On Tue, 2016-04-05 at 10:55 -0400, Michael Welsh Duggan wrote:
> Thomas Haller <thal...@redhat.com> writes:
> 
> > On Mon, 2016-04-04 at 22:09 -0400, Michael Welsh Duggan wrote:
> > > 
> > > I'm having some difficulties using network-manager-openconnect.
> > > 
> > > If I use openconnect directly:
> > > 
> > > openconnect -c cert.pfx --authgroup=[GROUP] --no-xmlpost [SERVER]
> > > 
> > > everything works just fine.
> > > 
> > > When I use network-manager I get the following:
> > > 
> > > Server requested SSL client certificate after one was provided
> > > Certificate Validation Failure
> > > 
> > > This used to work (many months ago). I don't know whether an update
> > > of nm was why things changed, or if it was a change of the VPN
> > > server at work.
> > > 
> > > I am using network-manager and network-manager-openconnect from
> > > Debian unstable:
> > > 
> > > network-manager 0.9.10.0-1
> > > network-manager-openconnect 0.9.8.6-1
> > > 
> > > I'm happy to provide more debugging information if someone would
> > > tell me what to provide.
> > 
> > When nm-openconnect starts the openconnect binary, it runs as a
> > different user. Make sure that that user is able to access the
> > certificate.
> 
> And what user might that be? NetworkManager and nm-dispatcher are
> running as root, as is nm-openconnect-service. Also, if it could not
> access the certificates, I would expect a different type of error.
nm-openconnect runs as root, but it spawns the actual openconnect process
as the 'nm-openconnect' user for security. That user must be able to
access your certificates.

Unfortunately libraries like OpenSSL/GnuTLS don't have great verbose
error reporting, and the "Certificate Validation Failure" message comes
from there, most likely (since it's not part of the nm-openconnect
source). They don't report it to nm-openconnect, so nm-openconnect
doesn't have a great way to get it back to you, the user.

Dan

> > For example, if you have SELinux enabled, it needs proper labels.
> > Usually that means the certificate should be in the ~user/.certs
> > directory. Try with SELinux permissive mode or search for audit
> > warnings.
> 
> I do not have SELinux enabled.
> _______________________________________________
> networkmanager-list mailing list
> networkmanager-list@gnome.org
> https://mail.gnome.org/mailman/listinfo/networkmanager-list