Yesterday a new problem arrived. This time it was a certificate problem with our VPN web page and the Pulse Secure client: instead of connecting to the VPN through Firefox, I wanted to connect with Pulse Secure. My original post is in the Pulse Secure community.
The logs of Pulse Secure showed this error:
20180821171918.183883 pulsesvc[p3384.t3388] dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:unable to get local issuer certificate depth:0 errorno:20 (DSSSLSock.cpp:1588)
Clearly the application is unable to validate the certificate.
We can use openssl to replicate the problem:
openssl s_client -connect XXX.XXX.XXX:443
subject=/C=XX/ST=XXXXX (our certificate)
issuer=/C=US/O=DigiCert Inc/CN=DigiCert Global CA G2
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
verify return:1
This tells us that neither Pulse Secure nor openssl can find the issuer certificate. Our issuer is DigiCert Global CA G2, as shown in the openssl output above.
After copying the PEM text of the certificate from TBS-Certificates, I created a new file (DigiCertCAG2.crt) and pasted the content into it.
Then I passed the missing certificate to openssl as a parameter and it worked:
openssl s_client -connect 200.5.92.245:443 -CAfile DigiCertCAG2.pem
Verify return code: 21 (ok)
Fixing the missing certificate for OpenSSL and PulseSecure
The system CA bundle that OpenSSL and Pulse Secure read lives at:
- RHEL/CentOS/Fedora: /etc/pki/tls/certs/ca-bundle.crt
- Ubuntu/Debian: /etc/ssl/certs/ca-certificates.crt
On Ubuntu/Debian:
sudo mkdir /usr/share/ca-certificates/extra
sudo cp <YOUR_CERTIFICATE>.crt /usr/share/ca-certificates/extra/
sudo dpkg-reconfigure ca-certificates
This simply takes the content of our certificate (DigiCertCAG2.crt) and appends it to /etc/ssl/certs/ca-certificates.crt.
After that, the problem no longer appears when using OpenSSL or Pulse Secure.
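The whole situation above can be reproduced offline, without the VPN gateway. The script below is an added example, not from the original post or from Pulse Secure: it builds a throw-away PKI (a constructed root, an intermediate and a server leaf, all with made-up names) using only the openssl command line (1.1.1 or later is assumed), then verifies the leaf three ways. With only the root trusted and no intermediate at hand, openssl reports the same "error 20 ... unable to get local issuer certificate" at depth 0 as in the logs; that error at depth 0 means the server handed over its leaf without the intermediate. Supplying the intermediate as an untrusted chain certificate (what a correctly configured server sends) fixes it, and so does appending the intermediate to the CA bundle, which is the workaround from the post. Note that an intermediate placed in the trust store is trusted like a root on that machine, so obtain it from the issuing CA's own repository.

```shell
#!/bin/sh
# Added example (not the post's own commands): reproduce "unable to get local
# issuer certificate" with a constructed PKI and show what makes it go away.
set -eu

PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT

# Minimal req config so the system openssl.cnf is never consulted; this keeps
# the extensions deterministic across distributions. CN here is overridden by -subj.
cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

build_chain() {
  # Root CA: self-signed, CA:TRUE (key generation noise on stderr is silenced)
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$PKI_DIR/req.cnf" -extensions v3_ca \
    -subj "/CN=Constructed Root CA" \
    -keyout "$PKI_DIR/root.key" -out "$PKI_DIR/root.pem" 2>/dev/null

  # Intermediate CA: CSR signed by the root, also CA:TRUE
  printf 'basicConstraints = critical, CA:TRUE\nkeyUsage = critical, keyCertSign, cRLSign\n' \
    > "$PKI_DIR/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI_DIR/req.cnf" \
    -subj "/CN=Constructed Intermediate CA" \
    -keyout "$PKI_DIR/int.key" -out "$PKI_DIR/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -sha256 -in "$PKI_DIR/int.csr" \
    -CA "$PKI_DIR/root.pem" -CAkey "$PKI_DIR/root.key" -CAcreateserial \
    -extfile "$PKI_DIR/ca.ext" -out "$PKI_DIR/int.pem" 2>/dev/null

  # Server (leaf) certificate signed by the intermediate, like a VPN gateway's
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:vpn.example.test\n' \
    > "$PKI_DIR/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$PKI_DIR/req.cnf" \
    -subj "/CN=vpn.example.test" \
    -keyout "$PKI_DIR/leaf.key" -out "$PKI_DIR/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -sha256 -in "$PKI_DIR/leaf.csr" \
    -CA "$PKI_DIR/int.pem" -CAkey "$PKI_DIR/int.key" -CAcreateserial \
    -extfile "$PKI_DIR/leaf.ext" -out "$PKI_DIR/leaf.pem" 2>/dev/null

  # The post's workaround: a CA bundle that also contains the intermediate
  cat "$PKI_DIR/root.pem" "$PKI_DIR/int.pem" > "$PKI_DIR/ca-bundle-with-intermediate.pem"
}

# Verify the leaf. $1 = trusted CA file, $2 = optional file of untrusted chain
# certificates (what a server would send). Prints openssl's stdout and stderr
# together; the exit status is openssl's (non-zero on verification failure).
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$PKI_DIR/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1" "$PKI_DIR/leaf.pem" 2>&1
  fi
}

# Boolean form of verify_leaf: returns 0 when the chain verifies, 1 otherwise.
chain_ok() {
  verify_leaf "$@" >/dev/null
}

build_chain

echo "1) root trusted, intermediate neither sent nor installed (the post's failure):"
verify_leaf "$PKI_DIR/root.pem" || true
echo "2) intermediate supplied with the leaf, as a correctly configured server sends it:"
verify_leaf "$PKI_DIR/root.pem" "$PKI_DIR/int.pem"
echo "3) intermediate appended to the local CA bundle (the post's workaround):"
verify_leaf "$PKI_DIR/ca-bundle-with-intermediate.pem"
```

Case 1 prints "error 20 at 0 depth lookup: unable to get local issuer certificate", cases 2 and 3 print "leaf.pem: OK". Against a real gateway, `openssl s_client -connect host:443 -showcerts` lists every certificate the server actually sends, which is the quickest way to tell whether the intermediate is missing from the server's configuration rather than from the client's trust store.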