Hello,

I've been trying to connect to my workplace's VPN for the first time all
morning and haven't had much luck: it just spins in "refreshing
...wait.html after 1 second" indefinitely.  Here's the script I've put
together based on everything I've found:

> exec sudo openconnect \
>     --user <USERNAME> \
>     --cert-expire-warning 15 \
>     --servercert '<CERTKEY>' \
>     --os win \
>     --csd-user <USERNAME> \
>     --csd-wrapper '/usr/local/bin/csd-wrapper.sh' \
>     https://<HOSTNAME>

The --servercert argument is what openconnect told me to set it as after
the first time, and csd-wrapper.sh has been updated with the
CSD_HOSTNAME=<HOSTNAME>.  The log output is at the bottom of this
message.

I've heard folks saying that if the VPN admins disable Linux support, a
different certificate is needed, and that they grabbed the certificate
from a Windows box via JailBreak.  I have JailBreak installed and a
Windows box that has connected to the same VPN host, but I have no idea
what to look for in the certificate store.  Does this seem like it might
help?  If so, where in the certificate store should I look, and what
should I look for with respect to the certificate name?  If not, what
else should I try?

Here's the version info.  It's on a Debian 9.5 system that was just set
up a few days ago.

> OpenConnect version v7.08
> Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software 
> token, TOTP software token, Yubikey OATH, System keys, DTLS 

Thank you,

- Neil

> POST https://<HOSTNAME>/
> Connected to <SERVER_IP>:443
> SSL negotiation with <HOSTNAME>
> Server certificate verify failed: signer not found
> Connected to HTTPS on <HOSTNAME>
> XML POST enabled
> GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> --2018-10-03 04:07:56--  
> https://<HOSTNAME>/CACHE/sdesktop/hostscan/linux_x64/manifest
> Resolving <HOSTNAME> (<HOSTNAME>)... <SERVER_IP>
> Connecting to <HOSTNAME> (<HOSTNAME>)|<SERVER_IP>|:443... Refreshing 
> +CSCOE+/sdesktop/wait.html after 1 second...
> connected.
> WARNING: The certificate of ‘<HOSTNAME>’ is not trusted.
> WARNING: The certificate of ‘<HOSTNAME>’ hasn't got a known issuer.
> HTTP request sent, awaiting response... 200 OK
> 
>     The file is already fully retrieved; nothing to do.
> 
> Got 6 files in manifes, locally found 6
> /home/<USERNAME>/.cisco/hostscan/bin/cscan: OK
> /home/<USERNAME>/.cisco/hostscan/bin/cstub: OK
> /home/<USERNAME>/.cisco/hostscan/lib/libcsd.so: OK
> /home/<USERNAME>/.cisco/hostscan/lib/libhostscan.so: OK
> /home/<USERNAME>/.cisco/hostscan/lib/libinspector.so: OK
> /home/<USERNAME>/.cisco/hostscan/lib/tables.dat: OK
> Launching: /home/<USERNAME>/.cisco/hostscan/bin/cstub -log error -ticket 
> "<TICKET>" -stub "0" -group "" -host "https://<HOSTNAME>/CACHE" -certhash 
> "<CERTHASH>"
> No value set for `/system/proxy/secure_host'
> No value set for `/system/http_proxy/host'
> GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
> SSL negotiation with <HOSTNAME>
> Server certificate verify failed: signer not found
> Connected to HTTPS on <HOSTNAME>
> Refreshing +CSCOE+/sdesktop/wait.html after 1 second...

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
