KB44623 - When connecting to Pulse Connect Secure (PCS) device, end user is prompted with "Invalid server certificate. (Error 1107)"

Information

 
Last Modified Date: 11/14/2020 8:44 PM
Synopsis

When connecting to Pulse Connect Secure (PCS) device, end user is prompted with "Invalid server certificate. (Error 1107)"

This article describes an issue where end users cannot connect to the Pulse Connect Secure device and receive the error message "Invalid server certificate. (Error 1107)".
Problem or Goal
When the end user attempts to connect to Pulse Connect Secure, the following message appears:
Invalid server certificate. (Error 1107)

In the debuglog.log, the following message may appear:
 
'JamUI' Dynamic trust disabled, the server-cert-trust prompt will not be shown.
....
'iveConnectionMethod' Server certificate is invalid
Cause
This issue occurs when Dynamic certificate trust is disabled for the Pulse Desktop Client connection set. Pulse Secure recommends disabling Dynamic certificate trust. This setting helps prevent end users from connecting to an untrusted device instead of the trusted PCS. For more security best practices, please refer to KB44152 - Pulse Policy Secure: Security configuration best practices.
Solution
To resolve this problem, Pulse Connect Secure administrators should ensure all device certificates are trusted.  The three reasons the device certificate is untrusted are:
  1. Device certificate has reached expiration
  2. Device certificate is signed by an untrusted certificate authority or unable to chain to a trusted certificate authority
  3. Common Name (CN) does not match the connection URL


Issue #1: Device certificate has reached expiration

Please contact the certificate authority to issue a new certificate and install it on the Pulse Connect Secure device. For installation instructions, refer to the Admin Guide.

Issue #2: Device certificate is signed by an untrusted certificate authority or unable to chain to a trusted certificate authority

To validate if the certificate chain is installed properly on the PCS/PPS, navigate to the following website and enter the PCS/PPS URL.  

If there are any errors, please perform one of the following steps:
  • For end users, please contact your help desk or PCS/PPS administrator to notify them that the intermediate certificates are not properly installed on the device.
  • For PCS/PPS administrators, please contact the public certificate authority to determine the missing intermediate certificates. Once obtained, please refer to the Admin Guide for intermediate certificate installation instructions.
Pulse Secure strongly recommends using device certificates issued by a public certificate authority for all devices. If a self-signed certificate will be used with the PCS/PPS device, it is important to inform end users how to properly validate the certificate or manually install the certificate to avoid the warning prompt.

Issue #3: Common Name (CN) does not match the connection URL.

Ensure the connection set matches the common name on the certificate. End users should not connect by IP address. If the device is in a dev or staging environment without a valid FQDN, enabling Dynamic certificate trust is a workaround.
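
To find out which of the three issues applies, an administrator can attempt a fully verified TLS handshake against the device and read the verification error. The script below is an added example, not Pulse Secure code; it assumes Python 3.7 or later and that the trust store of the machine running it matches the end user's, and the function names are hypothetical.

```python
import ipaddress
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes, grouped by the article's three issues.
ISSUES = {
    "Issue #1: certificate expired": {10},
    "Issue #2: untrusted CA or incomplete chain": {2, 18, 19, 20, 21},
    "Issue #3: name does not match connection URL": {62, 64},
}

def classify(verify_code):
    """Map an OpenSSL verify code to one of the article's three issues."""
    for issue, codes in ISSUES.items():
        if verify_code in codes:
            return issue
    return f"other verification failure (OpenSSL code {verify_code})"

def is_ip_literal(host):
    """True when the connection target is an IP address, not an FQDN."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def diagnose(host, port=443, timeout=10):
    """Attempt a verified TLS handshake and report why it fails.

    Assumption: this machine's trust store matches the end user's.
    OpenSSL reports only the first failure it hits, so re-run after each fix.
    """
    findings = []
    if is_ip_literal(host):
        findings.append("connecting by IP address; use the certificate's FQDN")
    ctx = ssl.create_default_context()  # checks chain, validity dates, hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                findings.append("certificate trusted")
    except ssl.SSLCertVerificationError as exc:
        findings.append(f"{classify(exc.verify_code)} ({exc.verify_message})")
    return findings

if __name__ == "__main__":
    for target in sys.argv[1:]:  # pass the PCS/PPS FQDN used in the connection set
        print(target, diagnose(target))
```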
Created By: K. Kitajima
