Thank you for your help @csuchindra, it's much appreciated.
Here is another link to the image from my first post: https://pasteboard.co/Hj1cRTx.png
I tried starting from scratch:
1) Installed the .deb and all required dependencies.
2) Installed the CA files and ran update-ca-certificates as root (I can see in the command output that the new certificates are correctly imported).
3) Installed the client certificate from the pfx files (I have several of them, with and without the full certificate chain).
But still no luck. I used the same user to install the client certificates and to start the pulse UI, and the logs are already at the "detailed" verbosity.
Still looking into what might be wrong.
It's a SHA-256 client certificate.
The image I attached is a screenshot of the pulse UI program. The error message is displayed right after I submit my username and password.
You will get exactly the same error message if you try to log in to the web portal using a browser, but without any compatible client certificate installed.
Does only cert auth work (rather than either cert auth as secondary or a realm restriction for the certificate)? I am not sure what that image appears to show is supported.
I missed your first question.
Only cert auth is working, so I assume it's some kind of realm restriction.
I assume you have already added the Client CA in the Trusted Client CA section in the PCS device. Nonetheless, I would recommend you to kindly open a case with Pulse Support so one of the techs can have a look at the same and assist you right away.
I assume you have already added the Client CA in the Trusted Client CA section in the PCS device.
Yes, I would say that the Pulse server configuration is OK, since I was able to use the exact same client certificate and credentials to log in and start a VPN session from Windows.
I think I'll try the official support and report back here if they find anything. Thanks for your help everyone.
I am facing the exact same issue. There is no dialog window popping up to select the client certs.
/usr/local/pulse/PulseClient_x86_64.sh list_installed_certificates confirms that the client cert is there, seahorse/gnome-keyring shows the private key, and the PCS CA is installed in the machine CA store.
Trying to connect to the same URL with my Firefox browser using the client cert, however, works. Any idea?
After quite some hunting with ldd and strings and testing on Ubuntu 16.04, I found out why it is not working on Ubuntu 18.04. You will have to modify the /usr/local/pulse/PulseClient_x86_64.sh and change the line which says:
elif [ $UBUNTU_VER = 16 ] || [ $UBUNTU_VER = 17 ]; then
to include Ubuntu Bionic:
elif [ $UBUNTU_VER = 16 ] || [ $UBUNTU_VER = 17 ] || [ $UBUNTU_VER = 18 ]; then
You'll have to do the same for the ubuntu post install script in /var/lib/dpkg/info/pulse.postinst , and run the pulse.postinst again. When this has run it should work, given you have added the certs with pulseclient and also installed the PCS cert in the ca-certificates store.
You can verify that the PulseUi now has libgnome-keyring linked in, by running:
ldd /usr/local/pulse/pulseUi | grep gnom
It should print out something like this:
libgnome-keyring.so.0 => /usr/lib/x86_64-linux-gnu/libgnome-keyring.so.0 (0x00007fbfae598000)
I really hope Pulse Secure fixes this soon!
Thanks for the information. Also, regret the inconvenience caused.
I just noticed that the fix mentioned by you is there in the latest version 9.0 R2 of the client. Request you to please try that out.
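The edit described in the post above, written as a re-runnable script with a backup and a state check; this is an added example, not part of the original post and not Pulse Secure's tooling. It assumes both files contain the version-check line exactly as quoted in the post; the function names, the `.orig` backup suffix and the script name `fix-pulse.sh` are hypothetical.

```sh
#!/bin/sh
# Added example (not Pulse Secure's code). OLD/NEW are the lines quoted in the post;
# the function names and the ".orig" backup suffix are choices made for this example.
OLD='elif [ $UBUNTU_VER = 16 ] || [ $UBUNTU_VER = 17 ]; then'
NEW='elif [ $UBUNTU_VER = 16 ] || [ $UBUNTU_VER = 17 ] || [ $UBUNTU_VER = 18 ]; then'

# Print "patched", "unpatched" or "unknown" for the script given as $1.
check_state() {
    if grep -qF -- "$NEW" "$1"; then echo patched
    elif grep -qF -- "$OLD" "$1"; then echo unpatched
    else echo unknown
    fi
}

# Extend the version check in $1. Safe to re-run; keeps the original as $1.orig.
apply_fix() {
    case $(check_state "$1") in
        patched) return 0 ;;
        unknown) echo "$1: version check not found, file left untouched" >&2
                 return 2 ;;
    esac
    cp -p -- "$1" "$1.orig" || return 1
    # Literal (non-regex) replacement, so the [ ] $ | characters need no escaping.
    # Writing with ">" keeps the file's owner and mode.
    awk -v old="$OLD" -v new="$NEW" '{
        i = index($0, old)
        if (i) $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
        print
    }' "$1.orig" > "$1"
}

# Succeed if the binary $1 is dynamically linked against libgnome-keyring.
keyring_linked() {
    ldd "$1" 2>/dev/null | grep -q 'libgnome-keyring'
}

# Run as root with the two scripts named in the post as arguments, e.g.
#   sh fix-pulse.sh /usr/local/pulse/PulseClient_x86_64.sh /var/lib/dpkg/info/pulse.postinst
for f in "$@"; do
    apply_fix "$f" && echo "$f: $(check_state "$f")"
done
```

After patching, pulse.postinst still has to be run again as the post describes; `keyring_linked /usr/local/pulse/pulseUi` then repeats the ldd check from the post.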