12

When I try to connect using the Cisco AnyConnect VPN Client, I receive this error:

Connection attempt has failed due to server certificate problem.

Connection attempt has failed due to server certificate problem.

I happened to have this problem in my previous Ubuntu 11.10 installation. That time I could fix it using some tutorials on the internet (I don't remember which one). Basically, they suggested installing 4-5 packages and then some ln -s. But this time none of them are working. Can anyone help me step by step?

ændrük
  • 78,726
Mohammad Moghimi
  • 2,211

7 Answers7

12

The following fix worked for me - fresh install of 12.04 LTS 32bit (with Firefox 12). Installed the AnyConnect client, then tried to run it.

Got this message:

AnyConnect cannot confirm it is connected to your secure gateway. The local network may not be trustworthy. Please try another network.

Checked syslog in Ubuntu. Lots of this sort of stuff:

CERTSTORE_ERROR_CERT_NOT_FOUND The /opt/.cisco/certificates/ca/ directory was not found

Created /.cisco/certificates/ca directories in /opt using sudo

cd /opt
sudo mkdir .cisco
cd .cisco/
sudo mkdir certificates
cd certificates/
sudo mkdir ca

We use Globalsign as our certificate authority. So I just copied all the Globalsign .pem files from /etc/ssl/certs. If you don't know your provider, you could just copy everything.

sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca

or if CA is unknown

sudo cp /etc/ssl/certs/cd /etc/ssl/cert/* /opt/.cisco/certificates/ca

I was able to start the AnyConnect client and connect to the VPN

Hope this helps.

jokerdino
  • 41,762
Tom Steeves
  • 121
  • 2
    ln -s /etc/ssl/certs ~/.cisco/certificates/ca works as well –  May 16 '12 at 05:16
  • Thanks, that worked for me. However, I think the command for copying everything should be sudo cp /etc/ssl/certs/Global* /opt/.cisco/certificates/ca –  Jun 29 '12 at 11:35
  • 2
    The solution worked for me.

    I don't know if any of the detail here makes an impact. I just list additional details that worked for me.

    The directory /opt/.cisco/certificates/ca already existed. So, I used Google Chrome to go to VPN server. Clicked on its certificate and exported root certificate with "Base64-encoded ASCII, single certificate" option. I saved the file with PEM extension. VPN client picked the change without need for restart.

     – Sergei G May 18 '16 at 20:36
7

I can confirm that this problem exists. Anyconnect client worked fine with 11.10 but stops working with 12.04. Old trick with links to firefox libraries does not work anymore. I end up using OpenConnect.

Installation: http://www.humans-enabled.com/2011/06/how-to-connect-ubuntu-linux-to-cisco.html Routing: http://www.redips.net/linux/vpn-client-and-routing-2/

More details on Cisco Anyconnect problem:

As you can see from log: user was able to login, but Anyconnect client still failed to establish vpn connection.

Cisco AnyConnect VPN Client (version 2.5.3055) .

state: Connecting
notice: Establishing VPN session...
notice: Checking for profile updates...
notice: Checking for product updates...
notice: Checking for customization updates...
notice: Checking for localization updates...
state: Connecting
notice: Establishing VPN session...
notice: Establishing VPN - Initiating connection...
state: Disconnecting
notice: Disconnect in progress, please wait...
state: Disconnected
notice: VPN session ended.
error: The certificate on the secure gateway is invalid. A VPN connection will not be established.

error: AnyConnect was not able to establish a connection to the specified secure gateway. Please try connecting again.
notice: Connection attempt has failed.
state: Disconnected
Alice Team
  • 94
4

Copying the certificates did not work, but a combination of the two ended up working for me:

cd /etc/ssl/certs/cd
sudo ln -s /etc/ssl/certs/Global* .

Then ...

sudo apt-get install firefox 
cd /opt/cisco/vpn/lib
sudo ln -s /usr/lib/firefox/lib*.so .

... and bingo. I can log into work now :)

Mateo
  • 8,152
Martin
  • 41
3

This is how I did it.

cd /opt
sudo mkdir .cisco
cd .cisco/
sudo mkdir certificates
cd certificates/
sudo mkdir ca

I then found out which certificate authority we use, which was COMODO, found a site that uses this CA, downloaded it with a browser and put it into the 

/opt/.cisco/certificates/ca/ directory

voila!

Jorge Castro
  • 73,907
James Eaton
  • 31
2

I tried these solutions listed above and none of them helped. But when I tried some of these solutions below having to do with the firefox libraries, I had success!

Override certificate error in Cisco AnyConnect Client on Ubuntu 12.04 64 bit

Cisco AnyConnect in 64bit Ubuntu Linux

I can't say which is the BEST solution, but I followed the directions on both of these sites and had success. Perhaps you can find a solution that works for you. If you know which one is the best, please let us know which variable solved the problem immediately. All I know is that after making some of these changes, I finally got my Cisco Anyconnect VPN working. I am Firefox on Ubuntu 12.04.

Marnie
  • 21
-1

Problem solved on Ubuntu 12.04 64 bits. see here: http://www.oit.uci.edu/security/vpn/vpn-lin.html

user180319
  • 1
-3

Make sure that you have Firefox installed and are able to successfully launch it. If all is successful, there are a few other troubleshooting steps to try.

Cisco AnyConnect
  • 1