Hello, comrades.
Past few hours I've been trying to get subject working. I have a 19.07.1 with luci-proto-openconnect pkg installed and got a pfx personal cert from my org. Converted it to PEM format with
openssl pkcs12 -in my_cert.pfx -nocerts -out cert.pem
and removed a passphrase from PEM with
openssl rsa -in cert.pem -out cert.key
Also, I've got a CA cert in base64 format.
Everything provided is properly used in webgui and yet can't connect to my org. Here is log:
daemon.info openconnect[11874]: POST https://?
daemon.info openconnect[11874]: Connected to ?
daemon.info openconnect[11874]: SSL negotiation with ?
daemon.info openconnect[11874]: Server certificate verify failed: signer not found
daemon.notice netifd: (11874): Certificate from VPN server "?" failed verification.
daemon.notice netifd: (11874): Reason: signer not found
daemon.notice netifd: (11874): To trust this server in future, perhaps add this to your command line:
daemon.notice netifd: (11874): --servercert ...
daemon.notice openconnect[11874]: SSL connection failure: Error in the certificate.
daemon.notice openconnect[11874]: Failed to open HTTPS connection to ?
As far as I understand I should not get any errors related to server's certificate SHA1 hash because I provided a CA cert to validate server's certificate Sigh
Ok, I've added proposed hash to the config and re-ran. Got the following error:
Your certificate is invalid for the selected group
Yeah, right, but there is no auth group is provided by server. Ok, I tried auth group DEFAULT. No luck.
On Windows, OpenConnect-GUI connects without any troubles. Does not ask for auth group either. I looked into log for some info and noticed this
16:29:33 | 1878 | Connected to ?
There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
16:29:33 | 1878 | There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
16:29:33 | 1878 | There was a non-CA certificate in the trusted list: CN=Root Agency.
16:29:33 | 1878 | Using client certificate 'username'
16:29:33 | 1878 | Adding supporting CA 'ACME External CA 2'
16:29:33 | 1878 | SSL negotiation with ?
These strings about cert are absent on openwrt. So, my guess is openconnect does things wrong .. or me.
Who can help me to deal with this issue?
Thanks.