On Fri, 2019-05-10 at 12:24 +0900, Ramses Ramirez wrote:
> Hello everyone,
>
> I have installed openconnect v7.08 on my Centos 7.6 PC through the
> epel repository. However, I run into problems with the server not
> being able to load my certificate in the given location (see below).
>
> I did a "yum list | grep [package]" and found that I have the required
> packages for installation (libxml2, zlib, openssl, and pkg-config).
>
> However, it looks like it is not finding my .pem certificate file. Is
> it a permissions issue or something else? I believe I am using GnuTLS
> instead of openssl (and I don't have a libp11 library from what I can
> tell anyway).
> Thank you for your help in advance.
>
> $ openconnect -c /etc/ssh/rsa_private_key.pem xxx.xxx.xxx.x:10443
> POST https://xxx.xxx.xxx.x:10443/
> Connected to xxx.xxx.xxx.x:10443
> Loading certificate failed: No certificate found in file
> Loading certificate failed. Aborting.
> Failed to open HTTPS connection to xxx.xxx.xxx.x
> Failed to obtain WebVPN cookie
> $

It isn't finding your certificate because you haven't given it one.
What you've given it is a private key.

The private key is what actually does the cryptographic operation — it
can sign something, and we know that signature can *only* have been
produced by whoever/whatever has access to the private key.

A certificate is something different. The certificate is a promise,
signed by some other third party (a certificate authority or other
"issuer"), about the identity of whoever/whatever owns the corresponding
private key.

Typically, SSH doesn't use certificates for its host keys. It remembers
the actual *key* of the hosts you connect to, or finds them in DNS or
something. I'd be surprised if you had a certificate which was issued to
your SSH private host key.

Of course it's *possible*, and maybe your organisation's VPN certificate
provisioning process does use the SSH host key for its private key. But
in that case you should have the certificate somewhere.
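The distinction the reply draws (a PEM file that holds a private key is not a certificate, and "No certificate found in file" is the client saying exactly that) is easy to check before running openconnect. The script below is an added example and is not code from this thread or from the OpenConnect project: it parses the PEM armour of a file, lists which RFC 7468 labels it contains, sanity-checks that each body base64-decodes to a single DER SEQUENCE, and says whether a certificate is present. The sample inputs are constructed (a toy DER `SEQUENCE { INTEGER 0 }` stands in for real key and certificate bodies), the verdict strings are this script's own rather than OpenConnect's, and the `-k` it mentions is OpenConnect's `--sslkey` option.

```python
"""Report what a PEM file actually contains before handing it to openconnect -c."""
import base64
import binascii
import re

# RFC 7468 labels that carry a certificate, versus labels that carry key material only.
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE", "TRUSTED CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
              "EC PRIVATE KEY", "DSA PRIVATE KEY"}

# One armoured block: BEGIN line, body, END line with the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def der_sequence_ok(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE whose length field matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def pem_blocks(text: str):
    """Return [(label, body_is_der)] for every PEM block in text, in file order."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, body = m.group(1), m.group(2)
        # Skip RFC 1421 header lines ("Proc-Type:", "DEK-Info:") seen in legacy encrypted keys;
        # base64 never contains ':' so this cannot drop real data.
        b64 = "".join(l.strip() for l in body.splitlines() if l.strip() and ":" not in l)
        try:
            der = base64.b64decode(b64, validate=True)
        except (ValueError, binascii.Error):
            blocks.append((label, False))
            continue
        blocks.append((label, der_sequence_ok(der)))
    return blocks


def diagnose(text: str) -> str:
    """One-line verdict on whether a TLS client could load a certificate from this file."""
    blocks = pem_blocks(text)
    if not blocks:
        return "no PEM blocks: not a PEM file (DER, PKCS#12, or not a key/cert at all)"
    certs = [l for l, ok in blocks if l in CERT_LABELS and ok]
    keys = [l for l, ok in blocks if l in KEY_LABELS and ok]
    bad = [l for l, ok in blocks if not ok]
    if certs:
        note = "" if keys else " (no private key in the same file; pass it with -k)"
        return "ok: %d certificate(s)%s" % (len(certs), note)
    if keys:
        return "no certificate: file holds only key material (%s)" % ", ".join(keys)
    if bad:
        return "no certificate: PEM label(s) %s but body is not DER" % ", ".join(bad)
    return "no certificate: unrecognised PEM label(s) %s" % ", ".join(l for l, _ in blocks)


# Constructed samples. The toy DER body SEQUENCE { INTEGER 0 } (30 03 02 01 00)
# stands in for a real key or certificate; only the armour and outer tag are checked.
TOY_DER_B64 = base64.b64encode(bytes.fromhex("3003020100")).decode()
KEY_ONLY = "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % TOY_DER_B64
CERT_ONLY = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % TOY_DER_B64
CERT_AND_KEY = CERT_ONLY + KEY_ONLY
# OpenSSH's own key format is PEM-armoured but its body is not ASN.1 at all.
OPENSSH_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n"
               % base64.b64encode(b"openssh-key-v1\x00").decode())

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "r", encoding="ascii", errors="replace") as fh:
            print(path + ": " + diagnose(fh.read()))
```

Run against the file from the thread (`python3 pemcheck.py /etc/ssh/rsa_private_key.pem`, assuming you save the script under that name) it would report key material only, which is the same fact OpenConnect reports as "No certificate found in file". A key written in OpenSSH's native format is reported as "body is not DER", because that format is not ASN.1 even though it uses PEM armour.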
_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel