The Daily Build


Software Development, version 3.0

Fixing Certificate Errors with Cisco AnyConnect

“AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.”

There may be several reasons for this error, which you’ll find on other pages that come up in a search for this string.

The reason that I encountered seems to be unique. What I found by digging into a wireshark capture is that AnyConnect sends a TLS alert to the server, disconnecting the session. The alert message says “Unknown CA”.

It could have something to do with installing the firefox plugin “Certificate Patrol” recently. AnyConnect apparently uses firefox’s certificate store. Perhaps Certificate Patrol does something to the store that makes it so that AnyConnect can no longer use it?

In case it matters, I’m on Ubuntu 10.04.

Whatever the cause, you can fix it by doing the following:

  1. Figure out the CA that signs your VPN server’s certificate. (Hat tip to Didier Stevens for the easy way to do this.)
    1. Fill in your server; I’m going to use www.google.com.
    2. openssl s_client -connect www.google.com:443 >! /tmp/google (the “>!” is zsh’s force-overwrite redirection; in bash use “>” or “>|”)
    3. Hit ctrl-C.
    4. Look at the certificate chain in the saved output to see who the issuer is. In this example it was “Thawte Consulting (Pty) Ltd.”.
  2. Now search for “thawte root certificate”. (Obviously this will vary depending on who signs your server’s certificate.)
  3. Go to the page where they list certificates. Download them all. (I tried downloading the one that looked like it matched the signature on my server’s certificate, but I think you need everything down to the root in order to fully verify it. It’s easier to just download everything than try to figure out exactly which ones are needed.)
  4. Convert to PEM format. (Hat tip to Mozekoze for this recipe.)
    1. openssl x509 -in input.crt -out input.der -outform DER ## (if the certs are in .crt format)
    2. openssl x509 -in input.der -inform DER -out output.pem -outform PEM
  5. Copy all the PEM files to /opt/.cisco/certificates/ca. (Or to ~/.cisco/certificates/ca.)
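As an added example (my own script, not code from the post or from Cisco), here is the whole procedure above collapsed into one shell script: it fetches the chain the gateway presents with openssl s_client -showcerts, splits it into one PEM file per certificate, checks with openssl verify whether those certificates actually form a complete chain for the gateway’s own certificate, and copies the CA certificates into the AnyConnect directory. The argument order, the default destination of ~/.cisco/certificates/ca (taken from step 5), the cert-NN.pem file names and the to_pem helper that replaces the two-step DER/PEM dance are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post.  Pulls the certificate chain
# a TLS gateway presents, splits it into one PEM file per certificate, checks
# that the CA certificates validate the gateway's leaf, and installs them where
# AnyConnect looks.  Assumptions (mine): host, port and destination directory
# are passed as arguments; openssl and awk are on the PATH.
set -eu

# Split concatenated PEM certificates read from stdin into numbered files in
# the directory $1 and print how many were written.  Only awk is needed, so
# this also works on text saved from an earlier manual s_client run.
split_pem_chain() {
    outdir=$1
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n); inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }'
}

# Fetch every certificate the gateway sends.  -showcerts prints the whole
# chain rather than just the leaf, and </dev/null makes s_client exit on its
# own instead of waiting for the Ctrl-C of the manual recipe.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -showcerts </dev/null 2>/dev/null
}

# Print a certificate as PEM whether the file on disk is PEM or DER; this
# replaces the .crt -> DER -> PEM round trip for downloaded CA files.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1" -outform PEM
    fi
}

# Show subject and issuer of each certificate so the signing CA is obvious.
show_chain() {
    for f in "$1"/cert-*.pem; do
        openssl x509 -in "$f" -noout -subject -issuer
    done
}

# cert-01.pem is the gateway's own certificate; everything after it is the
# chain it sent.  Verifying the leaf against that bundle tells you whether the
# chain reaches a root before you copy anything into AnyConnect's directory.
verify_leaf() {
    dir=$1
    : > "$dir/bundle.pem"
    for f in "$dir"/cert-*.pem; do
        [ "$f" = "$dir/cert-01.pem" ] || cat "$f" >> "$dir/bundle.pem"
    done
    openssl verify -CAfile "$dir/bundle.pem" "$dir/cert-01.pem"
}

# Fetch, inspect, verify and install.  Destination defaults to the per-user
# directory named in the post.
install_ca() {
    host=$1; port=${2:-443}; dest=${3:-$HOME/.cisco/certificates/ca}
    work=$(mktemp -d)
    count=$(fetch_chain "$host" "$port" | split_pem_chain "$work")
    echo "gateway $host sent $count certificate(s):"
    show_chain "$work"
    verify_leaf "$work"
    mkdir -p "$dest"
    # Install everything except the leaf; AnyConnect only wants the CA certs.
    for f in "$work"/cert-*.pem; do
        [ "$f" = "$work/cert-01.pem" ] || cp "$f" "$dest/$host-$(basename "$f")"
    done
    rm -rf "$work"
}

# Usage: ./anyconnect-ca.sh vpn.example.com 443 ~/.cisco/certificates/ca
if [ $# -gt 0 ]; then
    install_ca "$@"
fi
```

If verify_leaf fails with “unable to get local issuer certificate”, the gateway only sent intermediates and you still need the root from the CA’s own site (steps 2 and 3 above); run any downloaded file through to_pem, add it to the work directory as another cert-NN.pem and rerun. That check is also the quickest way to tell whether the files you copied into the ca directory are enough, which is the question left open in the comments below. For reference, the “Unknown CA” alert seen in the capture is TLS alert description 48 (unknown_ca), the client’s way of saying its own verification failed.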

Alternatively, you could copy the certs out of the keystore on your machine, convert them to PEM, and then copy the PEMs into the directory mentioned above. (On Ubuntu, you can see the certificates in the package ca-certificates. You could copy just the thawte certs by doing something like “cp $(dpkg -L ca-certificates | grep -i thawte) /tmp/certificate-conversion/”.)

Three cheers for wireshark, strace, openssl, and google for help figuring out what was going on. Cisco could make things a little bit easier to figure out — a decent diagnostic message would have been great — just tell the user “Unknown CA”, it’s already buried in the wireshark trace.


Category: linux

8 Responses

  1. Jarek says:

    I am using 11.10, got the same error, I don’t know where to put my CA, there are no such folders as you stated above. I have /opt/cisco/vpn and a few folders up there but not one for certificates..any suggestions? :)

  2. @Jarek: Have you tried *creating* ~/.cisco/certificates/ca ?

  3. Jarek says:

    Will try now, but where?

    1) /opt/cisco/vpn/certificates/ca ?
    2) /home/.cisco/certificates/ca ? (I have no .cisco in my home folder, even hidden)
    3) /opt/cisco/certificates/ca ?

  4. The ~ means your home directory. I.e. you can run the command “mkdir -p ~/.cisco/certificates/ca” and it will create “/home/jarek/.cisco/certificates/ca” (assuming your home directory is /home/jarek/).

    Or you can “mkdir -p /opt/.cisco/certificates/ca” and copy the files there.

  5. Jarek says:

    Thanks for the help,
    I’ve created them and copied the files to the folders but it’s still the same..I hate it already :)

  6. Jarek says:

    btw, is there any way to let Cisco AnyConnect connect with a profile from a PCF file?

  7. Sorry, all I can suggest at this point is what I did: spend some time staring at strace and wireshark output…

  8. Jarek says:

    I will try to work it out somehow..thanks for trying to help me :)
