Re: Difficulties with network-manager-openconnect

[Michael Welsh Duggan <mwd md5i com>]

Thomas Haller <thaller redhat com> writes:

> On Mon, 2016-04-04 at 22:09 -0400, Michael Welsh Duggan wrote:
> > I'm having some difficulties using network-manager-openconnect.
> >
> > If I use openconnect directly:
> >
> >   openconnect -c cert.pfx --authgroup=[GROUP] --no-xmlpost [SERVER]
> >
> > everything works just fine.
> >
> > When I use network-manager I get the following:
> >
> >   Server requested SSL client certificate after one was provided
> >   Certificate Validation Failure
> >
> > This used to work (many months ago).  I don't know whether an update
> > of
> > nm was why things changed, or if it was a change of the VPN server at
> > work.
> >
> > I am using network-manager and network-manager-openconnect from
> > Debian
> > unstable: 
> >
> >   network-manager 0.9.10.0-1 
> >   network-manager-openconnect 0.9.8.6-1
> >
> > I'm happy to provide more debugging information if someone would tell
> > me
> > what to provide.

> When nm-openconnect starts openconnect binary, it runs as a different
> user. Make sure that that user is able to access the certificate.

And what user might that be?  NetworkManager and nm-dispatcher are
running as root, as is nm-openconnect-service.  Also, if it could not
access the certificates, I would expect a different type of error.

> For example, if you have SELinux enabled, it needs proper labels.
> Usually that means, the certificate should be in ~user/.certs
> directory. Try with SELinux permissive mode or search for audit
> warnings.

I do not have SELinux enabled.

-- 
Michael Welsh Duggan
(md5i md5i com)