Hi everyone!
I'm looking for a way to open our VPN with the Pulse Secure client (Pulse Version: 5.3R4.2(639)) on Lubuntu 16.04.5.
Our current VPN is a web page (i.e. http://thisvpn/welcome.cgi) where you provide your username and password+token.
It launches a Java applet to establish the connection; after the connection is successful, a tun0 connection is created.
The thing is, when using Pulse Secure the VPN login works (because the session is created) but the applet is never launched. This error appears while executing the Pulse Secure client and trying to connect to the VPN:
20180821171918.183883 pulsesvc[p3384.t3388] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
Does anyone know how I could get more information about the error or how to solve it?
Regards!
Helfgott.
Installing the certificate in those ways didn't work for me (later I realized I had to rename my missing certificate to .crt to append it to /etc/ssl/certs/ca-certificates.crt through dpkg-reconfigure ca-certificates).
The solution for this problem is to copy the missing certificate into the certificate store used by Pulse Secure.
In my case I was missing the intermediate certificate DigiCert Global CA G2; I realized that by using this command:
openssl s_client -connect <IP of my VPN CGI>:443
An error was displayed:
subject=/C=XX/ST=XXXXX (our certificate)
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
Verify return code: 21 (unable to verify the first certificate)
Copied the text certificate from: TBS-Certificates
The file /usr/local/pulse/README says which store is used for each operating system (Ubuntu in my case), so I edited it:
cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt.backup
vim /etc/ssl/certs/ca-certificates.crt
Copied and pasted the missing certificate into it (at the start of ca-certificates.crt).
Started Pulse Secure again and everything worked.
Documented this in case someone else needs to solve a similar problem.
Regards.
Helfgott
EDIT: This process also works:
sudo mkdir /usr/share/ca-certificates/extra
sudo cp <YOUR_CERTIFICATE>.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates
But the certificate must be ".crt", otherwise it won't be added to the ca-certificates store.
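Reproducing the failure offline, as an added example that is not code from this thread or from Pulse Secure: it builds a constructed root/intermediate/leaf chain with openssl (all names, paths and the `demo` argument are placeholders of mine), then verifies the leaf against a trust bundle without and with the intermediate, which is the same store change the solution above makes.

```shell
# Added example, not code from the thread or from Pulse Secure: reproduce
# "unable to get local issuer certificate" offline with a constructed root ->
# intermediate -> leaf chain, then show that trusting the intermediate fixes it.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Constructed hierarchy (placeholder names): the leaf plays the VPN host, the
# intermediate plays the part DigiCert Global CA G2 played in the thread.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/inter.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=thisvpn" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 2 -in "$WORK/leaf.csr" -CA "$WORK/inter.crt" \
    -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Root-only bundle (what the client effectively had, the server sending just its
# leaf) versus root + intermediate (the thread's fix, done with cat, not by hand).
make_bundles() {
  cp "$WORK/root.crt" "$WORK/bundle-root-only.crt"
  cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/bundle-with-intermediate.crt"
}

# Verify the leaf against a bundle and print openssl's verdict; never aborts.
verify_leaf() {  # $1 = path to bundle
  openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1 || true
}

# Which certificate to fetch: the issuer at depth 0 (the "i:" line in s_client).
missing_issuer() {
  openssl x509 -in "$WORK/leaf.crt" -noout -issuer
}

if [ "${1:-}" = "demo" ]; then
  make_chain; make_bundles
  echo "root only:         $(verify_leaf "$WORK/bundle-root-only.crt" | tail -n 1)"
  echo "with intermediate: $(verify_leaf "$WORK/bundle-with-intermediate.crt")"
  echo "issuer to install: $(missing_issuer)"
fi
```

Run it with the argument `demo` to print the three verdicts. An error at depth 0 with return code 21 means the server handed over only its leaf certificate, so the durable fix is to have the VPN appliance serve the intermediate in its chain rather than patching every client's store.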
I've found that the client attempts to connect to the VPN but all the connections are in CLOSE_WAIT state.
No clues so far.
I've found more information reading the logs; it seems to be a certificate error. I'll update this post if I find a solution.
The error in {USER}/pulsesvc.log is clear:
20180821171918.183883 pulsesvc[p3384.t3388] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
When executing openssl:
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
verify return:1
The issuer is:
i:/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
Followed the procedures in:
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40200
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40574
https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB40278
Still no luck.