0.9.8 trusted-cert ignored
Opened this issue · 1 comment
In the mentioned version the connection attempt fails with the following errors (sensitive info replaced with xxxxx). Then it seems it tries to reconnect, fails again, and keeps doing that in a loop.
Dec 9 10:58:08 INFO: Start tunnel.
Dec 9 10:58:08 ERROR: Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR: or add this line to your configuration file:
ERROR: trusted-cert = b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR: Gateway certificate:
ERROR: subject:
ERROR: CN=xxxxxxxx
ERROR: issuer:
ERROR: C=xxxx
ERROR: L=xxxx
ERROR: O=xxxx
ERROR: CN=xxxx
ERROR: sha256 digest:
ERROR: b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO: Closed connection to gateway.
ERROR: Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR: or add this line to your configuration file:
ERROR: trusted-cert = b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ERROR: Gateway certificate:
ERROR: subject:
ERROR: CN=xxxxxxx
ERROR: issuer:
ERROR: C=xxxx
ERROR: L=xxxx
ERROR: O=xxxx
ERROR: CN=xxxx
ERROR: sha256 digest:
ERROR: b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
INFO: Could not log out.
Here's the output from ~/.openfortigui/logs/openfortigui.log
Dec 9 11:17:44 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:44 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: active-tab:: 0
Dec 9 11:17:47 openfortiGUI::Debug: start vpn: "VPN" active-tab:: 0
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: Start vpn:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: add logger "/home/user/.openfortigui/main.conf"
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: vpnManager::onClientConnected()
Dec 9 11:17:47 openfortiGUI::Debug: client api helo command:: 0 ::name:: "VPN"
Dec 9 11:17:47 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:47 openfortiGUI::Debug: vpnClientConnection::sendCMD:: "VPN" :: 8
Dec 9 11:17:48 openfortiGUI::Debug: 1670577468816 bytes avail:: 22
Dec 9 11:17:49 openfortiGUI::Debug: 1670577469033 bytes avail:: 1447
Dec 9 11:17:49 openfortiGUI::Debug: certificatefailedrequest from vpnmanager
Dec 9 11:17:49 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:49 openfortiGUI::Debug: client disconnected:: "VPN"
Dec 9 11:17:49 openfortiGUI::Debug: vpnManager::onClientVPNStatusChanged() "VPN" status 0
Dec 9 11:17:49 openfortiGUI::Debug: MainWindow::onClientVPNStatusChanged:: "VPN" ::status:: 0
Dec 9 11:17:49 openfortiGUI::Debug: VPN process "VPN" error occurred!
Dec 9 11:17:49 openfortiGUI::Debug: VPN process "VPN" finished!
Dec 9 11:17:50 openfortiGUI::Debug: tiConfVpnProfile::readVpnProfiles() -> vpnprofile found: "/home/user/.openfortigui/vpnprofiles/VPN.conf"
Dec 9 11:17:50 openfortiGUI::Debug: MainWindow::refreshVpnProfileList() -> vpnprofiles found:: "VPN"
Dec 9 11:18:23 openfortiGUI::Debug: stop vpn:: 0
Dec 9 11:18:24 openfortiGUI::Debug: stop vpn:: 0
And this is ~/.openfortigui/vpnprofiles/VPN.conf
[cert]
ca_file=
trust_all_gw_certs=true
trusted_cert=b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
user_cert=
user_key=
verify_cert=false
[options]
always_ask_otp=false
autostart=true
debug=false
half_internet_routers=false
insecure_ssl=false
min_tls=Default
otp_delay=0
otp_prompt=
pppd_call=
pppd_ifname=
pppd_ipparam=
pppd_log_file=
pppd_no_peerdns=true
pppd_plugin_file=
realm=
seclevel1=false
set_dns=true
set_routes=true
[vpn]
device_type=0
gateway_host=xxxxxxx
gateway_port=443
name=VPN
password=xxxxxx
persistent=false
username=xxxxxx
Running openfortivpn with the --trusted-cert b4ecba868189b92axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx parameter connects without any issues, so I assume openfortigui somehow does not include the --trusted-cert parameter when connecting.
I'm already using OpenfortiGUI 0.9.9-3 but the issue still persists.
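As an added illustration, not openfortiGUI's or openfortivpn's own code, this is how a wrapper would translate the profile's [cert] section shown above into openfortivpn's command-line arguments, including the --trusted-cert pin the report shows being dropped. The sample profile and digest are constructed; --ca-file, --user-cert and --user-key are openfortivpn's file options, while the trust_all_gw_certs and verify_cert switches are deliberately left unmapped.

```python
import configparser
import re
from typing import List

# Constructed placeholder, not a real gateway fingerprint: the report's digest
# prefix padded to the 64 hex characters of a SHA-256 digest.
PLACEHOLDER_DIGEST = "b4ecba868189b92a" + "0" * 48

# Constructed profile modelled on the [cert] section of the VPN.conf above.
SAMPLE_PROFILE = f"""\
[cert]
ca_file=
trust_all_gw_certs=true
trusted_cert={PLACEHOLDER_DIGEST}
user_cert=
user_key=
verify_cert=false
"""

_DIGEST_RE = re.compile(r"[0-9a-f]{64}")


def normalize_digest(raw: str) -> str:
    """Accept bare or colon-separated hex in any case; return bare lowercase hex."""
    digest = raw.strip().replace(":", "").lower()
    if not _DIGEST_RE.fullmatch(digest):
        raise ValueError("trusted_cert is not a 64-hex-character SHA-256 digest")
    return digest


def cert_args(profile_text: str) -> List[str]:
    """Build openfortivpn's certificate arguments from a profile's [cert] section."""
    cfg = configparser.ConfigParser()
    cfg.read_string(profile_text)
    if not cfg.has_section("cert"):
        return []
    cert = cfg["cert"]
    args: List[str] = []
    pin = cert.get("trusted_cert", "").strip()
    if pin:
        # The value the report shows being dropped. Forwarding the pin lets the
        # one expected gateway cert pass while any other cert is still rejected,
        # unlike a "trust all" switch that disables validation entirely.
        args += ["--trusted-cert", normalize_digest(pin)]
    for key, flag in (("ca_file", "--ca-file"), ("user_cert", "--user-cert"),
                      ("user_key", "--user-key")):
        value = cert.get(key, "").strip()
        if value:
            args += [flag, value]
    return args
```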
I can confirm this issue, which is also preventing me from connecting. In the OpenfortiGUI log I see:
ERROR: Gateway certificate validation failed, and the certificate digest is not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert .....
... but there is no way to provide that trusted-cert parameter via the GUI. When trying to run openfortigui via the CLI, there is no such parameter as --trusted-cert; only openfortivpn has it.
Even connecting with "Trust all certs" does not help.
Actually, in the file ~/.openfortigui/vpnprofiles/profilename.conf the parameter trusted_cert= is set with the proper hash, but openfortigui seems to ignore it.
Also tested the same cert with openfortivpn at the CLI and it connects properly. Just OpenfortiGUI does not connect.