markraves 01-12-2012 11:57 AM

Where does the cisco anyconnect client load its certificates?
 
Hello,
I've recently updated an ASA VPN concentrator at work. I've renewed the SSL certificates, nothing else.

Then, when I'm at my workstation or laptop, both running Ubuntu x64, the VPN client tells me that the remote gateway cannot be trusted.
Very SSL-like, this, so I tried to connect a third laptop, also running Ubuntu x64, and it connected like a charm. The only difference between the computers is that I've never connected the third to my work VPN gateway before.
So, I get that it's something wrong with some local files on my two other computers.

I tried to run the uninstall script found in /opt/cisco/..
And afterwards removed the whole /opt/cisco.

Tried reinstalling the client, but that didn't help. Exactly the same error message.

So, I think the problem is that the anyconnect client stashes some certificates locally, and then instead of reading what's on the server, it uses the old certificates?

I have been unable to locate where exactly this happens. Does anyone have an idea about this? In my home dir, there is nothing but a preferences .xml in an anyconnect folder, no clue to what's wrong.

Out of the logs, it seems there is an issue server-side, but my 'unused' Ubuntu works, Windows workstations work I'm told, so the problem must reside client-side?

Pasting some essential logs as well:

Code:

Jan 11 16:10:29 workstation vpnui[15567]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 711 No profile available for host office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getHostInitSettings File: ProfileMgr.cpp Line: 791 Profile () not found. Using default settings.
Jan 11 16:10:29 workstation vpnui[15567]: Message type information sent to the user: Contacting https://office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Function: loadProfiles File: ProfileMgr.cpp Line: 112 No profile is available.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 711 No profile available for host office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Using default preferences. Some settings (e.g. certificate matching) may not function as expected if a local profile is expected to be used. Verify that the selected host is in the server list section of the profile and that the profile is configured on the secure gateway.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getProfileNameFromHost File: ProfileMgr.cpp Line: 711 No profile available for host office-vpn.mycompany.org.
Jan 11 16:10:29 workstation vpnui[15567]: Function: getHostInitSettings File: ProfileMgr.cpp Line: 791 Profile () not found. Using default settings.
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/myusername/.cisco/certificates/client/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 123 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/client/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Enumerate File: Certificates/FileCertStore.cpp Line: 123 Invoked Function: Enumerate Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND
Jan 11 16:10:29 workstation vpnui[15567]: Function: getCertList File: ApiCert.cpp Line: 257 Number of certificates found: 0
Jan 11 16:10:29 workstation vpnui[15567]: Initiating VPN connection to the secure gateway https://office-vpn.mycompany.org
Jan 11 16:10:29 workstation vpnui[15567]: Function: getUserName File: CTransportCurlStatic.cpp Line: 1917 PasswordEntry username is myusername
Jan 11 16:10:29 workstation vpnui[15567]: Function: InitNSS File: Certificates/NSSCertUtils.cpp Line: 399 Invoked Function: getProfilePath Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
Jan 11 16:10:29 workstation vpnui[15567]: Function: CNSSCertStore File: Certificates/NSSCertStore.cpp Line: 72 Invoked Function: CNSSCertUtils::InitNSS Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
Jan 11 16:10:29 workstation vpnui[15567]: Function: addNSSStore File: Certificates/CollectiveCertStore.cpp Line: 995 Invoked Function: CNSSCertStore::CNSSCertStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
Jan 11 16:10:29 workstation vpnui[15567]: Function: OpenStores File: Certificates/CollectiveCertStore.cpp Line: 248 Invoked Function: CCollectiveCertStore::addNSSStore Return Code: -31391741 (0xFE210003) Description: CERTSTORE_ERROR_BAD_HANDLE
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/myusername/.cisco/certificates/ca/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/ca/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/CertHelper.cpp Line: 167 Invoked Function: CCertStore::VerifyServerCertificate Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED
Jan 11 16:10:29 workstation vpnui[15567]: Function: sendRequest File: ConnectIfc.cpp Line: 2770 Invoked Function: CTransport::SendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED
Jan 11 16:10:29 workstation vpnui[15567]: Function: connect File: ConnectIfc.cpp Line: 410 Invoked Function: ConnectIfc::sendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED
Jan 11 16:10:29 workstation vpnui[15567]: Function: TranslateStatusCode File: ConnectIfc.cpp Line: 2618 Invoked Function: TranslateStatusCode Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
Jan 11 16:10:29 workstation vpnui[15567]: Function: doConnectIfcConnect File: ConnectMgr.cpp Line: 1399 Invoked Function: ConnectIfc::connect Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED
Jan 11 16:10:29 workstation vpnui[15567]: Message type warning sent to the user: Connection attempt has failed.
Jan 11 16:10:29 workstation vpnui[15567]: Function: processIfcData File: ConnectMgr.cpp Line: 1674 Content type (unknown) received. Response type (server cert error) from office-vpn.mycompany.org:
Jan 11 16:10:29 workstation vpnui[15567]: Message type error sent to the user: AnyConnect cannot confirm it is connected to your secure gateway.  The local network may not be trustworthy.  Please try another network.
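
Added example, not part of the original post and not Cisco's code: a Python sketch that reduces a vpnui log like the one above to the certificate directories the client reported missing, the OpenSSL verify result, and the ordered chain of client errors. It assumes the "Invoked Function: ... Return Code: ... Description: ..." line layout shown in the post; triage, SAMPLE_LOG and the regex names are chosen here for illustration.

```python
import re

# OpenSSL X509_verify_cert result codes (numeric values from OpenSSL's x509_vfy.h).
X509_V_ERR = {
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
}
# Assumed line layout, taken from the log lines in the post.
ENTRY = re.compile(
    r"Invoked Function: (?P<invoked>\S+) Return Code: (?P<rc>-?\d+) "
    r"\(0x[0-9A-Fa-f]+\) Description: (?P<desc>.*)")
MISSING_DIR = re.compile(r"The (\S+) directory was not found")
ERROR_NAME = re.compile(r"\b[A-Z]+_ERROR_[A-Z_]+\b")

# Constructed sample: five lines copied from the log in the post, one per distinct event.
SAMPLE_LOG = """\
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /home/myusername/.cisco/certificates/ca/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: Verify File: Certificates/FileCertificate.cpp Line: 347 Invoked Function: X509_verify_cert Return Code: 20 (0x00000014) Description: unknown unable to get local issuer certificate
Jan 11 16:10:29 workstation vpnui[15567]: Function: VerifyServerCertificate File: Certificates/FileCertStore.cpp Line: 654 Invoked Function: CFileCertificate::Verify Return Code: -31326191 (0xFE220011) Description: CERTIFICATE_ERROR_VERIFY_CHAIN_POLICY_FAILED
Jan 11 16:10:29 workstation vpnui[15567]: Function: enumerateCert File: Certificates/FileCertStore.cpp Line: 162 Invoked Function: enumerateCert Return Code: -31391730 (0xFE21000E) Description: CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/ca/ directory was not found.
Jan 11 16:10:29 workstation vpnui[15567]: Function: sendRequest File: ConnectIfc.cpp Line: 2770 Invoked Function: CTransport::SendRequest Return Code: -29949919 (0xFE370021) Description: CTRANSPORT_ERROR_PEER_CERT_REJECTED
"""

def triage(log_text):
    """Return missing cert-store paths, OpenSSL verify results and the error chain."""
    report = {"missing_dirs": [], "openssl": [], "errors": []}
    def add(key, value):  # keep first-seen order, drop repeats
        if value not in report[key]:
            report[key].append(value)
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if not m:
            continue
        if m["invoked"] == "X509_verify_cert":  # raw OpenSSL result, not a client code
            add("openssl", X509_V_ERR.get(int(m["rc"]), "code %s" % m["rc"]))
            continue
        d = MISSING_DIR.search(m["desc"])
        if d:
            add("missing_dirs", d.group(1))
        e = ERROR_NAME.search(m["desc"])
        if e:
            add("errors", e.group(0))
    return report

if __name__ == "__main__":
    for key, values in triage(SAMPLE_LOG).items():
        print(key, "->", values)
```

Result code 20 from X509_verify_cert means OpenSSL could not find the issuer of a certificate in the presented chain among the certificates available to it locally.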


onebuck 01-14-2012 11:58 AM

Moderator response
 
Moved: This thread is more suitable in <Linux-Networking> and has been moved accordingly to help your thread/question get the exposure it deserves.

markraves 02-08-2012 12:12 AM

bump anyone?

