Yesterday a new problem arrived. This time was a certificate problem brought by our VPN web page and the Pulse Secure client. Instead of connecting to the VPN through Firefox I wanted to do it by using Pulse Secure. My original post is in the Pulse Secure community.

The logs of Pulse Secure showed this error:

20180821171918.183883 pulsesvc[p3384.t3388] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)

Clearly the application is unable to validate the certificate.

We can use openssl to replicate the problem:

openssl s_client -connect XXX.XXX.XXX:443

subject=/C=XX/ST=XXXXX (our certificate)
issuer=/C=US/O=DigiCert Inc/CN=DigiCert GLobal CA G2

verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
verify return:1

This tell us that Pulse Secure and openssl aren’t able to find the issuer certificate. Our issuer is DigiCert GLobal CA G2 as showed in the openssl output above.

After copying the text certificate from TBS-Certificates I created a new file (DigiCertCAG2.crt and pasted the content in it).

Then I used openssl to pass the lacking certificate as a parameter and it worked:

openssl s_client -connect -CAfile DigiCertCAG2.pem
Verify return code: 21 (ok)

Fixing the missing certificate for OpenSSL and PulseSecure

The certificate stores are located in:
  • RHEL/CentOS/Fedora /etc/pki/tls/certs/ca-bundle.crt
  • Ubuntu/Debian /etc/ssl/certs/ca-certificates.crt
Openssl will look up for the certificate in /etc/ssl/certs/. Installing certificates there is quite easy, I’ve found this blog in Chinese explaining the procedure, but remember, certificates must end with .crt extension
sudo mkdir /usr/share/ca-certificates/extra
sudo cp <YOUR_CERTIFICATE>.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates

This just takes the content of our certificate (DigiCertCAG2.crt) and appends it to /etc/ssl/certs/ca-certificates.crt

When using Openssl or Pulse Secure the problem won’t appear anymore.