ipad juno pulse cert error

scoutt_
Contributor


I receive an error when signing in to Pulse. It says that "The certificate is not valid for this server." Now it seems we started getting this error when we renewed our root cert on the SA. Going into Safari, it shows the cert is invalid as not trusted. We did renew our cert to be a *.domain.com instead of a bunch of certs. It appears that iOS doesn't care for a star cert that covers everything. How do we make it work? Every user's iPad gets this error. I do not see any certs in the Pulse configuration.

10 REPLIES 10
zanyterp_
Respected Contributor

Re: ipad juno pulse cert error

Any extra certificates should be possible to remove at Settings>General>Profiles.
It is possible that the CA is not one of the ones that is built-in to iOS or that something in the renewal is not being picked up. If you remove and then add the connection again, does it work without the error?
zanyterp_
Respected Contributor

Re: ipad juno pulse cert error

Were you able to get the Wireshark trace from the iPad using the instructions posted by muttbarker?

Do you see the same failure through a desktop browser? (Guessing not, but wanted to confirm.)

The intermediate cert you are looking for is the one that signed the cert (for example, deviceCert>intermediateCert>rootCA).

muttbarker_
Valued Contributor

Re: ipad juno pulse cert error

You can do captures on an iPad using a facility called "remote virtual interface" - I have done it and it works nicely. Here is a link to the Apple Developers site explaining how it works.

http://developer.apple.com/library/mac/#qa/qa1176/_index.html#//apple_ref/doc/uid/DTS10001707-CH1-SE...

Go to the section labeled iOS Packet Tracing. A bunch of steps but can come in handy.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
scoutt_
Contributor

Re: ipad juno pulse cert error

Sorry guys, been real busy lately. I have added our cert to the intermediate CA's. Still has the question popup. But maybe I didn't add the correct cert? What Intermediate CA is it looking for?

Zan, I will look into Wireshark, but not sure if it will work on the iPad.

scoutt_
Contributor

Re: ipad juno pulse cert error

Thanks zan,

I believe I fixed the cert error, it was the order in the SA that was wrong. But now login seems to work, according to the logs, but the Pulse comes back and says "Connection Error" Server is not responding. But as I said, the trace log in the SA shows session was created just fine. I might have to open a ticket unless somebody knows what is going on.

info - [70.199.224.40] - \User(ipad)[ipad] - 2013/08/06 09:46:56 - Sign-in successful, creating session
info - [70.199.224.40] - \User(ipad)[ipad] - 2013/08/06 09:46:56 - Session created, redirecting user to start page. Sign-in done.
info - [70.199.224.40] - \User(ipad)[ipad] - 2013/08/06 09:46:56 - Automatically redirected from page "login" to the next start page "/dana/home/starter0.cgi?check=yes" before starting the session.

scoutt_
Contributor

Re: ipad juno pulse cert error

Forget it guys, I found the problem. Bad wireless for the server disconnect.

scoutt_
Contributor

Re: ipad juno pulse cert error

I do not have a Mac to work on this with. I do not get the error on the desktop version of Pulse and when I view it in Firefox the cert looks good, it doesn't show anything wrong with it.

Any way to remove the certs on the iPad?

SVK_
Regular Contributor

Re: ipad juno pulse cert error

Maybe the device does not have the proper chain, like missing intermediate certificates.

Please follow the KB:

http://kb.pulsesecure.net/kb15613

Configure the certificate chain in the Juniper SA.

 

Please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks!!

 

Regards,

SVK

zanyterp_
Respected Contributor

Re: ipad juno pulse cert error

It should be fine to use the wildcard cert; can you share your server name (possibly PM)? If you take a tcp dump on the port you connect against, save it as raw, and then decode the traffic in Wireshark as SSL, do you see the correct chain being sent down?
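
The chain check discussed in this thread (deviceCert>intermediateCert>rootCA, and a wrong order on the SA), as an added example that is not from any poster or from the vendor. It parses the "Certificate chain" section printed by `openssl s_client -showcerts` and reports an intermediate that is missing or sent out of order; the sample text, the CA names and the helper names `parse_chain` and `check_chain` are constructed for illustration.

```python
import re

# Constructed sample of the "Certificate chain" section from
# `openssl s_client -showcerts` (PEM bodies omitted, names made up).
# The root is sent before the intermediate, i.e. the order is wrong.
SAMPLE_MISORDERED = """\
Certificate chain
 0 s:/CN=*.example.com
   i:/O=Example CA/CN=Example Intermediate CA
 1 s:/O=Example CA/CN=Example Root CA
   i:/O=Example CA/CN=Example Root CA
 2 s:/O=Example CA/CN=Example Intermediate CA
   i:/O=Example CA/CN=Example Root CA
"""
# Constructed sample: only the device certificate is sent.
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:/CN=*.example.com
   i:/O=Example CA/CN=Example Intermediate CA
"""

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*\d+ s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s+i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def check_chain(chain):
    """List problems; each cert should be issued by the cert that follows it."""
    problems = []
    subjects = [s for s, _ in chain]
    for idx, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            continue  # self-signed root, nothing above it
        if idx + 1 < len(chain) and chain[idx + 1][0] == issuer:
            continue  # next cert is the issuer: correct order
        if issuer in subjects:
            problems.append(f"cert {idx}: issuer sent out of order: {issuer}")
        elif idx + 1 < len(chain) or idx == 0:
            # A lone leaf issued directly by a trusted root would also land here.
            problems.append(f"cert {idx}: issuer not sent: {issuer}")
    return problems
```

A chain that ends at an intermediate without the root is not flagged, since the root is expected to come from the client's own trust store.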