Nov 6, 2011
Fixing Certificate Errors with Cisco AnyConnect
“AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.”
There may be several reasons for this error, which you’ll find on other pages that come up when you search for this string.
The reason I encountered seems to be unique. What I found by digging into a Wireshark capture is that AnyConnect itself sends a TLS alert to the server, disconnecting the session. The alert message says “Unknown CA”, i.e. the client does not trust the certificate chain the gateway presented.
It could have something to do with installing the Firefox plugin “Certificate Patrol” recently. AnyConnect apparently uses Firefox’s certificate store. Perhaps Certificate Patrol does something to the store that makes it so that AnyConnect can no longer use it?
In case it matters, I’m on Ubuntu 10.04.
Whatever the cause, you can fix it by doing the following (Edit: see also a simpler method in a comment by Nathan below):
- Figure out the CA that signs your VPN server’s certificate. (Hat tip to Didier Stevens for the easy way to do this.)
  - Fill in your server; I’m going to use www.google.com as the example.
  - openssl s_client -connect www.google.com:443 >! /tmp/google ## (>! is zsh’s force-overwrite redirection; in bash use a plain >)
  - Hit ctrl-C.
  - Look at the issuer= line in /tmp/google. For www.google.com it shows “Thawte Consulting (Pty) Ltd.”.
- Now search for “thawte root certificate”. (Obviously this will vary depending on who signs your server’s certificate.)
- Go to the page where they list certificates. Download them all. (I tried downloading only the one that looked like it matched the signature on my server’s certificate, but I think you need everything down to the root in order to fully verify it. It’s easier to download everything than to figure out exactly which ones are needed.)
- Convert to PEM format. (Hat tip to Mozekoze for this recipe.)
  - openssl x509 -in input.crt -out input.der -outform DER ## (if the certs are in .crt format; this reads the .crt as PEM, so a DER-encoded .crt can go straight to the next command)
  - openssl x509 -in input.der -inform DER -out output.pem -outform PEM
- Copy all the PEM files to /opt/.cisco/certificates/ca. (Or to ~/.cisco/certificates/ca.)
Alternatively, you could copy the certs out of the keystore on your machine, convert to PEM, and then copy the PEMs into the directory mentioned above. (On Ubuntu, the system certificates come from the package ca-certificates. You could copy just the Thawte certs by doing something like “cp $(dpkg -L ca-certificates | grep -i thawte) /tmp/certificate-conversion/”.)
Three cheers for Wireshark, strace, openssl, and Google for help figuring out what was going on. Cisco could make things a little bit easier to figure out — a decent diagnostic message would have been great — just tell the user “Unknown CA”; it’s already buried in the Wireshark trace.
I am using 11.10 and got the same error. I don't know where to put my CA; there are no such folders like you stated above. I have /opt/cisco/vpn and a few folders up there, but not one for certificates. Any suggestions?
@Jarek: Have you tried *creating* ~/.cisco/certificates/ca ?
Will try now, but where?
1) /opt/cisco/vpn/certificates/ca ?
2) /home/.cisco/certificates/ca ? (I have no .cisco in my home folder, even hidden.)
3) /opt/cisco/certificates/ca ?
The ~ means your home directory. I.e. you can run the command “mkdir -p ~/.cisco/certificates/ca” and it will create “/home/jarek/.cisco/certificates/ca” (assuming your home directory is /home/jarek/).
Or you can “mkdir -p /opt/.cisco/certificates/ca” and copy the files there.
Thanks for the help,
I've created them and copied the files into the folders, but it's still the same. I hate it already.
BTW, is there any way to let Cisco AnyConnect connect with a profile from a PCF file?
Sorry, all I can suggest at this point is what I did: spend some time staring at strace and wireshark output…
I will try to work it out somehow. Thanks for trying to help me :)
Thanks for putting up these notes Brian. I had this same problem (Ubuntu 10.04, AnyConnect 2.5 and 3.0 clients).
To make it simpler, I just did 3 steps:
1. Get the actual certificate name:
openssl s_client -connect example.com:443 |& sed -n '/^issuer=/s/.*CN=//p'
2. Launch Firefox (using 12), go to Preferences -> Advanced -> View Certificates. Scroll down till you see the exact name step 1 printed. Select that cert, then hit Export and save with .pem extension.
3. sudo cp YourExported.pem /opt/.cisco/certificates/ca/
@Jarek: Try updating to the 3.0 cisco client. Strace on my 2.5 client showed it never queried *any* certificates dir.
@Nathan: Thanks for the simplified version. I edited the post to point out your comment.
Thank you, gonna check it :)
Unfortunately, a) I forgot to add -f to my 2.5 client strace, so that may be a completely useless suggestion, and b) while I’ve fixed the *initial* connection (allowing you to type in your credentials) the secondary connection still doesn’t work “bad certificate”. Wireshark shows the cisco client is rejecting exactly the same certificate I added. Grabbing the cert from the URL listed in the certificate itself (seen from Wireshark) gives me the same certificate.
So, the client starts two TLS1 sessions; the server gives the same cert each time, but for the 2nd session only the cert is rejected.
Stumped.
You 2 are friggin geniuses! Works like a champ! Thank you!
The following fix worked for me – fresh install of 12.04 LTS 32bit (with FFox 12). Installed the AnyConnect client, then tried to run it.
Got the “AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.” message
Checked syslog in Ubuntu. Lots of this sort of stuff: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/ca/ directory was not found
Created /.cisco/certificates/ca directories in /opt using sudo
cd /opt
sudo mkdir .cisco
cd .cisco/
sudo mkdir certificates
cd certificates/
sudo mkdir ca
We use Globalsign as our certificate authority, so I just copied all the Globalsign .pem files from /etc/ssl/certs. If you don’t know your provider, you could just copy everything.
sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca
or if the CA is unknown
sudo cp /etc/ssl/certs/* /opt/.cisco/certificates/ca
I was able to start the AnyConnect client and connect to the VPN
Hope this helps – good luck
@Tom – 9th May 2012
Nice one – this worked perfectly for me on 11.10 – I just copied all the certificates.