cancel
Showing results for 
Search instead for 
Did you mean: 

Error while opening VPN with Pulse Secure

SOLVED
Occasional Contributor

Error while opening VPN with Pulse Secure

Hi everyone!

 

I'm looking for a way to open our VPN with Pulse Secure client: Pulse Version: 5.3R4.2(639) in Lubuntu 16.04.5

 

Our current VPN is a web page (i.e: http://thisvpn/welcome.cgi) where you provide your username, password+token.

It will launch a Java applet to establish the connection, after the connection is successful a tun0 connection is created.

 

The thing is, when using Pulse Secure the VPN login works (because the session is created) but the applet is never launched, this error is present while executing pulse secure client and trying to connect to the VPN:

 

20180821171918.183883 pulsesvc[p3384.t3388] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)

 

Do anyone know how could I get more information about the error or how to solve it?

 

Regards!

 

Helfgott.

4 REPLIES
Occasional Contributor

Re: Error while opening VPN with Pulse Secure

I've found that the client attempts to connect to the VPN but all the connections are in CLOSE_WAIT state.

 

No clues by far Smiley Sad

Occasional Contributor

Re: Error while opening VPN with Pulse Secure

I've found more information reading the logs, seems to be a certificate error. I'll update this post if I find a solution.

Occasional Contributor

Re: Error while opening VPN with Pulse Secure

The error in {USER}/pulsesvc.log is clear:

 

 

20180821171918.183883 pulsesvc[p3384.t3388] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)

 

 

When executing openssl:

 

 

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
verify return:1

 

 

The issuer is:

 

i:/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2

Followed the procedures in:

 

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40200

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40574

https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40278

 

Still no luck.

 

Highlighted
Occasional Contributor

Re: Error while opening VPN with Pulse Secure

Installing the certificate in such ways didn't worked for me (later I've realized I had to rename my lacking certificate to .ctr to append it into /etc/ssl/certs/ca-certificates.crt through dpkg-reconfigure ca-certificates).

 

The solution for this problem is to copy the lacking certificate into the store of certificates used by PulseSecure.

 

In my case I was missing the intermediate certificate: DigiCert Global CA G2, I realized that by using this command:

 

openssl s_client -connect <IP of my VPN CGI>

An error was displayed:

 

 

subject=/C=XX/ST=XXXXX (our certificate)
issuer=/C=US/O=DigiCert Inc/CN=DigiCert GLobal CA G2
Verify return code: 21 (unable to verify the first certificate)

 

Copied the text certificate from: TBS-Certificates

 

In the file on /usr/local/pulse/README says which store is used for each operating system (Ubuntu in my case) so I edited it:

 

 

cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.backup
vim /etc/ssl/certs/ca-certificates.crt

 

Copied and pasted the lacking certificate into it (at the start of ca-certificates.crt)

 

Started again Pulse Secure and everything worked.

Documented this if someone else needs to solve a similar problem.

Regards.

Helfgott

 

EDIT: This process also works:

 

sudo mkdir /usr/share/ca-certificates/extra
sudo cp <YOUR_CERTIFICATE>.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates

But the certificate must be ".crt" otherwise won't be added in ca-certificates store.