Fixing Certificate Errors with Cisco AnyConnect

"AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network."

There may be several reasons for this error, which you'll find on other pages that hit for a search on this string.

The reason that I encountered seems to be unique. What I found by digging into a Wireshark capture is that AnyConnect sends a TLS alert to the server, disconnecting the session. The alert message says "Unknown CA".

It could have something to do with installing the Firefox plugin "Certificate Patrol" recently. AnyConnect apparently uses Firefox's certificate store. Perhaps Certificate Patrol does something to the store that makes it so that AnyConnect can no longer use it?

In case it matters, I'm on Ubuntu 10.04.

Whatever the cause, you can fix it by doing the following (Edit: see also a simpler method in a comment by Nathan below):

  1. Figure out the CA that signs your VPN server's certificate. (Hat tip to Didier Stevens for the easy way to do this.)

    1. Fill in your server, I'm going to use www.google.com.
    2. openssl s_client -connect www.google.com:443 >! /tmp/google
    3. Hit ctrl-C.
    4. You saw "Thawte Consulting (Pty) Ltd.".
  2. Now search for "thawte root certificate". (Obviously this will vary depending on who signs your server's certificate.)

  3. Go to the page where they list certificates. Download them all. (I tried downloading the one that looked like it matched the signature on my server's certificate, but I think you need everything down to the root in order to fully verify it. It's easier to just download everything than try to figure out exactly which ones are needed.)
  4. Convert to PEM format. (Hat tip to Mozekoze for this recipe.)

    1. openssl x509 -in input.crt -out input.der -outform DER ## (if the certs are in .crt format)
    2. openssl x509 -in input.der -inform DER -out output.pem -outform PEM
  5. Copy all the PEM files to /opt/.cisco/certificates/ca. (Or to ~/.cisco/certificates/ca.)

Alternatively, you could copy the certs out of the keystore on your machine, convert to PEM, and then copy the PEMs into the directory mentioned above. (On Ubuntu, you can see the certificates in the package ca-certificates. You could copy just the Thawte certs by doing something like cp $(dpkg -L ca-certificates | grep -i thawte) /tmp/certificate-conversion/.)
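As an added example (not code from the post or from Cisco), the same procedure as a small Python module: pull the issuer CN out of openssl s_client output (the same thing the sed in Nathan's comment prints), pick the matching files from the system store by file name the way the dpkg/grep one-liner does, normalise DER to PEM, and write them into /opt/.cisco/certificates/ca. The s_client excerpt is constructed, and the Debian/Ubuntu habit of naming store files after the CA is assumed; writing under /opt needs root.

```python
import os
import re
import ssl

ANYCONNECT_CA_DIR = "/opt/.cisco/certificates/ca"  # per the post; ~/.cisco/... also works
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
# Constructed excerpt of the 'openssl s_client' banner that step 1 reads.
SAMPLE_S_CLIENT_OUTPUT = """\
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
issuer=/C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
"""

def issuer_cn(s_client_output):
    """CN of the CA that signed the server cert, taken from the 'issuer=' line
    (what the sed in Nathan's comment prints); also accepts 'C = ZA, CN = X'."""
    for line in s_client_output.splitlines():
        if line.startswith("issuer="):
            m = re.search(r"CN\s*=\s*([^/,]+)", line)
            if m:
                return m.group(1).strip()
    return None

def to_pem(raw):
    """Normalise .crt/.der/.pem file bytes to PEM text, the form AnyConnect reads."""
    if raw.lstrip().startswith(PEM_HEADER):
        return raw.decode("utf-8")
    return ssl.DER_cert_to_PEM_cert(raw)  # DER -> base64 body with PEM headers

def matching_store_files(store_dir, ca_name):
    """Like 'dpkg -L ca-certificates | grep -i thawte': system-store files whose
    file name contains the CA's first word (Debian/Ubuntu naming convention)."""
    needle = ca_name.split()[0].lower()
    return sorted(os.path.join(store_dir, f) for f in os.listdir(store_dir)
                  if needle in f.lower())

def install_cas(cert_paths, ca_dir=ANYCONNECT_CA_DIR):
    """Write the certificates as PEM into the AnyConnect CA dir (root is needed
    under /opt); files stay world-readable since the client runs as the user."""
    os.makedirs(ca_dir, mode=0o755, exist_ok=True)
    written = []
    for src in cert_paths:
        with open(src, "rb") as fh:
            pem = to_pem(fh.read())
        dst = os.path.join(ca_dir, os.path.splitext(os.path.basename(src))[0] + ".pem")
        with open(dst, "w") as fh:
            fh.write(pem)
        os.chmod(dst, 0o644)
        written.append(dst)
    return written
```

Feed issuer_cn() the captured banner, hand its result to matching_store_files("/etc/ssl/certs", ...), and pass that list to install_cas().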

Three cheers for Wireshark, strace, openssl, and Google for help figuring out what was going on. Cisco could make things a little bit easier to figure out -- a decent diagnostic message would have been great -- just tell the user "Unknown CA"; it's already buried in the Wireshark trace.

Posted on 2011-11-06 by brian in linux.

Comments

I am using 11.10, got the same error. I don't know where to put my CA; there are no such folders like you stated above. I have /opt/cisco/vpn and a few folders up there but not one for certificates.. any suggestions? :)

Jarek
2011-12-22 21:25:33

@Jarek: Have you tried creating ~/.cisco/certificates/ca ?

Brian St. Pierre
2011-12-22 21:28:14

will try now, but where?

1) /opt/cisco/vpn/certificates/ca ? 2) /home/.cisco/certificates/ca ? (I have no .cisco in my home folder, even hidden) 3) /opt/cisco/certificates/ca ?

Jarek
2011-12-22 21:37:30

The ~ means your home directory. I.e. you can run the command "mkdir -p ~/.cisco/certificates/ca" and it will create "/home/jarek/.cisco/certificates/ca" (assuming your home directory is /home/jarek/).

Or you can "mkdir -p /opt/.cisco/certificates/ca" and copy the files there.

Brian St. Pierre
2011-12-22 21:39:49

Thanks for the help, I've created the folders and copied the files there but it's still the same.. I hate it already :)

Jarek
2011-12-22 21:46:30

BTW, is there any way to let Cisco AnyConnect connect with a profile from a PCF file?

Jarek
2011-12-22 21:48:32

Sorry, all I can suggest at this point is what I did: spend some time staring at strace and wireshark output...

Brian St. Pierre
2011-12-22 21:50:22

I will try to work it out somehow.. thanks for trying to help me :)

Jarek
2011-12-22 21:52:32

Thanks for putting up these notes Brian. I had this same problem (Ubuntu 10.04, AnyConnect 2.5 and 3.0 clients). To make it simpler, I just did 3 steps:

  1. Get the actual certificate name:

    openssl s_client -connect example.com:443 |& sed -n '/^issuer=/s/.*CN=//p'

  2. Launch Firefox (using 12), go to Preferences -> Advanced -> View Certificates. Scroll down till you see the exact name step 1 printed. Select that cert, then hit Export and save with .pem extension.

  3. sudo cp YourExported.pem /opt/.cisco/certificates/ca/

Nathan
2012-04-27 15:23:11

@Jarek: Try updating to the 3.0 cisco client. Strace on my 2.5 client showed it never queried any certificates dir.

Nathan
2012-04-27 15:25:38

@Nathan: Thanks for the simplified version. I edited the post to point out your comment.

Brian St. Pierre
2012-04-27 15:28:46

Thank you, gonna check it :)

Jarek
2012-04-27 16:38:40

Unfortunately, a) I forgot to add -f to my 2.5 client strace, so that may be a completely useless suggestion, and b) while I've fixed the initial connection (allowing you to type in your credentials) the secondary connection still doesn't work "bad certificate". Wireshark shows the cisco client is rejecting exactly the same certificate I added. Grabbing the cert from the URL listed in the certificate itself (seen from Wireshark) gives me the same certificate.

So, the client starts two TLS1 sessions, the server gives the same cert each time, but for the 2nd session only the cert is rejected.

Stumped. :(

Nathan
2012-04-27 16:45:39

You 2 are friggin geniuses! Works like a champ! Thank you!

MasterOfTheHat
2012-05-02 01:59:58

The following fix worked for me - fresh install of 12.04 LTS 32bit (with FFox 12). Installed the AnyConnect client, then tried to run it.

Got the "AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network." message

Checked syslog in Ubuntu. Lots of this sort of stuff: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/ca/ directory was not found

Created /.cisco/certificates/ca directories in /opt using sudo

cd /opt
sudo mkdir .cisco
cd .cisco/
sudo mkdir certificates
cd certificates/
sudo mkdir ca

We use Globalsign as our certificate authority, so I just copied all the Globalsign .pem files from /etc/ssl/certs. If you don't know your provider, you could just copy everything.

sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca

or if CA is unknown

sudo cp /etc/ssl/certs/* /opt/.cisco/certificates/ca

I was able to start the AnyConnect client and connect to the VPN

Hope this helps - good luck

Tom
2012-05-09 21:11:28

@Tom - 9th May 2012

Nice one - this worked perfectly for me on 11.10 - I just copied all the certificates.

Steve
2012-05-17 08:18:57

Thanks Tom! That worked for me (also on 12.04 and FF12)

Kevin
2012-05-30 17:43:08

Thanks so much. I created soft symbolic links to all of the files in /etc/ssl/certs/ to /opt/.cisco/certificates/ca/ and now Cisco AnyConnect works again (Kubuntu 10.04).

Cheers for posting your solution :¬)

JD
2012-05-31 19:42:07

Thanks for this thread after finding Cisco AnyConnect VPN Client failing no matter where I connected (exactly as described at the top of the thread; it was working until approx. March 2012). I followed JD exactly and Cisco then worked immediately (Ubuntu 10.04).

RC
2012-06-11 21:16:01

I followed all these instructions and I still am getting certificate validation issues causing the "gateway is not trustworthy" error in 12.04 (i386). Interesting side note is I can connect to my lab ASA just fine.

Any more ideas? I have stripped it all out reinstalled, copied the .pem to /opt/.cisco/certificates/ca files etc...

I would rather not do a fresh install as I like the challenge of troubleshooting, but this one has me banging my head.

DR
2012-07-03 13:37:33

@DR: Have you run the client with strace? Did you double-check the final path to the pem files, ownership, and permissions on /opt/.cisco...?

Brian St. Pierre
2012-07-03 15:29:56

Once the directory /opt/.cisco/certificates/ca is made, I used this:

sudo cp /etc/ssl/certs/* /opt/.cisco/certificates/ca

It worked (Linux Mint 13)

Dan
2012-07-10 09:18:41

Thanks Dan! Your suggestion worked for me!

Nick
2012-07-26 09:43:17

Dan's suggestion worked for me too (Ubuntu 12.04-64 bits). Thanks!

@bandaangosta

bandaangosta
2012-08-10 23:51:34

Thanks Dan it worked for me ubuntu 12.04

pnathg
2012-08-14 03:55:48

Tom/Dan,

I seriously owe you guys a six-pack of beer...

Thank you!

Greg
2012-08-18 17:00:22

Here's another simple fix that worked for me on 10.04:

sudo mv /opt/.cisco/certificates/ca /opt/.cisco/certificates/ca.orig && sudo ln -s /etc/ssl/certs /opt/.cisco/certificates/ca

Cory
2012-08-26 17:52:20

Props, everything works now. Even though checking the SSL certificate said "Thawte SSL CA", I needed to copy all the CAs from /etc/ssl/certs to get it to work.

Jesse
2012-09-07 23:04:46