Reset Search
 

 
Article

KB40278 - Pulse Secure Desktop for Linux fails to establish VPN connection with error message "Certificate Verification Failed"

Printable View
« Go Back

Information

 
Last Modified Date6/5/2018 4:27 PM
Synopsis
This article describes an issue where Pulse Secure Desktop for Linux fails to establish VPN connection with error message "Certificate Verification Failed".
Problem or Goal
If the Pulse Secure Desktop for Linux client fails to establish a VPN tunnel and the pulsesvc.log states "Certificate Validation Failed", then this would indicate that the client is unable to validate the device certificate on the PCS device.

To confirm the issue, review the pulsesvc.log from the following location:

Log Location: /home/<userprofile>/.pulse_secure/pulse/pulsesvc.log

The log will contain the following entries:
  
dsssl.warn ssl_init : Failed to load CA certificates (DSSSLSock.cpp:1515)
main.info Setting NCP certificate hash for DSSSL certificate verification (ncp.cpp:1934)
main.info Using DSSSL to connect to IVE (ncp.cpp:2023)
connect.info creating a new HTTP connection... (ncp_dsssl.cpp:187)
dsssl.error verify_server_cert_callback : Certificate Verification Failed : 
error:self signed certificate depth:0 errorno:18 (DSSSLSock.cpp:1588)

dsssl.info log_cert_info : Subject : C = ??, ST = ??, L = ??, O = "ra,", OU = ??, 
dsssl.error SSL_connect failed. Error 1 (DSSSLSock.cpp:1834)
connect.error dshttp connect to XX.XX.XXX.XXX failed with error 536875113 (ncp_dsssl.cpp:240)
main.error SSL connect failed. Error 536875113 (ncp.cpp:2026)
Cause
The following issue occurs when one of the following conditions are met:
  • The issuing Certificate Authority (CA) certificate for the device certificate from the PCS device is missing
  • A self-signed certificate is utilized on the PCS device
Solution
To resolve this issue for a self-signed certificate, perform the following steps:
  1. From the admin console, navigate to Configuration > Certificate > Device Certificates
  2. Under Certificate Details, click Download.  The certificate will be saved in PEM format.
  3. Copy the following file to the Linux machine.
  4. Open the file with a text editor (i.e gedit or vi)
  5. Copy the certificate text starting from  "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----" as per the following example:
-----BEGIN CERTIFICATE-----
......
-----END CERTIFICATE-----
  1. Using terminal, copy the selected certificate text to the desktop with file name of ca-certificates.crt or ca-bundle.crt using the following command:
            "/etc/pki/tls/certs/ca-bundle.crt",  /* CA_CERT_LOCATION_RHEL_CENTOS */
      "/etc/ssl/certs/ca-certificates.crt" /* CA_CERT_LOCATION_DEBIAN */
  
$ sudo cp /etc/ssl/certs/ca-certificates.crt  /home/<userprofile>/Desktop ​
$ sudo cp /etc/pki/tls/certs/ca-bundle.crt  /home/<userprofile>/Desktop
  1. Using a text editor, open ca-certificate.crt or ca-bundle.crt and paste the certificate hash value at the end of the file.  
  2. Execute the following command to appended ca-certificate.crt to the original location  
:/etc/ssl/certs/ca-certificates.crt 
$ sudo cp /home/<user_profile>/Downloads/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
$ sudo cp /home/<user_profile>/Downloads/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt 
  1. Click on connect button from Pulse GUI.

Note:  For scenarios where the device certificate is issued from a private CA, steps 5 to 8 should be followed.
Related Links
Attachment 1 
Created Bys ramkumar

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255