Linux – How to install a missing intermediate SSL certificate system wide client side so that a CLI tool such as Juniper ncsvc uses it

juniper, linux, openssl, ssl-certificate, vpn

I'm struggling with the Juniper ncsvc CLI VPN client, which used to work for me but recently broke, and I suspect it's because of a HTTPS SSL Certificate issue:

cat ~/.juniper_networks/network_connect/ncsvc.log

20150930152023.821647 ncsvc[p32325.t32325] ncsvc.info New ncsvc log level set to 5 (nccommon.cpp:75)
20150930152023.821693 ncsvc[p32325.t32325] sysdeps.info restoring DNS settings... (sysdeps.cpp:975)
20150930152023.821703 ncsvc[p32325.t32325] sysdeps.error rename /etc/jnpr-nc-resolv.conf => /etc/resolv.conf failed wirh error 2 (sysdeps.cpp:978)
20150930152023.821710 ncsvc[p32325.t32325] sysdeps.error rename /etc/jnpr-nc-hosts.bak => /etc/hosts failed wirh error 2 (sysdeps.cpp:982)
20150930152023.824362 ncsvc[p32325.t32325] ncsvc.info Connecting to vpn.company.com:443 (ncsvc.cpp:500)
20150930152023.844579 ncsvc[p32325.t32325] dsclient.para DSClient::authenticate(): user:..., password:..., cert:0, realm:... (dsclient.cpp:284)
20150930152023.848116 ncsvc[p32325.t32325] DSInet.info IVE host vpn.company.com resolved to 212.203.116.107, port 443 (dsinet.cpp:311)
20150930152023.848241 ncsvc[p32325.t32325] http_connection.para Starting a timed connect with SSL session 0x933cc90, proxy (null):0, and timeout 30 (http_connection.cpp:236)
20150930152023.848251 ncsvc[p32325.t32325] http_connection.para Entering state_start_connection (http_connection.cpp:351)
20150930152023.848258 ncsvc[p32325.t32325] http_connection.para Remote Address: ip=212.203.116.107, port=443, familiy=2 (http_connection.cpp:799)
20150930152023.848271 ncsvc[p32325.t32325] http_connection.para Remote Server=vpn.company.com (http_connection.cpp:801)
20150930152023.848277 ncsvc[p32325.t32325] http_connection.para Local Address: ip=0.0.0.0, port=0, familiy=2 (http_connection.cpp:806)
20150930152023.848282 ncsvc[p32325.t32325] http_connection.para Proxy Address: ip=(null), port=0, familiy=0 (http_connection.cpp:811)
20150930152023.864122 ncsvc[p32325.t32325] http_connection.para Entering state_continue_connection (http_connection.cpp:368)
20150930152023.864188 ncsvc[p32325.t32325] http_connection.para Entering state_ssl_connect (http_connection.cpp:538)
20150930152023.880107 ncsvc[p32325.t32325] dsssl.error SSL_connect failed. Error 5 (DSSSLSock.cpp:1619)
20150930152023.880153 ncsvc[p32325.t32325] http_connection.para Returning DSHTTP_ERROR from state_ssl_connect (http_connection.cpp:553)
20150930152023.880160 ncsvc[p32325.t32325] http_connection.para do_connect error: state 5, err 5 (http_connection.cpp:341)
20150930152023.880215 ncsvc[p32325.t32325] DSInet.error failed to connect to (vpn.company.com) error 5 (dsinet.cpp:383)
20150930152023.880229 ncsvc[p32325.t32325] dsclient.error unable to open URL: (https://vpn.company.com/launcher) with error -7 (dsclient.cpp:299)
20150930152023.880238 ncsvc[p32325.t32325] ncapp.error Failed to authenticate with IVE. Error 2 (ncsvc.cpp:231)
20150930152023.880261 ncsvc[p32325.t32325] dsncuiapi.para DsNcUiApi::~DsNcUiApi (dsncuiapi.cpp:83)

Going to https://cryptoreport.thawte.com/checker/ and typing vpn.company.com => "Certificate is not installed correctly. You have 1 error, Intermediate certificate missing: Thawte SSL CA | Download certificate". Firefox 41 (but not Chromium 45) similarly whines about https://vpn.company.com

So I guessed one should probably be able to manually install this missing intermediate certificate on the client side somehow (not server, I don't control that; waiting for response from internal IT…). cryptoreport.thawte.com conveniently offered it for download, so I've learnt:

cd Downloads
mv Thawte\ SSL\ CA.txt Thawte_SSL_CA.crt
file Thawte_SSL_CA.crt                  # should report a PEM certificate
openssl x509 -in Thawte_SSL_CA.crt -text  # check subject/issuer match the missing "Thawte SSL CA"

sudo cp Thawte_SSL_CA.crt /usr/share/ca-certificates/
sudo chmod a+r /usr/share/ca-certificates/Thawte_SSL_CA.crt  # "w+r" is not a valid chmod mode; a+r makes it world-readable
sudo dpkg-reconfigure ca-certificates   # tick the new certificate in the list it presents
sudo update-ca-certificates

However, Firefox is still not happy, but I learnt from https://askubuntu.com/questions/244582/add-certificate-authorities-system-wide-on-firefox that this is normal, because "Firefox does not have a 'central' location where it looks for certificates. It just looks into the current profile. That's why modifying /usr/share/ca-certificates or other similar directories won't work with Firefox." – fine. So I manually added that Thawte_SSL_CA.crt to Firefox. Still not happy, saying: Secure Connection Failed. An error occurred during a connection to vpn.company.com. Peer's certificate issuer has been marked as not trusted by the user. (Error code: sec_error_untrusted_issuer). The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

And even the Juniper ncsvc CLI VPN client still has the same problem. I don't see an option in that particular tool to ignore SSL validation.

Is there no way client side to work around such a missing intermediate SSL cert? I just want (to learn something here, and) the bloody VPN to work! 😉 Is the only solution for the web server operator to correctly configure this server side?
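The situation in the question can be reproduced offline with a throwaway three-tier PKI: the added example below (not part of the original post, Juniper's tooling or Debian's scripts; it only assumes the openssl CLI is installed and uses constructed names) shows the verifier failing when the server omits the intermediate, succeeding when the server sends it, and succeeding again when the client puts the intermediate in its own trust bundle, which is what adding a .crt and running update-ca-certificates does for OpenSSL-based clients such as ncsvc.

```shell
# Added example, not from the original post: build root -> intermediate -> leaf,
# then verify the leaf the way an OpenSSL-based client would. All names are
# constructed; nothing is installed system wide. Requires the openssl CLI.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA (openssl req -x509 marks it as a CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA: needs basicConstraints CA:TRUE, or OpenSSL refuses to
# treat it as an issuer ("invalid CA certificate").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >"$WORK/int.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

# Server (leaf) certificate issued by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' >"$WORK/leaf.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# $1 = trust bundle the client has; $2 = extra certs the server sent (optional).
# Succeeds only when OpenSSL can build and verify the whole chain.
verify_leaf() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}
# Case 1: server sends only the leaf, client trusts only the root. This is the
# "unable to get local issuer certificate" condition behind a failed SSL_connect.
missing_intermediate() { ! verify_leaf "$WORK/root.pem"; }
# Case 2: a correctly configured server sends leaf plus intermediate.
server_sends_chain() { verify_leaf "$WORK/root.pem" "$WORK/int.pem"; }
# Case 3: the question's client-side fix. The intermediate is appended to the
# local trust bundle (what update-ca-certificates does with an added .crt), so
# the chain now completes from the store alone, even though the server is wrong.
client_has_intermediate() {
  cat "$WORK/root.pem" "$WORK/int.pem" >"$WORK/bundle.pem"
  verify_leaf "$WORK/bundle.pem"
}
```

Firefox is the exception noted in the question: it verifies against its own NSS profile store, not the OpenSSL bundle, so case 3 only covers clients that read /etc/ssl/certs.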

Best Answer

Use the following instructions:

Click on Start then select Run and enter mmc.

Click on File and select Add/Remove Snap-in.

Choose Add, select Certificates in the Standalone Snap-in list then click Add.

Select Computer Account and click Next.

Select Local Computer and click Finish.

Better, check out the links below on installing the missing intermediate SSL certificate:

https://www.tbs-certificates.co.uk/FAQ/en/174.html

https://www.instantssl.com/ssl.html