公司VPN的新证书,现在openconnect不起作用
因此,由于工作中的“升级”,我们获得了新的VPN证书。 它是自签名的,不再有效。 这是系统日志:
openconnect[6002]: Connected to xxx:443 openconnect[6002]: SSL negotiation with xxx openconnect[6002]: Server certificate verify failed: signer not found openconnect[6002]: Connected to HTTPS on xxx openconnect[6002]: Got CONNECT response: HTTP/1.1 200 OK openconnect[6002]: CSTP connected. DPD 300, Keepalive 30 NetworkManager[1273]: Set up DTLS failed; using SSL instead openconnect[6002]: Connected as 192.168.0.160, using SSL openconnect[6002]: SIOCSIFMTU: Operation not permitted NetworkManager[1273]: [1537565026.6078] vpn-connection[0x55ab83c186c0,a0614dc2-f483-4dc9-87d4-7b9ac4169d31,"company",0]: VPN connection: (IP Config Get) reply received. NetworkManager[1273]: [1537565026.6106] vpn-connection[0x55ab83c186c0,a0614dc2-f483-4dc9-87d4-7b9ac4169d31,"company",7:(vpn0)]: VPN connection: (IP4 Config Get) reply received NetworkManager[1273]: [1537565026.6107] vpn-connection[0x55ab83c186c0,a0614dc2-f483-4dc9-87d4-7b9ac4169d31,"company",7:(vpn0)]: invalid IP4 config received! NetworkManager[1273]: [1537565026.6107] vpn-connection[0x55ab83c186c0,a0614dc2-f483-4dc9-87d4-7b9ac4169d31,"company",7:(vpn0)]: VPN connection: did not receive valid IP config information NetworkManager[1273]: [1537565026.6129] vpn-connection[0x55ab83c186c0,a0614dc2-f483-4dc9-87d4-7b9ac4169d31,"company",0]: VPN plugin: state changed: started (4) NetworkManager[1273]: [1537565026.6133] vpn-connection[0x55ab83c186c0,a0614dc2-f483-4dc9-87d4-7b9ac4169d31,"company",0]: VPN plugin: state changed: stopping (5) NetworkManager[1273]: [1537565026.6134] vpn-connection[0x55ab83c186c0,a0614dc2-f483-4dc9-87d4-7b9ac4169d31,"company",0]: VPN plugin: state changed: stopped (6)
我看到签名者没有找到错误,但是它已经过了“收到的IP4配置无效!” 这里发生了什么,我该如何解决?
或者更好的是,告诉openconnect信任自签名证书。
连接时使用–servercert选项有一种解决方法:
在终端输入
sudo openconnect --protocol=gp
并得到消息:
Certificate from VPN server "serverhost" failed verification. Reason: signer not found To trust this server in future, perhaps add this to your command line: --servercert pin-sha256:serverfingerprint Enter 'sì' to accept, 'no' to abort; anything else to view:
然后最终在命令行选项中使用指纹:
openconnect --servercert=sha1:26cfbcdefg... [usual arguments]
要么
openconnect --servercert=sha256:a8cfbcdedeadbeefdeadbeeffg... [usual arguments]
来源https://github.com/dlenski/openconnect/issues/60