Certificate Validation Failure when using smartcard

Kai G <kgroshert@xxxxxxxxxxxxxx> · Sun, 5 Apr 2020 22:13:04 +0200

I'm trying to connect to a Cisco ASA VPN using credentials on a smartcard.

My setup is Ubuntu 18.04 with OpenConnect 7.08.

There are a bunch of certs on the card but think I positively
identified the right one with the help of the anyconnect xml file and
p11tool.

I can connect from Anyconnect on Windows 10 just fine using the same
card but when trying from another PC with linux and openconnect I get
a Certificate Validation Failure message from the server.

Is there anything else I can do to debug this?

Thanks,
Kai

$ openconnect -v -c 'pkcs11:id=%11' --servercert sha256:0123456789
https://vpngw.gw.xx.xx/+webvpn+/index.html
POST https://vpngw.gw.xx.xx/+webvpn+/index.html
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
Using PKCS#11 certificate pkcs11:id=%11;type=cert
PIN required for Card PIN (Generic PKI Card)
Enter PIN:
Using PKCS#11 key
pkcs11:model=PKCS%2315;manufacturer=xxx%20xx;serial=101050111841;token=Card%20PIN%20%28Generic%20PKI%20Card%29;id=%11;type=private
Using client certificate 'Testuser PKI-Test PKI ABCDE'
SSL negotiation with vpngw.gw.xx.xx
Server certificate verify failed: signer not found
Connected to HTTPS on vpngw.gw.xx.xx
Got HTTP response: HTTP/1.1 301 Moved Permanently
Connection: close
X-Transcend-Version: 1
Location: https://vpngw.gw.xx.xx/+webvpn+/index.html
Content-Type: text/html
Content-Length: 0
HTTP body length:  (0)
GET https://vpngw.gw.xx.xx/+webvpn+/index.html
Attempting to connect to server 1.2.3.4:443
Connected to 1.2.3.4:443
SSL negotiation with vpngw.gw.xx.xx
Server certificate verify failed: signer not found
Connected to HTTPS on vpngw.gw.xx.xx
Got HTTP response: HTTP/1.1 200 OK
Transfer-Encoding: chunked
Content-Type: text/xml
Cache-Control: max-age=0
Set-Cookie: webvpn=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpn_as=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; secure
Set-Cookie: webvpnlogin=1; secure
X-Frame-Options: SAMEORIGIN
X-Transcend-Version: 1
HTTP body chunked (-2)
Please enter your username and password.
Certificate Validation Failure
Failed to obtain WebVPN cookie

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel