GlobalProtect-openconnect
Certificate from VPN server "domain.com" failed verification
Hi yuezk,
I tried to install your app via the AUR on Arch Linux. It looks like I am hitting an error, shown below, and the GUI is still connecting. Do you have any suggestions for me?
Thank you so much.
➜ ~ gpclient
2021-04-30 21:08:16.741 INFO [107907] [main@22] GlobalProtect started, version: v1.2.8
Warning: Ignoring XDG_SESSION_TYPE=wayland on Gnome. Use QT_QPA_PLATFORM=wayland to run on Wayland anyway.
2021-04-30 21:08:16.882 INFO [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:21.936 INFO [107907] [GPClient::doConnect@205] Start connecting...
2021-04-30 21:08:21.936 INFO [107907] [GPClient::doConnect@221] Start gateway login using the previously saved gateway...
2021-04-30 21:08:21.936 INFO [107907] [GPClient::gatewayLogin@316] Performing gateway login...
2021-04-30 21:08:21.946 INFO [107907] [GatewayAuthenticator::authenticate@26] Start gateway authentication...
2021-04-30 21:08:21.946 INFO [107907] [GatewayAuthenticator::login@38] Trying to login the gateway at https://domain.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&computer=archlinux&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&prelogin-cookie=&ipv6-support=yes&user=&passwd=&portal-userauthcookie=
2021-04-30 21:08:21.953 INFO [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:22.252 ERROR [107907] [GatewayAuthenticator::onLoginFinished@49] Failed to login the gateway at https://domain.com/ssl-vpn/login.esp, Error transferring https://domain.com/ssl-vpn/login.esp - server replied: Custom error
2021-04-30 21:08:22.252 INFO [107907] [GatewayAuthenticator::doAuth@70] Perform the gateway prelogin at https://domain.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-04-30 21:08:22.306 INFO [107907] [GatewayAuthenticator::onPreloginFinished@87] Gateway prelogin succeeded.
2021-04-30 21:08:22.306 INFO [107907] [PreloginResponse::parse@26] Start parsing the prelogin response...
2021-04-30 21:08:22.306 INFO [107907] [GatewayAuthenticator::samlAuth@145] Trying to perform SAML login with saml-method POST
DevTools listening on ws://127.0.0.1:12315/devtools/browser/1eefecdc-97b0-4c30-b482-70ae4a11d9bf
Remote debugging server started successfully. Try pointing a Chromium-based browser to http://127.0.0.1:12315
2021-04-30 21:08:22.548 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from data:text/html;charset=UTF-8,%3Chtml%3E%0A%3Cbody%3E%0A%3Cform%20id%3D%22myform%22%20method%3D%22POST%22%20action%3D%22https%3A%2F%2Fampere.okta.com%2Fapp%2Fpanw_globalprotect%2Fexk1bxl9ruNWn42ag2p7%2Fsso%2Fsaml%22%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22SAMLRequest%22%20value%3D%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%3D%22%20%2F%3E%0A%3Cinput%20type%3D%22hidden%22%20name%3D%22RelayState%22%20value%3D%22X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D%22%20%2F%3E%0A%3C%2Fform%3E%0A%3Cscript%3E%0A%20%20document.getElementById%28%27myform%27%29.submit%28%29%3B%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0D%0A
2021-04-30 21:08:22.566 INFO [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://domain.com/ssl-vpn/prelogin.esp?tmp=tmp&kerberos-support=yes&ipv6-support=yes&clientVer=4100&clientos=Linux
2021-04-30 21:08:22.596 INFO [107907] [GPClient::populateGatewayMenu@100] Populating the Switch Gateway menu...
2021-04-30 21:08:23.543 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml
2021-04-30 21:08:23.801 INFO [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml
2021-04-30 21:08:23.819 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2021-04-30 21:08:31.839 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=QUwHQ2ouIq4e7L1iVWc_Fvg24w0eaL59dxdQ8tDYpjM
2021-04-30 21:08:31.971 INFO [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/login/login.htm?fromURI=/oauth2/v1/authorize/redirect?okta_key=QUwHQ2ouIq4e7L1iVWc_Fvg24w0eaL59dxdQ8tDYpjM
2021-04-30 21:08:31.988 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://login.okta.com/discovery/iframe.html
2021-04-30 21:08:40.747 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/auth/services/devicefingerprint
2021-04-30 21:08:45.963 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml?RelayState=X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D&SAMLRequest=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%3D&OKTA_INVALID_SESSION_REPOST=true&fromLoginToken=Tui3dPrA1JBfU3CEqq1byKshmyixe_54moJy-84R7K1bw0QzfxNIsyCBl2t6BZfoBAv5-K1SiyM5GTMsvVrjq7ZusdYDHgx2WPva3hgzPVJCjIeGi_Us5dPLdptQTaLqIO-9-JIpyoBiiBX4rgOXQnJvLkGY0_aFcB8UYd2jPGxRJBMyewKWgzy2_hVUazcq3Rbz28oC7ZQ_Tl82yGUJcGOyyudZdlYP5OhIwni6HNMQoDvDOoBc5wPMRmehr1J7tWPtciJ6lkSV8vNk-622-Qj9DIhY2lYmuU7a7E6c19EYlOhC67V7_ZQ1x9ZtOtrZnJeHbVMAdBH_V8EyLoKlNA&fromLogin=true
2021-04-30 21:08:46.018 INFO [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://ampere.okta.com/app/panw_globalprotect/exk1bxl9ruNWn42ag2p7/sso/saml?RelayState=X7KEMwAA5Rk0NGQ2MjY2MTljZWRjYzMxZjM0NmMxODk0ODg1ZTY1Nw%3D%3D&SAMLRequest=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%3D&OKTA_INVALID_SESSION_REPOST=true&fromLoginToken=Tui3dPrA1JBfU3CEqq1byKshmyixe_54moJy-84R7K1bw0QzfxNIsyCBl2t6BZfoBAv5-K1SiyM5GTMsvVrjq7ZusdYDHgx2WPva3hgzPVJCjIeGi_Us5dPLdptQTaLqIO-9-JIpyoBiiBX4rgOXQnJvLkGY0_aFcB8UYd2jPGxRJBMyewKWgzy2_hVUazcq3Rbz28oC7ZQ_Tl82yGUJcGOyyudZdlYP5OhIwni6HNMQoDvDOoBc5wPMRmehr1J7tWPtciJ6lkSV8vNk-622-Qj9DIhY2lYmuU7a7E6c19EYlOhC67V7_ZQ1x9ZtOtrZnJeHbVMAdBH_V8EyLoKlNA&fromLogin=true
2021-04-30 21:08:46.249 INFO [107907] [SAMLLoginWindow::onResponseReceived@64] Response received from https://domain.com/SAML20/SP/ACS
2021-04-30 21:08:46.249 INFO [107907] [SAMLLoginWindow::onResponseReceived@67] Got username from SAML response headers [email protected]
2021-04-30 21:08:46.249 INFO [107907] [SAMLLoginWindow::onResponseReceived@72] Got prelogin-cookie from SAML response headers 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj
2021-04-30 21:08:46.249 INFO [107907] [SAMLLoginWindow::onResponseReceived@84] Got the SAML authentication information successfully. username: [email protected], preloginCookie: 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj, userAuthCookie:
2021-04-30 21:08:46.249 INFO [107907] [GatewayAuthenticator::onSAMLLoginSuccess@159] SAML login succeeded, got the prelogin-cookie 7VLebqohAbwpiC/d8LXKQ5ZbcT5aSEwBfVfS6CQT/Dfvh/37td4QXMXlcH2H+eVj
2021-04-30 21:08:46.249 INFO [107907] [GatewayAuthenticator::login@38] Trying to login the gateway at https://domain.com/ssl-vpn/login.esp with prot=https%3A&server=&inputSrc=&jnlpReady=jnlpReady&passwd=&computer=archlinux&ok=Login&direct=yes&clientVer=4100&os-version=Arch Linux&clientos=Linux&portal-prelogonuserauthcookie=&ipv6-support=yes&user=user%40amperecomputing.com&prelogin-cookie=7VLebqohAbwpiC%2Fd8LXKQ5ZbcT5aSEwBfVfS6CQT%2FDfvh%2F37td4QXMXlcH2H%2BeVj&portal-userauthcookie=
2021-04-30 21:08:46.262 INFO [107907] [SAMLLoginWindow::onLoadFinished@98] Load finished https://domain.com/SAML20/SP/ACS
2021-04-30 21:08:46.568 INFO [107907] [gpclient::helper::parseGatewayResponse@50] Start parsing the gateway response...
2021-04-30 21:08:46.568 INFO [107907] [gpclient::helper::parseGatewayResponse@51] The gateway response is: <?xml version="1.0" encoding="utf-8"?><jnlp><application-desc><argument>(null)</argument><argument>b7d318507e558f08fbfc57f64d29fb31</argument><argument>60fcc526263bf76ebcaa5e44853be0880054aa50</argument><argument>AMPERE-GP-GATEWAY-N</argument><argument>[email protected]</argument><argument>OKTA-SAML-AUTH</argument><argument>vsys1</argument><argument>%28empty_domain%29</argument><argument>(null)</argument><argument></argument><argument></argument><argument></argument><argument>tunnel</argument><argument>-1</argument><argument>4100</argument><argument></argument><argument>GLmRKlUXLCPtfZ4JNr0nKyxZX7Winfenli2kV3FkSPaPC5auGXY+g2ggevZr/kD1NqafK6vHrZyPzlhaNRt0SqxL/5YavDqD9oI9zRjPGnXhM/jjE30EUr6g+HrUmPOwu/aMu7yKmDXas0uWnyzrny7GEgCkxFDKYwiIzm4plcPXP6TJrMCiOanSOu0YDzvgWTnyKaT7VkXe49OxkOQ72LAj8D6JscPrRktjTRYc23g09RF6Pgf/Phb9jAApyrFYz4Me29z5erqbkNLIpbPUDIkgcIGqhN31/UevAzPvl1ghthR/eYlWAYbwG+Vv8f3sj2ajaDlXzUyED4D+cbL96w==</argument><argument>nCbwhcE2l1YKs2LQ1YyhgnMImoSy1toM0bX9gFhgdOhMmdGhBe75Bh66FKistKS8Rjy8qNQREGKraa4lfJYCt2dx87Qi7xY3lID21239WbPgkrKMkdAv0zR7GNbcBotoDtKPfv3f0VM2HEJcpvoInz9bpskuTdQnQLKMXFW7GBXKGs5F8tlDQbKyD97H6W6oGBd7Ey5mbVDH/ks40rlf1pDNVXOY9AL2cSa8qH1+lbJpOE5ZlQQBpLNqms37YJXg8k2qYOx/cgw1avVT2iS/C8cAaGyskl/BvkrmrBEfgDJD/rChqYPVxKu1pHN/kHfMUDvD45Q6jL799Zv0zIOSjQ==</argument><argument></argument><argument>4</argument><argument>unknown</argument><argument></argument></application-desc></jnlp>
2021-04-30 21:08:46.568 INFO [107907] [GPClient::onGatewaySuccess@330] Gateway login succeeded, got the cookie authcookie=b7d318507e558f08fbfc57f64d29fb31&portal=AMPERE-GP-GATEWAY-N&user=user%40amperecomputing.com&domain=%2528empty_domain%2529&preferred-ip=&computer=archlinux
2021-04-30 21:08:46.578 INFO [107907] [GPClient::onVPNLogAvailable@440] Openconnect started successfully, PID=107979
2021-04-30 21:08:46.593 INFO [107907] [GPClient::onVPNLogAvailable@440] POST https://domain.com/ssl-vpn/getconfig.esp
2021-04-30 21:08:46.613 INFO [107907] [GPClient::onVPNLogAvailable@440] Connected to 118.222.222.222:443
2021-04-30 21:08:46.655 INFO [107907] [GPClient::onVPNLogAvailable@440] SSL negotiation with domain.com
2021-04-30 21:08:46.666 INFO [107907] [GPClient::onVPNLogAvailable@440] Server certificate verify failed: signer not found
2021-04-30 21:08:46.666 INFO [107907] [GPClient::onVPNLogAvailable@440]
Certificate from VPN server "domain.com" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
--servercert pin-sha256:6Fgnj5yL0P2eRa6h0l22NE4RmadyuojpJGXWadVYqxI=
Enter 'yes' to accept, 'no' to abort; anything else to view:
yes
~~Yep, I'm getting the same issue now. Do you happen to be using a Palo Alto firewall? I suspect something must have changed on their end that breaks this.~~
Scratch that, check out #21 if you're still having this issue. Fixed it for me and I suspect it would solve your issue as well. I wish there was a way to set a different set of arguments for every connection profile/server, but that doesn't seem very simple to create. Anywho, #21 really ought to be pinned or something since just about everyone is probably going to start running into this issue.
Pinned and I will try to add a GUI configuration to pass custom arguments easily.
No longer a problem in the latest 2.x release, closing.
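Before answering `yes` to the prompt in the log, the pin openconnect prints can be checked against a copy of the gateway certificate obtained through a trusted channel. The following is an added example, not code from this thread or from the GlobalProtect-openconnect project: it computes the `pin-sha256:` value (the RFC 7469 key pin, base64 of SHA-256 over the DER SubjectPublicKeyInfo) and compares it with the printed one. All function names and the sample certificate are hypothetical and constructed for illustration.

```python
import base64, hashlib, hmac

def read_tlv(buf, pos):
    """Return (tag, content_start, end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_from_cert(cert):
    """Return the SubjectPublicKeyInfo element (header included) of a DER certificate."""
    _, tbs_pos, _ = read_tlv(cert, 0)          # Certificate SEQUENCE
    _, pos, tbs_end = read_tlv(cert, tbs_pos)  # tbsCertificate SEQUENCE
    tag, _, after = read_tlv(cert, pos)
    if tag == 0xA0:                            # optional explicit [0] version
        pos = after
    for _ in range(5):                         # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    tag, _, end = read_tlv(cert, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("SubjectPublicKeyInfo not found")
    return cert[pos:end]

def pin_sha256(cert):
    """RFC 7469 key pin in the form openconnect prints."""
    digest = hashlib.sha256(spki_from_cert(cert)).digest()
    return "pin-sha256:" + base64.b64encode(digest).decode()

def matches_pin(cert, printed_pin):
    """Constant-time comparison of the computed pin with the one from the prompt."""
    return hmac.compare_digest(pin_sha256(cert).encode(), printed_pin.strip().encode())

def tlv(tag, *parts):
    """DER-encode one element; used only to build the constructed sample below."""
    body = b"".join(parts)
    size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    head = bytes([len(body)]) if len(body) < 0x80 else bytes([0x80 | len(size)]) + size
    return bytes([tag]) + head + body

# Constructed sample: a certificate-shaped skeleton with placeholder key bytes,
# not a real certificate and not the server from the log above.
SAMPLE_SPKI = tlv(0x30, tlv(0x30, tlv(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")),
                  tlv(0x03, b"\x00" + bytes(range(200))))
SAMPLE_TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
                 tlv(0x30), tlv(0x30), tlv(0x30), tlv(0x30), SAMPLE_SPKI)
SAMPLE_CERT = tlv(0x30, SAMPLE_TBS, tlv(0x30), tlv(0x03, b"\x00"))
```

For a real check, convert a PEM copy of the gateway certificate supplied by the VPN administrator with `ssl.PEM_cert_to_DER_cert()` and pass the result to `matches_pin()` together with the pin from the prompt.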