
Linux: installing the client certificate

jre
Occasional Contributor

Re: Linux: installing the client certificate

Thank you for your help @csuchindra, it's much appreciated.

 

Here is another link to the image from my first post: https://pasteboard.co/Hj1cRTx.png

 

I tried starting from scratch:

1) Installed the .deb and all required dependencies.

2) Installed the CA files and ran update-ca-certificates as root (I can see in the command output that the new certificates are correctly imported).

3) Installed the client certificate from the pfx files (I have several of them, with and without the full certificate chain).

 

But still no luck. I used the same user to install the client certificates and to start the pulse UI, and the logs are already at the "detailed" verbosity.

 

Still looking into what might be wrong.

Moderator

Re: Linux: installing the client certificate

Is it a SHA1 or SHA2 certificate (client)?
Does only cert auth work (rather than either cert auth as secondary or a realm restriction for the certificate)? I am not sure what that image appears to show is supported.
jre
Occasional Contributor

Re: Linux: installing the client certificate

Hi @zanyterp,

It's a SHA-256 client certificate.

The image I attached is a screenshot of the pulse UI program. The error message is displayed right after I submit my username and password.

You will get exactly the same error message if you try to log in to the web portal using a browser, but without any compatible client certificate installed.

jre
Occasional Contributor

Re: Linux: installing the client certificate


Does only cert auth work (rather than either cert auth as secondary or a realm restriction for the certificate)? I am not sure what that image appears to show is supported. 

I missed your first question.

 

Only cert auth is working, so I assume it's some kind of realm restriction.

Visitor

Re: Linux: installing the client certificate

Hi Jean,

 

I assume you have already added the Client CA in the Trusted Client CA section in the PCS device. Nonetheless, I would recommend that you kindly open a case with Pulse Support so one of the techs can have a look and assist you right away.

 

jre
Occasional Contributor

Re: Linux: installing the client certificate

Hi @srohit


 

I assume you have already added the Client CA in the Trusted Client CA section in the PCS device.

 


Yes, I would say that the Pulse server configuration is OK, since I was able to use the exact same client certificate and credentials to log in and start a VPN session from Windows.

 

I think I'll try the official support and report back here if they find anything. Thanks for your help everyone.

Moderator

Re: Linux: installing the client certificate

Thank you for the confirmation of your steps.
I believe that what you are doing, cert restriction, is not supported on the Linux client.
New Contributor

Re: Linux: installing the client certificate

I am facing the exact same issue. There is no dialog window popping up to select the client certs.

/usr/local/pulse/PulseClient_x86_64.sh list_installed_certificates confirms that the client cert is there, seahorse/gnome-keyring shows the private key, and the PCS CA is installed in the machine CA store.

 

Connecting to the same URL with my Firefox browser using the client cert works, however. Any idea?

New Contributor

Re: Linux: installing the client certificate

After quite some hunting with ldd and strings and testing on Ubuntu 16.04, I found out why it is not working on Ubuntu 18.04. You will have to modify /usr/local/pulse/PulseClient_x86_64.sh and change the line which says:

 

elif [ $UBUNTU_VER = 16 ] || [ $UBUNTU_VER = 17 ]; then

 

to include Ubuntu Bionic:

elif [ $UBUNTU_VER = 16 ] || [ $UBUNTU_VER = 17 ] || [ $UBUNTU_VER = 18 ]; then

 

You'll have to do the same for the Ubuntu post-install script in /var/lib/dpkg/info/pulse.postinst, and run pulse.postinst again. When this has run it should work, given you have added the certs with pulseclient and also installed the PCS cert in the ca-certificates store.

 

You can verify that the PulseUi now has libgnome-keyring linked in, by running:

 ldd /usr/local/pulse/pulseUi | grep gnom

 

It should print out something like this:

 

libgnome-keyring.so.0 => /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.0 (0x00007fbfae598000)

 

I really hope Pulse Secure fixes this soon!

/E
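
The two checks described in the post above, as an added example that is not part of the original post and not Pulse Secure's code: one function tests whether script text contains a `[ $UBUNTU_VER = N ]` test for a given major release, the other whether `ldd` output shows libgnome-keyring resolved. The function names are hypothetical, the default paths are the ones quoted in the thread, and it assumes UBUNTU_VER is the major part of VERSION_ID in /etc/os-release.

```shell
#!/bin/sh
# Added diagnostic example (not Pulse Secure's code); function names are hypothetical.

# covers_version MAJOR: read script text on stdin; succeed if some line holds a
# test of the form [ $UBUNTU_VER = MAJOR ], as in the line quoted in the post.
covers_version() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac   # digits only, keeps the regex safe
    grep -Eq '\[ *"?\$UBUNTU_VER"? *=+ *"?'"$1"'"? *[]]'
}

# keyring_linked: read `ldd` output on stdin; succeed only if libgnome-keyring
# is listed and resolved (a "not found" entry counts as a failure).
keyring_linked() {
    awk '/libgnome-keyring\.so/ { seen = 1; if ($0 ~ /not found/) missing = 1 }
         END { exit !(seen && !missing) }'
}

# check_pulse_install [LAUNCHER] [UI]: run both checks on the local install.
# Default paths are the ones quoted in the thread; assumes UBUNTU_VER is the
# major part of VERSION_ID from /etc/os-release.
check_pulse_install() {
    launcher=${1:-/usr/local/pulse/PulseClient_x86_64.sh}
    ui=${2:-/usr/local/pulse/pulseUi}
    [ -r "$launcher" ] && [ -r "$ui" ] || { echo "Pulse client files not found"; return 3; }
    major=$(. /etc/os-release && printf '%s' "${VERSION_ID%%.*}")
    rc=0
    covers_version "$major" < "$launcher" ||
        { echo "launcher has no branch for release $major"; rc=1; }
    ldd "$ui" | keyring_linked ||
        { echo "pulseUi is not linked against libgnome-keyring"; rc=1; }
    return $rc
}
```

Source the file and call `check_pulse_install` on the affected machine; a non-zero return with one of the two messages points at the condition the post describes.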

 

 

 

Contributor

Re: Linux: installing the client certificate

Hi @espenmy

 

Thanks for the information. Also, I regret the inconvenience caused.

 

I just noticed that the fix mentioned by you is there in the latest version 9.0 R2 of the client. Request you to please try that out.