
Unable to login with certificate only #602

Closed
kamushadenes opened this issue Mar 26, 2020 · 11 comments

Comments

kamushadenes commented Mar 26, 2020

Hello people,

I have seen #375 which led to #493 but I'm still unable to login to my cert-only work VPN. Version is 1.11.0 from Arch community repository (community/openfortivpn 1.11.0-1)

Connecting with the official client works as expected, the only difference is that the certificate is a p12 while with openfortivpn I converted it to PEM.

```
❯ sudo openfortivpn -v HOST:10443 --user-cert=network_cert.pem --user-key=network_key.pem  --trusted-cert XXXXXXXXXXXXXXXXXXXXX --password="" --username="CN_FIELD_ON_THE_CERTIFICATE" --ca-file=network_ca.pem
DEBUG:  openfortivpn 1.11.0
WARN:   Bad port in config file: "0".
DEBUG:  Loaded config file "/etc/openfortivpn/config".
DEBUG:  Config host = "HOST"
DEBUG:  Config realm = ""
DEBUG:  Config port = "10443"
DEBUG:  Config username = "CN_FIELD_ON_THE_CERTIFICATE"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  server_addr: XX.XX.XX.XX
DEBUG:  server_port: 10443
DEBUG:  gateway_addr: XX.XX.XX.XX
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG:  HTTP status code 405
INFO:   Closed connection to gateway.
DEBUG:  server_addr: XX.XX.XX.XX
DEBUG:  server_port: 10443
DEBUG:  gateway_addr: XX.XX.XX.XX
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Gateway certificate validation succeeded.
INFO:   Logged out.
```

I also tried a dummy password instead of a blank one and several different username variants.

For example:

CN field: net-firstname.lastname@domain.com

Username: net-firstname.lastname@domain.com
Username firstname.lastname@domain.com
Username: net-firstname.lastname
Username: firstname.lastname

But to no avail.

Any ideas?

Thanks in advance.
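The post above mentions converting a PKCS#12 bundle to PEM and then passing the certificate's CN as the username. The following shell snippet is an added example, not code from openfortivpn or from anyone in this thread: it performs that conversion with `openssl` and runs three checks a practitioner would want before blaming the VPN client for a "Could not authenticate" error: that the private key really belongs to the certificate, what the subject CN actually contains, and that the CA file verifies the client certificate. The `openssl` subcommands are real; the function names, file names and the gateway host are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the openfortivpn project or this thread).
# Converts a PKCS#12 bundle to the PEM cert/key pair openfortivpn expects and
# sanity-checks the material. Function and file names are placeholders.
set -eu

# p12_to_pem BUNDLE.p12 CERT.pem KEY.pem [PASSWORD]
# Splits the bundle into the client certificate and an unencrypted private key.
p12_to_pem() {
    bundle=$1; cert=$2; key=$3; pass=${4:-}
    openssl pkcs12 -in "$bundle" -clcerts -nokeys -passin "pass:$pass" -out "$cert"
    openssl pkcs12 -in "$bundle" -nocerts -nodes  -passin "pass:$pass" -out "$key"
    # The key is now stored unencrypted; restrict it to the owner.
    chmod 600 "$key"
}

# cert_matches_key CERT.pem KEY.pem
# Returns 0 when the public key inside the certificate equals the public key
# derived from the private key, i.e. the two files form a pair.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# cert_cn CERT.pem
# Prints the subject CN (the value the post above used for --username).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# cert_signed_by CERT.pem CA.pem
# Returns 0 when CA.pem builds a valid chain for the client certificate.
cert_signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Typical use (placeholders for the bundle name, password and gateway):
#   p12_to_pem work.p12 network_cert.pem network_key.pem "$P12_PASSWORD"
#   cert_matches_key network_cert.pem network_key.pem || echo "key/cert mismatch"
#   echo "CN: $(cert_cn network_cert.pem)"
#   cert_signed_by network_cert.pem network_ca.pem || echo "CA does not sign this cert"
#   sudo openfortivpn HOST:10443 --user-cert=network_cert.pem \
#        --user-key=network_key.pem --ca-file=network_ca.pem --username="" --password=""
```

With OpenSSL 3, bundles exported by older FortiClient/Windows tooling may use legacy RC2 encryption and need `-legacy` added to both `openssl pkcs12` calls; `-nodes` is a still-accepted alias for `-noenc` there. A mismatch reported by `cert_matches_key` or `cert_signed_by` points at the key material, whereas a clean pass with HTTP status 405 (as in the log above) points at the client or gateway side.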

DimitriPapadopoulos (Collaborator) commented Mar 26, 2020

> Connecting with the official client works as expected, the only difference is that the certificate is a p12 while with openfortivpn I converted it to PEM.

Just to make sure, on which operating system does the official client work? Windows or Linux? I'm asking because on Windows FortiClient is often configured to use IPSec while on Linux it is limited to SSL.

kamushadenes (Author) commented

Linux, the AUR one

mrbaseman (Collaborator) commented Mar 26, 2020

Try with empty user name and empty password:

```
sudo openfortivpn HOST:PORT --username="" --password="" ...
```

kamushadenes (Author) commented

```
DEBUG: openfortivpn 1.11.0
WARN: Bad port in config file: "0".
DEBUG: Loaded config file "/etc/openfortivpn/config".
ERROR: Specify an username.
```

DimitriPapadopoulos (Collaborator) commented

@kamushadenes Can you (temporarily) get /etc/openfortivpn/config out of the way, again just to make sure?

```
sudo mv /etc/openfortivpn/config /etc/openfortivpn/config.bak
```

mrbaseman (Collaborator) commented

Hmm... and the `ERROR: Specify an username.` should not appear since 1.11.0 if a user certificate (and key) is supplied (sorry, this was what I wanted to denote with the dots `...` in my post above).

kamushadenes (Author) commented

@DimitriPapadopoulos same behaviour.

kamushadenes (Author) commented Mar 26, 2020

I compiled 1.13.2 using the official PKGBUILD for 1.11.0 and it worked, guess it's a bug on the release?

Now I need to convince NetworkManager to accept an empty username in its plugin.

Can I close this or would you like to take a look at the release tar.gz?

mrbaseman (Collaborator) commented

> I compiled 1.13.2 using the official PKGBUILD for 1.11.0 and it worked, guess it's a bug on the release?

Ah, this could be #496, which was fixed in 1.12.0.

kamushadenes (Author) commented

Can confirm it works with 1.12.0, closing this issue.

Thank you for your time.
