrieved; nothing to do.
> > > 
> > > Got 6 files in manifes, locally found 6
> > > /home/<USERNAME>/.cisco/hostscan/bin/cscan: OK
> > > /home/<USERNAME>/.cisco/hostscan/bin/cstub: OK
> > > /home/<USERNAME>/.cisco/hostscan/lib/libcsd.so: OK
> > > /home/<USERNAME>/.cisco/hostscan/lib/libhostscan.so: OK
> > > /home/<USERNAME>/.cisco/hostscan/lib/libinspector.so: OK
> > > /home/<USERNAME>/.cisco/hostscan/lib/tables.dat: OK
> > > Launching: /home/<USERNAME>/.cisco/hostscan/bin/cstub -log error -ticket "<TICKET>" -stub "0" -group "" -host "https://<HOSTNAME>/CACHE" -certhash "<CERTHASH>"
> > > No value set for `/system/proxy/secure_host'
> > > No value set for `/system/http_proxy/host'
> > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> > > SSL negotiation with <HOSTNAME>
> > > Server certificate verify failed: signer not found
> > > Connected to HTTPS on <HOSTNAME>
> > > Refreshing +CSCOE+/sdesktop/wait.html after 1 second...



[Index of Archives]     [Linux Samsung SoC]     [Linux Rockchip SoC]     [Linux Actions SoC]     [Linux for Synopsys ARC Processors]     [Linux NFS]     [Linux NILFS]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]


  Powered by Linux