I think the trouble has something to do with cstub. Here's the full log: https://ptpb.pw/7vvE I'm pretty sure it has something to do with this: > [Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1797 Level: trace :: pre-verify(0) > [Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1886 Level: trace :: CurrentDepth(1) Certificate CN(cdca) IssuerCN(<ROOT_CA>) > [Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1888 Level: error :: verify_rc(0) as Error is occurred at CurrentDepth(1). errcode(20) errval(unable to get local issuer certificate) > [Mon Oct 15 18:22:11.449 2018][cstub]Function: setup_in_memory_verification_and_verify Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 2014 Level: error :: Failed to validate Server(<HOSTNAME>) certificates, verify_rc(0) > [Mon Oct 15 18:22:11.449 2018][cstub]Function: hostscan_ssl_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 2150 Level: debug :: Server verification result(Fail) > [Mon Oct 15 18:22:11.449 2018][cstub]Function: hs_transport_curl_get Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 3472 Level: debug :: libcurl error: Error > > [Mon Oct 15 18:22:11.449 2018][cstub]Function: hs_transport_get Thread Id: 0x7F7E580 File: hs_transport.c Line: 1456 Level: trace :: sending get request failed > [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_download_file_s Thread Id: 0x7F7E580 File: hs_download.c Line: 515 Level: error :: unable to contact peer: (https://<HOSTNAME>). > [Mon Oct 15 18:22:11.450 2018][cstub]Function: update_file Thread Id: 0x7F7E580 File: update.c Line: 296 Level: error :: unable to download to library: /home/<USER>/.cisco/hostscan/lib/libcsd.so > [Mon Oct 15 18:22:11.450 2018][cstub]Function: update_library Thread Id: 0x7F7E580 File: update.c Line: 375 Level: warn :: unable to update library: libcsd.so > [Mon Oct 15 18:22:11.450 2018][cstub]Function: verify_libcsd Thread Id: 0x7F7E580 File: main.c Line: 470 Level: error :: unable to locate libcsd. > [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_cache_reset Thread Id: 0x7F7E580 File: hs_cache.c Line: 56 Level: debug :: Resetting cache for '0' > [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_transport_free Thread Id: 0x7F7E580 File: hs_transport.c Line: 595 Level: trace :: de-initialization > [Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_transport_free Thread Id: 0x7F7E580 File: hs_transport.c Line: 639 Level: trace :: de-initialization done > [Mon Oct 15 18:22:11.450 2018][cstub]Function: halt Thread Id: 0x7F7E580 File: main.c Line: 303 Level: info :: goodbye (-12) I have <ROOT_CA> installed locally and can do a wget/curl on the VPN host without issue, so why is cstub failing to verify the host? - Neil On Mon, Oct 08, 2018 at 04:38:26AM -0700, Neil E. Hodges wrote: > Here it is with -vv and set -x: > > > + sh connect.sh > > [sudo] password for <USER>: > > POST https://<HOSTNAME>/ > > Attempting to connect to server <ADDRESS>:<PORT> > > Connected to <ADDRESS>:<PORT> > > SSL negotiation with <HOSTNAME> > > Server certificate verify failed: signer not found > > Connected to HTTPS on <HOSTNAME> > > Got HTTP response: HTTP/1.1 200 OK > > Content-Type: text/html; charset=utf-8 > > Transfer-Encoding: chunked > > Cache-Control: no-cache > > Pragma: no-cache > > Connection: Keep-Alive > > Date: Mon, 08 Oct 2018 11:33:07 GMT > > X-Frame-Options: SAMEORIGIN > > X-Aggregate-Auth: 1 > > HTTP body chunked (-2) > > XML POST enabled > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html > > --2018-10-08 04:33:07-- https://<HOSTNAME>/CACHE/sdesktop/hostscan/linux_x64/manifest > > Resolving <HOSTNAME> (<HOSTNAME>)... Got HTTP response: HTTP/1.1 200 OK > > Content-Type: text/html; charset=utf-8 > > Transfer-Encoding: chunked > > Cache-Control: no-cache > > Pragma: no-cache > > Connection: Close > > Date: Mon, 08 Oct 2018 11:33:07 GMT > > X-Frame-Options: SAMEORIGIN > > HTTP body chunked (-2) > > Refreshing +CSCOE+/sdesktop/wait.html after 1 second... > > <ADDRESS> > > Connecting to <HOSTNAME> (<HOSTNAME>)|<ADDRESS>|:<PORT>... connected. > > WARNING: The certificate of ?<HOSTNAME>? is not trusted. > > WARNING: The certificate of ?<HOSTNAME>? hasn't got a known issuer. > > HTTP request sent, awaiting response... 200 OK > > > > The file is already fully retrieved; nothing to do. > > > > Got 6 files in manifes, locally found 6 > > /home/<USER>/.cisco/hostscan/bin/cscan: OK > > /home/<USER>/.cisco/hostscan/bin/cstub: OK > > /home/<USER>/.cisco/hostscan/lib/libcsd.so: OK > > /home/<USER>/.cisco/hostscan/lib/libhostscan.so: OK > > /home/<USER>/.cisco/hostscan/lib/libinspector.so: OK > > /home/<USER>/.cisco/hostscan/lib/tables.dat: OK > > Launching: /home/<USER>/.cisco/hostscan/bin/cstub -log error -ticket "<TICKET>" -stub "0" -group "" -host "https://<HOSTNAME>/CACHE" -certhash "<CERTHASH>:" > > No value set for `/system/proxy/secure_host' > > No value set for `/system/http_proxy/host' > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html > > SSL negotiation with <HOSTNAME> > > Server certificate verify failed: signer not found > > Connected to HTTPS on <HOSTNAME> > > Got HTTP response: HTTP/1.1 200 OK > > Content-Type: text/html; charset=utf-8 > > Transfer-Encoding: chunked > > Cache-Control: no-cache > > Pragma: no-cache > > Connection: Close > > Date: Mon, 08 Oct 2018 11:33:09 GMT > > X-Frame-Options: SAMEORIGIN > > HTTP body chunked (-2) > > Refreshing +CSCOE+/sdesktop/wait.html after 1 second... > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html > > SSL negotiation with <HOSTNAME> > > Server certificate verify failed: signer not found > > Connected to HTTPS on <HOSTNAME> > > Got HTTP response: HTTP/1.1 200 OK > > Content-Type: text/html; charset=utf-8 > > Transfer-Encoding: chunked > > Cache-Control: no-cache > > Pragma: no-cache > > Connection: Close > > Date: Mon, 08 Oct 2018 11:33:10 GMT > > X-Frame-Options: SAMEORIGIN > > HTTP body chunked (-2) > > Refreshing +CSCOE+/sdesktop/wait.html after 1 second... > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html > > SSL negotiation with <HOSTNAME> > > Server certificate verify failed: signer not found > > Connected to HTTPS on <HOSTNAME> > > Got HTTP response: HTTP/1.1 200 OK > > Content-Type: text/html; charset=utf-8 > > Transfer-Encoding: chunked > > Cache-Control: no-cache > > Pragma: no-cache > > Connection: Close > > Date: Mon, 08 Oct 2018 11:33:11 GMT > > X-Frame-Options: SAMEORIGIN > > HTTP body chunked (-2) > > Refreshing +CSCOE+/sdesktop/wait.html after 1 second... > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html > > SSL negotiation with <HOSTNAME> > > Server certificate verify failed: signer not found > > Connected to HTTPS on <HOSTNAME> > > Got HTTP response: HTTP/1.1 200 OK > > Content-Type: text/html; charset=utf-8 > > Transfer-Encoding: chunked > > Cache-Control: no-cache > > Pragma: no-cache > > Connection: Close > > Date: Mon, 08 Oct 2018 11:33:12 GMT > > X-Frame-Options: SAMEORIGIN > > HTTP body chunked (-2) > > Refreshing +CSCOE+/sdesktop/wait.html after 1 second... > > > > > On Wed, Oct 03, 2018 at 04:18:55AM -0700, Neil E. Hodges wrote: > > Hello, > > > > I've been trying to connect to my workplace's VPN for the first time all > > morning and haven't had much luck: it just spins in "refreshing > > ...wait.html after 1 second" indefinitely. Here's the script I've put > > together based on everything I've found: > > > > > exec sudo openconnect \ > > > --user <USERNAME> \ > > > --cert-expire-warning 15 \ > > > --servercert '<CERTKEY>' \ > > > --os win \ > > > --csd-user <USERNAME> \ > > > --csd-wrapper '/usr/local/bin/csd-wrapper.sh' \ > > > https://<HOSTNAME> > > > > The --servercert argument is what openconnect told me to set it as after > > the first time, and csd-wrapper.sh has been updated with the > > CSD_HOSTNAME=<HOSTNAME>. The log output is at the bottom of this > > message. > > > > I've heard folks saying that if the VPN admins disable Linux support, a > > different certificate is needed, and that they grabbed the certificate > > from a Windows box via JailBreak. I have JailBreak installed and a > > Windows box that has connected to the same VPN host, but I have no idea > > what to look for in the certificate store. Does this seem like it might > > help? If so, where in the certificate store should I look, and what > > should I look for with respect to the certificate name? If not, what > > else should I try? > > > > Here's the version info. It's on a Debian 9.5 system that was just set > > up a few days ago. > > > > > OpenConnect version v7.08 > > > Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS > > > > Thank you, > > > > - Neil > > > > > POST https://<HOSTNAME>/ > > > Connected to <SERVER_IP>:443 > > > SSL negotiation with <HOSTNAME> > > > Server certificate verify failed: signer not found > > > Connected to HTTPS on <HOSTNAME> > > > XML POST enabled > > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html > > > --2018-10-03 04:07:56-- https://<HOSTNAME>/CACHE/sdesktop/hostscan/linux_x64/manifest > > > Resolving <HOSTNAME> (<HOSTNAME>)... <SERVER_IP> > > > Connecting to <HOSTNAME> (<HOSTNAME>)|<SERVER_IP>|:443... Refreshing +CSCOE+/sdesktop/wait.html after 1 second... > > > connected. > > > WARNING: The certificate of ?<HOSTNAME>? is not trusted. > > > WARNING: The certificate of ?<HOSTNAME>? hasn't got a known issuer. > > > HTTP request sent, awaiting response... 200 OK > > > > > > The file is already fully retrieved; nothing to do. > > > > > > Got 6 files in manifes, locally found 6 > > > /home/<USERNAME>/.cisco/hostscan/bin/cscan: OK > > > /home/<USERNAME>/.cisco/hostscan/bin/cstub: OK > > > /home/<USERNAME>/.cisco/hostscan/lib/libcsd.so: OK > > > /home/<USERNAME>/.cisco/hostscan/lib/libhostscan.so: OK > > > /home/<USERNAME>/.cisco/hostscan/lib/libinspector.so: OK > > > /home/<USERNAME>/.cisco/hostscan/lib/tables.dat: OK > > > Launching: /home/<USERNAME>/.cisco/hostscan/bin/cstub -log error -ticket "<TICKET>" -stub "0" -group "" -host "https://<HOSTNAME>/CACHE" -certhash "<CERTHASH>" > > > No value set for `/system/proxy/secure_host' > > > No value set for `/system/http_proxy/host' > > > GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html > > > SSL negotiation with <HOSTNAME> > > > Server certificate verify failed: signer not found > > > Connected to HTTPS on <HOSTNAME> > > > Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
