yuezk / GlobalProtect-openconnect

A GlobalProtect VPN client for Linux, written in Rust, based on OpenConnect and Tauri, supports SSO with MFA, Yubikey, and client certificate authentication, etc.
GNU General Public License v3.0

Certificate from VPN server "domain.com" failed verification #57

Closed anhnn2010 closed 7 months ago

anhnn2010 commented 3 years ago

Hi yuezk,

I tried to install your app via the AUR on Arch Linux. It looks like I am getting the error below, and the GUI is still stuck on connecting. Do you have any suggestions for me?

Thank you so much.

➜  ~ gpclient           
2021-04-30 21:08:16.741 INFO  [107907] [main@22] GlobalProtect started, version: v1.2.8
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
2021-04-30 21:08:16.882 INFO  [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:21.936 INFO  [107907] [GPClient::doConnect@205] Start connecting...
2021-04-30 21:08:21.936 INFO  [107907] [GPClient::doConnect@221] Start gateway login using the previously saved gateway...
2021-04-30 21:08:21.936 INFO  [107907] [GPClient::gatewayLogin@316] Performing gateway login...
2021-04-30 21:08:21.946 INFO  [107907] [GatewayAuthenticator::authenticate@26] Start gateway authentication...
2021-04-30 21:08:21.946 INFO  [107907] [GatewayAuthenticator::login@38] Trying to login the gateway at https://domain.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=archlinux&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=
2021-04-30 21:08:21.953 INFO  [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:22.252 ERROR [107907] [GatewayAuthenticator::onLoginFinished@49] Failed to login the gateway at https://domain.com/ssl-vpn/login.esp, Error transferring https://domain.com/ssl-vpn/login.esp - server replied: Custom error
2021-04-30 21:08:22.252 INFO  [107907] [GatewayAuthenticator::doAuth@70] Perform the gateway prelogin at https://domain.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-04-30 21:08:22.306 INFO  [107907] [GatewayAuthenticator::onPreloginFinished@87] Gateway prelogin succeeded.
2021-04-30 21:08:22.306 INFO  [107907] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-04-30 21:08:22.306 INFO  [107907] [GatewayAuthenticator::samlAuth@145] Trying to perform SAML login with saml-method POST

DevTools listening on ws://127.0.0.1:12315/devtools/browser/1eefecdc-97b0-4c30-b482-70ae4a11d9bf
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2021-04-30 21:08:22.548 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from data:text/html;charset=UTF-8,%3Chtml%3E%0A%3Cbody%3E%0A%3Cform%20id%3D%22myform%22%20method%3D%22POST%22%20action%3D%22https%3A%2F%2Fampere.okta.com%2Fapp%2Fpanw_globalprotect%2Fexk1bxl9ruNWn42ag2p7%2Fsso%2Fsaml%22%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22SAMLRequest%22%20value%3D%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%3D%22%20%2F%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22RelayState%22%20value%3D%22X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D%22%20%2F%3E%0A%3C%2Fform%3E%0A%3Cscript%3E%0A%20%20document.getElementById%28%27myform%27%29.submit%28%29%3B%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0D%0A
2021-04-30 21:08:22.566 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://domain.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-04-30 21:08:22.596 INFO  [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:23.543 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml
2021-04-30 21:08:23.801 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml
2021-04-30 21:08:23.819 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2021-04-30 21:08:31.839 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=QUwHQ2ouIq4e7L1iVWc_Fvg24w0eaL59dxdQ8tDYpjM
2021-04-30 21:08:31.971 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=QUwHQ2ouIq4e7L1iVWc_Fvg24w0eaL59dxdQ8tDYpjM
2021-04-30 21:08:31.988 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2021-04-30 21:08:40.747 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/auth/services/devicefingerprint
2021-04-30 21:08:45.963 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml?RelayState=X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D&SAMLRequest=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%3D&OKTA_INVALID_SESSION_REPOST=true&fromLoginToken=Tui3dPrA1JBfU3CEqq1byKshmyixe_54moJy-84R7K1bw0QzfxNIsyCBl2t6BZfoBAv5-K1SiyM5GTMsvVrjq7ZusdYDHgx2WPva3hgzPVJCjIeGi_Us5dPLdptQTaLqIO-9-JIpyoBiiBX4rgOXQnJvLkGY0_aFcB8UYd2jPGxRJBMyewKWgzy2_hVUazcq3Rbz28oC7ZQ_Tl82yGUJcGOyyudZdlYP5OhIwni6HNMQoDvDOoBc5wPMRmehr1J7tWPtciJ6lkSV8vNk-622-Qj9DIhY2lYmuU7a7E6c19EYlOhC67V7_ZQ1x9ZtOtrZnJeHbVMAdBH_V8EyLoKlNA&fromLogin=true
2021-04-30 21:08:46.018 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml?RelayState=X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D&SAMLRequest=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%3D&OKTA_INVALID_SESSION_REPOST=true&fromLoginToken=Tui3dPrA1JBfU3CEqq1byKshmyixe_54moJy-84R7K1bw0QzfxNIsyCBl2t6BZfoBAv5-K1SiyM5GTMsvVrjq7ZusdYDHgx2WPva3hgzPVJCjIeGi_Us5dPLdptQTaLqIO-9-JIpyoBiiBX4rgOXQnJvLkGY0_aFcB8UYd2jPGxRJBMyewKWgzy2_hVUazcq3Rbz28oC7ZQ_Tl82yGUJcGOyyudZdlYP5OhIwni6HNMQoDvDOoBc5wPMRmehr1J7tWPtciJ6lkSV8vNk-622-Qj9DIhY2lYmuU7a7E6c19EYlOhC67V7_ZQ1x9ZtOtrZnJeHbVMAdBH_V8EyLoKlNA&fromLogin=true
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://domain.com/SAML20/SP/ACS
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers user@amperecomputing.com
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj
2021-04-30 21:08:46.249 INFO  [107907] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: user@amperecomputing.com, preloginCookie: 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj, userAuthCookie: 
2021-04-30 21:08:46.249 INFO  [107907] [GatewayAuthenticator::onSAMLLoginSuccess@159] SAML login succeeded, got the prelogin-cookie 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj
2021-04-30 21:08:46.249 INFO  [107907] [GatewayAuthenticator::login@38] Trying to login the gateway at https://domain.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&passwd=&computer=archlinux&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&ipv6-support=yes&user=user%40amperecomputing.com&prelogin-cookie=7VLebqohAbwpiC%2Fd8LXKQ5ZbcT5aSEwBfVfS6CQT%2FDfvh%2F37td4QXMXlcH2H%2BeVj&portal-userauthcookie=
2021-04-30 21:08:46.262 INFO  [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://domain.com/SAML20/SP/ACS
2021-04-30 21:08:46.568 INFO  [107907] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2021-04-30 21:08:46.568 INFO  [107907] [gpclient::helper::parseGatewayResponse@51] The gateway response is: <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>b7d318507e558f08fbfc57f64d29fb31</argument><argument>60fcc526263bf76ebcaa5e44853be0880054aa50</argument><argument>AMPERE-GP-GATEWAY-N</argument><argument>user@amperecomputing.com</argument><argument>OKTA-SAML-AUTH</argument><argument>vsys1</argument><argument>%28empty_domain%29</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>tunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument>GLmRKlUXLCPtfZ4JNr0nKyxZX7Winfenli2kV3FkSPaPC5auGXY+g2ggevZr/kD1NqafK6vHrZyPzlhaNRt0SqxL/5YavDqD9oI9zRjPGnXhM/jjE30EUr6g+HrUmPOwu/aMu7yKmDXas0uWnyzrny7GEgCkxFDKYwiIzm4plcPXP6TJrMCiOanSOu0YDzvgWTnyKaT7VkXe49OxkOQ72LAj8D6JscPrRktjTRYc23g09RF6Pgf/Phb9jAApyrFYz4Me29z5erqbkNLIpbPUDIkgcIGqhN31/UevAzPvl1ghthR/eYlWAYbwG+Vv8f3sj2ajaDlXzUyED4D+cbL96w==</argument><argument>nCbwhcE2l1YKs2LQ1YyhgnMImoSy1toM0bX9gFhgdOhMmdGhBe75Bh66FKistKS8Rjy8qNQREGKraa4lfJYCt2dx87Qi7xY3lID21239WbPgkrKMkdAv0zR7GNbcBotoDtKPfv3f0VM2HEJcpvoInz9bpskuTdQnQLKMXFW7GBXKGs5F8tlDQbKyD97H6W6oGBd7Ey5mbVDH/ks40rlf1pDNVXOY9AL2cSa8qH1+lbJpOE5ZlQQBpLNqms37YJXg8k2qYOx/cgw1avVT2iS/C8cAaGyskl/BvkrmrBEfgDJD/rChqYPVxKu1pHN/kHfMUDvD45Q6jL799Zv0zIOSjQ==</argument><argument></argument><argument>4</argument><argument>unknown</argument><argument></argument></application-desc></jnlp>
2021-04-30 21:08:46.568 INFO  [107907] [GPClient::onGatewaySuccess@330] Gateway login succeeded, got the cookie authcookie=b7d318507e558f08fbfc57f64d29fb31&portal=AMPERE-GP-GATEWAY-N&user=user%40amperecomputing.com&domain=%2528empty_domain%2529&preferred-ip=&computer=archlinux
2021-04-30 21:08:46.578 INFO  [107907] [GPClient::onVPNLogAvailable@440] Openconnect started successfully, PID=107979
2021-04-30 21:08:46.593 INFO  [107907] [GPClient::onVPNLogAvailable@440] POST https://domain.com/ssl-vpn/getconfig.esp

2021-04-30 21:08:46.613 INFO  [107907] [GPClient::onVPNLogAvailable@440] Connected to 118.222.222.222:443

2021-04-30 21:08:46.655 INFO  [107907] [GPClient::onVPNLogAvailable@440] SSL negotiation with domain.com

2021-04-30 21:08:46.666 INFO  [107907] [GPClient::onVPNLogAvailable@440] Server certificate verify failed: signer not found

2021-04-30 21:08:46.666 INFO  [107907] [GPClient::onVPNLogAvailable@440] 
Certificate from VPN server "domain.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:6Fgnj5yL0P2eRa6h0l22NE4RmadyuojpJGXWadVYqxI=
Enter 'yes' to accept, 'no' to abort; anything else to view: 
yes

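The openconnect prompt at the end of the log offers a `pin-sha256:` value. Before passing it with `--servercert` (the workaround that #21 refers to), the check a practitioner wants is that the pin matches a certificate obtained from the gateway administrator out of band, because accepting the pin as presented simply trusts whatever answered on port 443 at that moment. The script below is an added example, not code from the project or from anyone in this thread; it assumes `openssl` is installed, uses a throwaway self-signed certificate (generated in a temp directory) as a stand-in for the admin-supplied one, and `domain.com` is a placeholder host name.

```shell
#!/bin/sh
# Added example (not the project's code): verify an openconnect
# "--servercert pin-sha256:..." value against a certificate obtained
# out of band, and inspect the chain a gateway actually serves.
# Assumes openssl is installed; host names and paths are placeholders.
set -eu

# pin_sha256 CERT.pem -> prints the SPKI pin in the form openconnect expects.
# The pin hashes the DER SubjectPublicKeyInfo, not the whole certificate,
# so it survives a re-issue of the certificate with the same key.
pin_sha256() {
    openssl x509 -in "$1" -pubkey -noout \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -binary \
      | openssl base64 | tr -d '\n'
}

# check_pin 'pin-sha256:BASE64' CERT.pem -> 0 if the pin from the prompt
# matches the out-of-band certificate, 1 otherwise.
check_pin() {
    expected=${1#pin-sha256:}
    actual=$(pin_sha256 "$2")
    if [ "$expected" = "$actual" ]; then
        echo "pin matches $2"
        return 0
    fi
    echo "pin MISMATCH: prompt says $expected, certificate gives $actual" >&2
    return 1
}

# show_chain HOST -> lists the certificates the gateway sends plus the
# verify result. "unable to get local issuer certificate" with only one
# certificate printed means the intermediate is missing server-side, and
# the fix belongs on the gateway, not in the client. Needs network access,
# so it is not called in the self-contained demo below.
show_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
      | grep -E 'BEGIN CERTIFICATE|s:|i:|Verify return code'
}

# Self-contained demo: a throwaway self-signed certificate (constructed
# here) stands in for the one a gateway admin would hand over out of band.
DEMO_DIR=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=domain.com" \
  -keyout "$DEMO_DIR/key.pem" -out "$DEMO_DIR/cert.pem" 2>/dev/null
DEMO_PIN="pin-sha256:$(pin_sha256 "$DEMO_DIR/cert.pem")"
echo "openconnect would accept: --servercert $DEMO_PIN"
check_pin "$DEMO_PIN" "$DEMO_DIR/cert.pem"
```

If the pin from the prompt does not match the certificate the administrator gave you, stop and ask why before connecting. If the gateway certificate was issued by a private CA, adding that CA to the system trust store (or pointing openconnect at it with `--cafile`) removes the need for a pin and keeps verification working when the gateway key is rotated.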

mari-arondeus commented 3 years ago

Yep, I'm getting the same issue now. Do you happen to be using a Palo Alto firewall? I suspect something must have changed on their end that breaks this.

Scratch that, check out #21 if you're still having this issue. Fixed it for me and I suspect it would solve your issue as well. I wish there was a way to set a different set of arguments for every connection profile/server, but that doesn't seem very simple to create. Anywho, #21 really ought to be pinned or something since just about everyone is probably going to start running into this issue.

yuezk commented 3 years ago

Pinned and I will try to add a GUI configuration to pass custom arguments easily.

yuezk commented 7 months ago

No longer a problem in the latest 2.x release, closing.