AnyConnect with LetsEncrypt certificate: No certificate validated for the client

SwordOfLord
Level 1

Hello, dear Community!

 

My setup is C2921 router with WebVPN and AnyConnect clients from iPhones.

IOS version is 15.7(3)M

 

I have followed the article https://blog.dchidell.com/2017/04/12/cisco-ios-ssl-webvpn-with-letsencrypt/ to install a LetsEncrypt certificate on the router (everything went well), then I issued the command:

acme.sh --toPkcs -d vpn.mydomain

to convert the certificate so it would be iPhone-compatible, and successfully installed the .pfx certificate in the AnyConnect client.

 

Nevertheless, I can't connect with certificate-based authentication and get this error:

Client: Invalid or non-existent certificate (although it's shown as valid and chosen manually)

Router: WV: Error: No certificate validated for the client

 

More detailed debug output:

000670: Jul 24 18:36:56: WV: http request: / with no cookie
000671: Jul 24 18:36:56: WV: validated_tp :  cert_username :  matched_ctx :
000672: Jul 24 18:36:56: WV: Received appinfo
validated_tp : , matched_ctx : ,cert_username :
000673: Jul 24 18:36:56: WV: Error: No certificate validated for the client
000674: Jul 24 18:36:56: WV: Client side Chunk data written..
 buffer=0x2566CB30 total_len=411 bytes=411 tcb=0x267F3F0C
000675: Jul 24 18:36:56: WV: sslvpn process rcvd context queue event

 

Here is my WebVPN config:

 

webvpn gateway Cisco-WebVPN-Gateway
 ip address x.x.x.x port 443  
 ssl encryption aes256-sha1
 ssl trustpoint CA_LETSENCRYPT
 inservice
 dtls port 3000
 !
webvpn context Cisco-WebVPN
 title "WebVPN - Powered By Cisco"
 !
 acl "ssl-acl"
   permit ip any any
 login-message "Cisco Secure WebVPN"
 gateway Cisco-WebVPN-Gateway
 max-users 20
 authentication certificate
 ca trustpoint CA_LETSENCRYPT
 !
 ssl authenticate verify all
 !
 url-list "rewrite"
 inservice
 !
 policy group webvpnpolicy
   functions svc-enabled
   functions svc-required
   filter tunnel ssl-acl
   svc address-pool "webvpn-pool" netmask 255.255.252.0
   svc default-domain "vpn.mydomain"
   svc rekey method new-tunnel
   svc split include a.b.c.d 255.255.252.0
   svc dns-server primary 8.8.8.8
   svc dns-server secondary 8.8.4.4
 default-group-policy webvpnpolicy
!

Searching the forums didn't solve my problem.

 

Any help would be appreciated. Thanks!

 

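Added example (not code from the original post, from Cisco or from acme.sh): a POSIX shell script that runs, with the OpenSSL CLI, the two checks a gateway configured with "authentication certificate" and "ca trustpoint" applies to the certificate a client presents: that it chains to the CA held in the trustpoint, and that it is permitted for TLS client authentication. The CA, the user name "user1", the host name "vpn.example.test" and all file names are constructed placeholders generated on the fly; none of them come from the post.

```shell
#!/bin/sh
# Added example, not code from the original post, Cisco or acme.sh.
# Pre-flight checks on the certificate an AnyConnect client will present to a
# WebVPN gateway running "authentication certificate" with "ca trustpoint <name>":
# the gateway accepts the client certificate only if it chains to the CA held in
# that trustpoint, and the certificate must be usable for TLS client
# authentication. Both are checked locally with the OpenSSL CLI.
# Everything below (CA, users, host name, file names) is constructed on the fly
# in a temporary directory; none of it comes from the post.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the script does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Throwaway CA standing in for the CA certificate loaded into the router trustpoint.
openssl req -x509 -config "$WORK/req.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 1 -subj "/CN=Example Client CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# issue_leaf <basename> <subject CN> <extendedKeyUsage value>
# Issues a certificate from the throwaway CA carrying the given EKU.
issue_leaf() {
  printf 'extendedKeyUsage = %s\n' "$3" > "$WORK/$1.ext"
  openssl req -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# A genuine client certificate, and a server-style certificate (serverAuth only),
# which is the shape a web-server certificate converted to .pfx usually has.
issue_leaf user1  "user1"            clientAuth
issue_leaf server "vpn.example.test" serverAuth

# chains_to_ca <cert.pem> <ca.pem>: exit 0 if the certificate verifies against the CA.
chains_to_ca() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# has_client_auth_eku <cert.pem>: exit 0 if the EKU lists TLS Web Client Authentication.
has_client_auth_eku() {
  openssl x509 -in "$1" -noout -text | grep -q "TLS Web Client Authentication"
}

# client_cert_ok <cert.pem> <ca.pem>: prints the verdict; exit 0 for OK, 1 for REJECT.
client_cert_ok() {
  subject=$(openssl x509 -in "$1" -noout -subject)
  if chains_to_ca "$1" "$2" && has_client_auth_eku "$1"; then
    echo "OK: $subject"
    return 0
  fi
  echo "REJECT: $subject"
  return 1
}

client_cert_ok "$WORK/user1.pem"  "$WORK/ca.pem"
client_cert_ok "$WORK/server.pem" "$WORK/ca.pem" || true
```

To run the same checks on a real client certificate, extract it from the .pfx with "openssl pkcs12 -in client.pfx -clcerts -nokeys -out client.pem" and call client_cert_ok with that file and the CA certificate that the router trustpoint holds. Note that when the trustpoint holds a public CA, passing these checks only proves possession of some certificate from that CA; which subjects are actually allowed to connect still has to be restricted on the gateway (a certificate map or a username binding), otherwise any certificate from that CA would be accepted.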