Hello,
I know that there are related topics about this issue, but I've been following them all and I cannot get the Pulse Secure VPN working, so I would appreciate it if you could help me with this.
Regards.
Are you using the hostname or IP address of the VPN server?
Can you please send me the VPN server URL as PM?
Hi Ray,
Thanks for your reply. Check PM.
Regards.
@nrodrigues Thank you for the message. This issue normally occurs if the VPN server uses a certificate which was signed by a private CA or is self-signed or, in some cases, it could be due to an incomplete certificate chain.
Please access the VPN server portal from any browser like Google Chrome and see if you get any cert warning message, and then view the certificate to get an idea about the CA details. I know there is an openssl command to get the complete certificate printed in base64 format, which you can copy and create a .crt file from.
openssl s_client -showcerts -connect <VPN hostname>:443
# Please run the command and share the output as PM.
Refer: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB43927/?kA1f1000000kAsL
Yes, when I open the URL on chrome it says "Not secure" and NET::ERR_CERT_AUTHORITY_INVALID.
I followed that info in the past, I've tried to extract the complete certificate chain in many ways and formats and after that I've tried to import to use it in pulse but no success. I'm sending you the output you requested by PM.
Hi @nrodrigues,
Thank you for sending the openssl output for review. It seems that the VPN server is sending the complete certificate chain; however, the Root CA is not present on the Linux machine for validating the chain. It cannot be downloaded online (searched), since it's a private CA (the AIA attribute in the Int. CA does not have the location to download the Root CA certificate - Secured).
depth=2 C = XX, O = XXXXXX, OU = YYYYY, CN = ZZZZZ Intermediate CA
verify error:num=20:unable to get local issuer certificate
With that said, please request your IT team to provide a copy of the Root CA certificate, stating the problem caused by the incomplete chain; installing that on the Linux machine CA store should resolve the issue.
Thank you Ray! I'll try to find out who can send me the certificate and I'll let you know later if it's working
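The failure discussed in this thread can be reproduced offline. The script below is an added example, not part of the original posts: it builds a constructed three-level chain (all names, files and the `chain_status` helper are made up for illustration) and shows `openssl verify` returning error 20 while the private root is unknown, then OK once the root is supplied as a trust anchor.

```shell
#!/bin/sh
# Constructed lab: throwaway root CA -> intermediate CA -> server certificate.
# All names and files are made up; nothing touches the system CA store.
set -eu

new_key_csr() {  # $1 = file prefix, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

make_lab() {  # $1 = empty working directory
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  new_key_csr "$1/root" "Lab Private Root CA"
  new_key_csr "$1/int" "Lab Intermediate CA"
  new_key_csr "$1/srv" "vpn.lab.example"
  # Self-signed private root, then the intermediate and server certs below it.
  openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 2 \
    -extfile "$1/ca.ext" -out "$1/root.crt" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null
  openssl x509 -req -in "$1/srv.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/srv.crt" 2>/dev/null
}

# Prints "OK" or "error N". The intermediate is passed as -untrusted, the way a
# server sends it in the handshake; $2 (optional) is the root CA file, standing
# in for a root that has been installed in the machine's CA store.
chain_status() {  # $1 = lab directory, $2 = optional root CA file
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$1/int.crt" "$1/srv.crt" 2>&1) || true
  else
    out=$(openssl verify -untrusted "$1/int.crt" "$1/srv.crt" 2>&1) || true
  fi
  case $out in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/.*\(error [0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
  esac
}

lab=$(mktemp -d)
trap 'rm -rf "$lab"' EXIT
make_lab "$lab"
echo "root unknown to the client: $(chain_status "$lab")"
echo "root supplied as anchor:    $(chain_status "$lab" "$lab/root.crt")"
# Fingerprint to compare with the value the CA owner publishes.
openssl x509 -in "$lab/root.crt" -noout -fingerprint -sha256
```

Before adding a root CA file received from IT to a trust store, compare its SHA-256 fingerprint with one obtained over a separate channel.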