KB40278 - Pulse Secure Desktop for Linux fails to establish VPN connection with error message "Certificate Verification Failed"

Last Modified Date: 6/5/2018 4:27 PM
This article describes an issue where Pulse Secure Desktop for Linux fails to establish a VPN connection with the error message "Certificate Verification Failed".
Problem or Goal
If the Pulse Secure Desktop for Linux client fails to establish a VPN tunnel and pulsesvc.log states "Certificate Verification Failed", the client is unable to validate the device certificate on the PCS device.

To confirm the issue, review the pulsesvc.log from the following location:

Log Location: /home/<userprofile>/.pulse_secure/pulse/pulsesvc.log

The log will contain the following entries:

dsssl.warn ssl_init : Failed to load CA certificates (DSSSLSock.cpp:1515)
Setting NCP certificate hash for DSSSL certificate verification (ncp.cpp:1934)
Using DSSSL to connect to IVE (ncp.cpp:2023)
creating a new HTTP connection... (ncp_dsssl.cpp:187)
dsssl.error verify_server_cert_callback : Certificate Verification Failed : error:self signed certificate depth:0 errorno:18 (DSSSLSock.cpp:1588)
log_cert_info : Subject : C = ??, ST = ??, L = ??, O = "ra,", OU = ??,
dsssl.error SSL_connect failed. Error 1 (DSSSLSock.cpp:1834)
connect.error dshttp connect to XX.XX.XXX.XXX failed with error 536875113 (ncp_dsssl.cpp:240)
main.error SSL connect failed. Error 536875113 (ncp.cpp:2026)

This issue occurs when one of the following conditions is met:
  • The issuing Certificate Authority (CA) certificate for the device certificate from the PCS device is missing
  • A self-signed certificate is utilized on the PCS device
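
To tell from pulsesvc.log which of the two conditions applies, the following added example (not part of the original article and not Pulse Secure code) parses entries in the format shown above and maps the OpenSSL errorno to a likely cause. The triage function and the mappings for codes 19 to 21 are assumptions based on OpenSSL's standard verify codes; the article's log shows only errorno 18.

```python
import re

# OpenSSL X509 verify result codes. Only 18 appears in the article's log;
# 19, 20 and 21 are OpenSSL's standard codes for the related chain failures.
VERIFY_CODES = {
    18: "self-signed device certificate",
    19: "self-signed certificate in chain (private root CA not trusted)",
    20: "issuing CA certificate missing from the client's CA bundle",
    21: "issuing CA certificate missing from the client's CA bundle",
}

# \s* around the colon tolerates a verification entry wrapped over two lines.
VERIFY_RE = re.compile(
    r"Certificate Verification Failed\s*:\s*error:(?P<reason>.+?)"
    r"\s+depth:(?P<depth>\d+)\s+errorno:(?P<errno>\d+)"
)
BUNDLE_WARNING = "Failed to load CA certificates"

# Entries from the article's pulsesvc.log excerpt; the verification entry is
# deliberately left wrapped to exercise the regex.
SAMPLE_LOG = """\
dsssl.warn ssl_init : Failed to load CA certificates (DSSSLSock.cpp:1515)
dsssl.error verify_server_cert_callback : Certificate Verification Failed :
error:self signed certificate depth:0 errorno:18 (DSSSLSock.cpp:1588)
dsssl.error SSL_connect failed. Error 1 (DSSSLSock.cpp:1834)
main.error SSL connect failed. Error 536875113 (ncp.cpp:2026)
"""


def triage(log_text):
    """Return one finding per certificate-related entry in pulsesvc.log text."""
    findings = []
    if BUNDLE_WARNING in log_text:
        # Assumption: this warning means no CA bundle was read from disk.
        findings.append({"errno": None, "depth": None,
                         "cause": "client could not load a CA bundle"})
    for m in VERIFY_RE.finditer(log_text):
        code = int(m["errno"])
        findings.append({
            "errno": code,
            "depth": int(m["depth"]),
            "reason": m["reason"].strip(),
            "cause": VERIFY_CODES.get(code, "other verification error"),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
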
To resolve this issue for a self-signed certificate, perform the following steps:
  1. From the admin console, navigate to Configuration > Certificate > Device Certificates
  2. Under Certificate Details, click Download.  The certificate will be saved in PEM format.
  3. Copy the downloaded file to the Linux machine.
  4. Open the file with a text editor (e.g. gedit or vi).
  5. Copy the certificate text starting from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----".
  6. Using a terminal, copy the system CA bundle (ca-certificates.crt or ca-bundle.crt) to the desktop using the command that matches your distribution. The bundle locations are:
      /etc/pki/tls/certs/ca-bundle.crt (RHEL/CentOS)
      /etc/ssl/certs/ca-certificates.crt (Debian)

$ sudo cp /etc/ssl/certs/ca-certificates.crt /home/<userprofile>/Desktop
$ sudo cp /etc/pki/tls/certs/ca-bundle.crt /home/<userprofile>/Desktop
  7. Using a text editor, open ca-certificates.crt or ca-bundle.crt and paste the certificate text copied in step 5 at the end of the file.
  8. Execute the following command to copy the appended ca-certificates.crt or ca-bundle.crt back to its original location:
$ sudo cp /home/<userprofile>/Desktop/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
$ sudo cp /home/<userprofile>/Desktop/ca-bundle.crt /etc/pki/tls/certs/ca-bundle.crt
  9. Click the Connect button in the Pulse GUI.

Note:  For scenarios where the device certificate is issued from a private CA, steps 5 to 8 should be followed.
Created By: s ramkumar