theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

Connection problem with 7.3 #74

Closed mgogala closed 5 years ago

mgogala commented 5 years ago

I upgraded today my OpenFortiGUI from 7.2.2 to 7.3 and connection failed with the following log:

ERROR: SSL_CTX_load_verify_locations: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib
INFO: Closed connection to gateway.

I downgraded back to 7.2.2 and everything works as it should.

mgogala commented 5 years ago

The OS is Ubuntu 18.04, 64 bit with all updates installed. I carefully upgraded to 7.2.3 and verified that it works. I've put the version on hold (apt-mark hold openfortigui) to prevent automatic upgrades. For now, the software works as needed, after downgrade to 7.2.3.

theinvisible commented 5 years ago

Sorry, was a bug from the new CA feature. I released now a bugfix release 0.7.3.1 and it's already updated in Repos. Please give it a try. Regards

mgogala commented 5 years ago

Unfortunately still doesn't work:

INFO: Start tunnel.
ERROR: Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: or add this line to your config file:
ERROR: trusted-cert = 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: Gateway certificate:
ERROR: subject:
ERROR: OU=Domain Control Validated
ERROR: CN=.mapscu.com
ERROR: issuer:
ERROR: C=US
ERROR: ST=Arizona
ERROR: L=Scottsdale
ERROR: O=GoDaddy.com, Inc.
ERROR: OU=http:
ERROR: certs.godaddy.com
ERROR: repository
ERROR: CN=Go Daddy Secure Certificate Authority - G2
ERROR: sha256 digest:
ERROR: 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
INFO: Closed connection to gateway.
ERROR: Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: or add this line to your config file:
ERROR: trusted-cert = 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: Gateway certificate:
ERROR: subject:
ERROR: OU=Domain Control Validated
ERROR: CN=.mapscu.com
ERROR: issuer:
ERROR: C=US
ERROR: ST=Arizona
ERROR: L=Scottsdale
ERROR: O=GoDaddy.com, Inc.
ERROR: OU=http:
ERROR: certs.godaddy.com
ERROR: repository
ERROR: CN=Go Daddy Secure Certificate Authority - G2
ERROR: sha256 digest:
ERROR: 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
INFO: Could not log out.
INFO: Start tunnel.
ERROR: Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: or add this line to your config file:
ERROR: trusted-cert = 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: Gateway certificate:
ERROR: subject:
ERROR: OU=Domain Control Validated
ERROR: CN=.mapscu.com
ERROR: issuer:
ERROR: C=US
ERROR: ST=Arizona
ERROR: L=Scottsdale
ERROR: O=GoDaddy.com, Inc.
ERROR: OU=http:
ERROR: certs.godaddy.com
ERROR: repository
ERROR: CN=Go Daddy Secure Certificate Authority - G2
ERROR: sha256 digest:
ERROR: 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
INFO: Closed connection to gateway.
ERROR: Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: or add this line to your config file:
ERROR: trusted-cert = 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: Gateway certificate:
ERROR: subject:
ERROR: OU=Domain Control Validated
ERROR: CN=.mapscu.com
ERROR: issuer:
ERROR: C=US
ERROR: ST=Arizona
ERROR: L=Scottsdale
ERROR: O=GoDaddy.com, Inc.
ERROR: OU=http:
ERROR: certs.godaddy.com
ERROR: repository
ERROR: CN=Go Daddy Secure Certificate Authority - G2
ERROR: sha256 digest:
ERROR: 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
INFO: Could not log out.

I added trusted-cert to my main.conf:

[gui]
main_toolbar_location=4

[main]
aesiv=VoUT5n5ToogkmQU3
aeskey=yowp2IwTTRodgdWp
changelogrev_read=7
debug=true
setupwizard=true
start_minimized=false
trusted-cert=2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd

[paths]
globalvpnprofiles=/etc/openfortigui/vpnprofiles
initd=/etc/init.d/openfortigui
localvpngroups=~/.openfortigui/vpngroups
localvpnprofiles=~/.openfortigui/vpnprofiles
logs=/home/mgogala/.openfortigui/logs

theinvisible commented 5 years ago

The option for trusted cert in OpenFortiGUI is "trusted_cert" and not "trusted-cert". These are error messages from openfortivpn core.

mgogala commented 5 years ago

Hi! It works now. I edited the VPN connection in the GUI and added trusted certificate. Thank you very much for your help.
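
Added example, not part of the thread and not code from openfortivpn or OpenFortiGUI: the digest in the error output above is the SHA-256 of whatever certificate the network path presented, so this sketch parses that output and releases the digest for pinning only when it matches a copy of the gateway certificate obtained out of band. The function names and the placeholder certificate bytes are assumptions; the log sample is abridged from the output posted in the thread.

```python
import hashlib
import re

HEX64 = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample: abridged openfortivpn output from this thread.
SAMPLE_LOG = """\
ERROR: Gateway certificate validation failed, and the certificate digest in not in the local whitelist. If you trust it, rerun with:
ERROR: --trusted-cert 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
ERROR: Gateway certificate:
ERROR: subject:
ERROR: OU=Domain Control Validated
ERROR: CN=.mapscu.com
ERROR: issuer:
ERROR: O=GoDaddy.com, Inc.
ERROR: CN=Go Daddy Secure Certificate Authority - G2
ERROR: sha256 digest:
ERROR: 2d712fe2186af77278bec4443f36756738b83f2d7b0bd8780883385a614a26cd
INFO: Closed connection to gateway.
"""

def parse_rejected_cert(log):
    """Extract subject, issuer and SHA-256 digest of the rejected certificate."""
    cert = {"subject": [], "issuer": [], "digest": None}
    section = None
    for line in log.splitlines():
        level, _, msg = line.partition(":")
        msg = msg.strip()
        if level.strip() != "ERROR":
            section = None              # an INFO line ends the certificate dump
        elif msg in ("subject:", "issuer:", "sha256 digest:"):
            section = msg[:-1]
            if section != "sha256 digest":
                cert[section] = []      # a repeated dump replaces the earlier one
        elif section == "sha256 digest" and HEX64.fullmatch(msg):
            cert["digest"] = msg.lower()
        elif section in ("subject", "issuer"):
            cert[section].append(msg)
    return cert if cert["digest"] else None

def digest_safe_to_pin(log, reference_der):
    """Return the logged digest only if it equals the SHA-256 of a certificate
    obtained out of band (reference_der: DER bytes); otherwise None."""
    cert = parse_rejected_cert(log)
    if cert is None:
        return None
    expected = hashlib.sha256(reference_der).hexdigest()
    return cert["digest"] if cert["digest"] == expected else None

if __name__ == "__main__":
    # Constructed placeholder bytes, not a real certificate: the check must fail.
    print(digest_safe_to_pin(SAMPLE_LOG, b"constructed placeholder, not a real DER certificate"))
```
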