theinvisible/openfortigui

0.9.8 trusted-cert ignored

Opened this issue · 1 comments

In the mentioned version the connection attempt fails with the following errors (sensitive info replaced with xxxxx). Then it seems it tries to reconnect, fails again, and it keeps doing that in a loop.

Dec 9 10:58:08 INFO:   Start tunnel.
Dec 9 10:58:08 ERROR:  Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  or add this line to your configuration file:
ERROR:      trusted-cert = b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  Gateway certificate:
ERROR:      subject:
ERROR:          CN=xxxxxxxx
ERROR:      issuer:
ERROR:          C=xxxx
ERROR:          L=xxxx
ERROR:          O=xxxx
ERROR:          CN=xxxx
ERROR:      sha256 digest:
ERROR:          b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO:   Closed connection to gateway.
ERROR:  Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  or add this line to your configuration file:
ERROR:      trusted-cert = b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR:  Gateway certificate:
ERROR:      subject:
ERROR:          CN=xxxxxxx
ERROR:      issuer:
ERROR:          C=xxxx
ERROR:          L=xxxx
ERROR:          O=xxxx
ERROR:          CN=xxxx
ERROR:      sha256 digest:
ERROR:          b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO:   Could not log out.

Here's the output from ~/.openfortigui/logs/openfortigui.log

Dec 9 11:17:44 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:44 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: active-tab:: 0
Dec 9 11:17:47 openfortiGUI::Debug: start vpn: "VPN" active-tab:: 0
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: Start vpn:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: add logger "/home/user/.openfortigui/main.conf"
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: vpnManager::onClientConnected()
Dec 9 11:17:47 openfortiGUI::Debug: client api helo command:: 0 ::name:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: vpnClientConnection::sendCMD:: "VPN" :: 8
Dec 9 11:17:48 openfortiGUI::Debug: 1670577468816 bytes avail:: 22
Dec 9 11:17:49 openfortiGUI::Debug: 1670577469033 bytes avail:: 1447
Dec 9 11:17:49 openfortiGUI::Debug: certificatefailedrequest from vpnmanager
Dec 9 11:17:49 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:49 openfortiGUI::Debug: client disconnected:: "VPN"
Dec 9 11:17:49 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "VPN" status 0
Dec 9 11:17:49 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "VPN" ::status:: 0
Dec 9 11:17:49 openfortiGUI::Debug: VPN process  "VPN"  error occurred!
Dec 9 11:17:49 openfortiGUI::Debug: VPN process  "VPN"  finished!
Dec 9 11:17:50 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:50 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "VPN"
Dec 9 11:18:23 openfortiGUI::Debug: stop vpn:: 0
Dec 9 11:18:24 openfortiGUI::Debug: stop vpn:: 0

And this is ~/.openfortigui/vpnprofiles/VPN.conf

[cert]
ca_file=
trust_all_gw_certs=true
trusted_cert=b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_cert=
user_key=
verify_cert=false

[options]
always_ask_otp=false
autostart=true
debug=false
half_internet_routers=false
insecure_ssl=false
min_tls=Default
otp_delay=0
otp_prompt=
pppd_call=
pppd_ifname=
pppd_ipparam=
pppd_log_file=
pppd_no_peerdns=true
pppd_plugin_file=
realm=
seclevel1=false
set_dns=true
set_routes=true

[vpn]
device_type=0
gateway_host=xxxxxxx
gateway_port=443
name=VPN
password=xxxxxx
persistent=false
username=xxxxxx

Running openfortivpn with the --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx parameter connects without any issues, so I assume openfortigui somehow does not include the --trusted-cert parameter when connecting.

I am already using OpenfortiGUI 0.9.9-3 currently, but the issue still persists.

I can confirm this issue, which is also preventing me from connecting. In the OpenfortiGUI log I see:

ERROR:  Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert .....

... but there is no way to provide that trusted-cert parameter via the GUI. When trying to run openfortigui via the CLI, there is no such parameter as --trusted-cert; only openfortivpn has it.
Even connecting with "Trust all certs" does not help.

Actually, in the file ~/.openfortigui/vpnprofiles/profilename.conf the parameter trusted_cert= is set with the proper hash, but openfortigui seems to ignore it.
I also tested the same cert with openfortivpn at the CLI and it connects properly. Just OpenfortiGUI does not connect.
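Both reports above boil down to the same check: the trusted_cert value in the profile must reach openfortivpn as --trusted-cert, and it must equal the sha256 digest the gateway actually presents in the error output. The script below is an added diagnostic example, not code from the issue thread or from the openfortigui project; the profile/log contents and the digest are constructed, and the profile-to-flag mapping is a hypothetical reconstruction of what the GUI is expected to do.

```python
import configparser
import hashlib
import re

# Constructed sample digest (not the gateway hash from the report, which is masked).
SAMPLE_DIGEST = hashlib.sha256(b"constructed sample gateway certificate").hexdigest()

# Constructed profile using the [cert]/[vpn] keys seen in the report's VPN.conf.
SAMPLE_PROFILE = f"""
[cert]
ca_file=
trust_all_gw_certs=true
trusted_cert={SAMPLE_DIGEST}
verify_cert=false

[vpn]
gateway_host=vpn.example.invalid
gateway_port=443
username=alice
"""

# Constructed excerpt in the shape of the openfortivpn error from the report.
SAMPLE_LOG = f"""ERROR:  Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR:      --trusted-cert {SAMPLE_DIGEST}
ERROR:      sha256 digest:
ERROR:          {SAMPLE_DIGEST}
"""

DIGEST_RE = re.compile(r"^[0-9a-f]{64}$")  # SHA-256 as lowercase hex

def load_profile(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def build_openfortivpn_args(cp):
    """Hypothetical profile -> openfortivpn argv mapping (host:port, -u, --trusted-cert)."""
    args = ["openfortivpn", f"{cp['vpn']['gateway_host']}:{cp['vpn']['gateway_port']}",
            "-u", cp["vpn"]["username"]]
    digest = cp["cert"].get("trusted_cert", "").strip().lower()
    if digest:
        if not DIGEST_RE.match(digest):
            raise ValueError("trusted_cert must be a 64-hex-char SHA-256 digest")
        args += ["--trusted-cert", digest]  # the flag the reports say is missing
    return args

def digest_from_error_log(log):
    """Extract the digest openfortivpn prints under 'sha256 digest:'."""
    m = re.search(r"sha256 digest:\s*ERROR:\s*([0-9a-f]{64})", log)
    return m.group(1) if m else None

def profile_matches_gateway(cp, log):
    """True when the pinned digest equals the one the gateway presented."""
    return cp["cert"].get("trusted_cert", "").strip().lower() == digest_from_error_log(log)
```

A mismatch here (rotated gateway certificate, truncated copy-paste) produces the same error as the GUI dropping the flag, so it is worth ruling out before blaming the GUI.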