Discussion:
Spinning in "Refreshing wait.html after 1 second" Loop (CSD Verification)
Neil E. Hodges
2018-10-03 11:18:55 UTC
Hello,

I've been trying to connect to my workplace's VPN for the first time all
morning and haven't had much luck: it just spins in "refreshing
...wait.html after 1 second" indefinitely. Here's the script I've put
exec sudo openconnect \
--user <USERNAME> \
--cert-expire-warning 15 \
--servercert '<CERTKEY>' \
--os win \
--csd-user <USERNAME> \
--csd-wrapper '/usr/local/bin/csd-wrapper.sh' \
https://<HOSTNAME>
The --servercert argument is what openconnect told me to set it as after
the first time, and csd-wrapper.sh has been updated with the
CSD_HOSTNAME=<HOSTNAME>. The log output is at the bottom of this
message.

I've heard folks saying that if the VPN admins disable Linux support, a
different certificate is needed, and that they grabbed the certificate
from a Windows box via JailBreak. I have JailBreak installed and a
Windows box that has connected to the same VPN host, but I have no idea
what to look for in the certificate store. Does this seem like it might
help? If so, where in the certificate store should I look, and what
should I look for with respect to the certificate name? If not, what
else should I try?

Here's the version info. It's on a Debian 9.5 system that was just set
up a few days ago.
OpenConnect version v7.08
Using GnuTLS. Features present: PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS
Thank you,

- Neil
POST https://<HOSTNAME>/
Connected to <SERVER_IP>:443
SSL negotiation with <HOSTNAME>
Server certificate verify failed: signer not found
Connected to HTTPS on <HOSTNAME>
XML POST enabled
GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
--2018-10-03 04:07:56-- https://<HOSTNAME>/CACHE/sdesktop/hostscan/linux_x64/manifest
Resolving <HOSTNAME> (<HOSTNAME>)... <SERVER_IP>
Connecting to <HOSTNAME> (<HOSTNAME>)|<SERVER_IP>|:443... Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
connected.
WARNING: The certificate of ‘<HOSTNAME>’ is not trusted.
WARNING: The certificate of ‘<HOSTNAME>’ hasn't got a known issuer.
HTTP request sent, awaiting response... 200 OK
The file is already fully retrieved; nothing to do.
Got 6 files in manifes, locally found 6
/home/<USERNAME>/.cisco/hostscan/bin/cscan: OK
/home/<USERNAME>/.cisco/hostscan/bin/cstub: OK
/home/<USERNAME>/.cisco/hostscan/lib/libcsd.so: OK
/home/<USERNAME>/.cisco/hostscan/lib/libhostscan.so: OK
/home/<USERNAME>/.cisco/hostscan/lib/libinspector.so: OK
/home/<USERNAME>/.cisco/hostscan/lib/tables.dat: OK
Launching: /home/<USERNAME>/.cisco/hostscan/bin/cstub -log error -ticket "<TICKET>" -stub "0" -group "" -host "https://<HOSTNAME>/CACHE" -certhash "<CERTHASH>"
No value set for `/system/proxy/secure_host'
No value set for `/system/http_proxy/host'
GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
SSL negotiation with <HOSTNAME>
Server certificate verify failed: signer not found
Connected to HTTPS on <HOSTNAME>
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
Neil E. Hodges
2018-10-08 11:38:26 UTC
+ sh connect.sh
POST https://<HOSTNAME>/
Attempting to connect to server <ADDRESS>:<PORT>
Connected to <ADDRESS>:<PORT>
SSL negotiation with <HOSTNAME>
Server certificate verify failed: signer not found
Connected to HTTPS on <HOSTNAME>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Keep-Alive
Date: Mon, 08 Oct 2018 11:33:07 GMT
X-Frame-Options: SAMEORIGIN
X-Aggregate-Auth: 1
HTTP body chunked (-2)
XML POST enabled
GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
--2018-10-08 04:33:07-- https://<HOSTNAME>/CACHE/sdesktop/hostscan/linux_x64/manifest
Resolving <HOSTNAME> (<HOSTNAME>)... Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 08 Oct 2018 11:33:07 GMT
X-Frame-Options: SAMEORIGIN
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
<ADDRESS>
Connecting to <HOSTNAME> (<HOSTNAME>)|<ADDRESS>|:<PORT>... connected.
WARNING: The certificate of ‘<HOSTNAME>’ is not trusted.
WARNING: The certificate of ‘<HOSTNAME>’ hasn't got a known issuer.
HTTP request sent, awaiting response... 200 OK
The file is already fully retrieved; nothing to do.
Got 6 files in manifes, locally found 6
/home/<USER>/.cisco/hostscan/bin/cscan: OK
/home/<USER>/.cisco/hostscan/bin/cstub: OK
/home/<USER>/.cisco/hostscan/lib/libcsd.so: OK
/home/<USER>/.cisco/hostscan/lib/libhostscan.so: OK
/home/<USER>/.cisco/hostscan/lib/libinspector.so: OK
/home/<USER>/.cisco/hostscan/lib/tables.dat: OK
Launching: /home/<USER>/.cisco/hostscan/bin/cstub -log error -ticket "<TICKET>" -stub "0" -group "" -host "https://<HOSTNAME>/CACHE" -certhash "<CERTHASH>:"
No value set for `/system/proxy/secure_host'
No value set for `/system/http_proxy/host'
GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
SSL negotiation with <HOSTNAME>
Server certificate verify failed: signer not found
Connected to HTTPS on <HOSTNAME>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 08 Oct 2018 11:33:09 GMT
X-Frame-Options: SAMEORIGIN
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
SSL negotiation with <HOSTNAME>
Server certificate verify failed: signer not found
Connected to HTTPS on <HOSTNAME>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 08 Oct 2018 11:33:10 GMT
X-Frame-Options: SAMEORIGIN
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
SSL negotiation with <HOSTNAME>
Server certificate verify failed: signer not found
Connected to HTTPS on <HOSTNAME>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 08 Oct 2018 11:33:11 GMT
X-Frame-Options: SAMEORIGIN
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://<HOSTNAME>/+CSCOE+/sdesktop/wait.html
SSL negotiation with <HOSTNAME>
Server certificate verify failed: signer not found
Connected to HTTPS on <HOSTNAME>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Cache-Control: no-cache
Pragma: no-cache
Connection: Close
Date: Mon, 08 Oct 2018 11:33:12 GMT
X-Frame-Options: SAMEORIGIN
HTTP body chunked (-2)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
Neil E. Hodges
2018-10-16 01:30:10 UTC
I think the trouble has something to do with cstub. Here's the full
log: https://ptpb.pw/7vvE
[Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1797 Level: trace :: pre-verify(0)
[Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1886 Level: trace :: CurrentDepth(1) Certificate CN(cdca) IssuerCN(<ROOT_CA>)
[Mon Oct 15 18:22:11.449 2018][cstub]Function: in_memory_cert_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 1888 Level: error :: verify_rc(0) as Error is occurred at CurrentDepth(1). errcode(20) errval(unable to get local issuer certificate)
[Mon Oct 15 18:22:11.449 2018][cstub]Function: setup_in_memory_verification_and_verify Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 2014 Level: error :: Failed to validate Server(<HOSTNAME>) certificates, verify_rc(0)
[Mon Oct 15 18:22:11.449 2018][cstub]Function: hostscan_ssl_verify_callback Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 2150 Level: debug :: Server verification result(Fail)
[Mon Oct 15 18:22:11.449 2018][cstub]Function: hs_transport_curl_get Thread Id: 0x7F7E580 File: hs_transport_curl.c Line: 3472 Level: debug :: libcurl error: Error
[Mon Oct 15 18:22:11.449 2018][cstub]Function: hs_transport_get Thread Id: 0x7F7E580 File: hs_transport.c Line: 1456 Level: trace :: sending get request failed
[Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_download_file_s Thread Id: 0x7F7E580 File: hs_download.c Line: 515 Level: error :: unable to contact peer: (https://<HOSTNAME>).
[Mon Oct 15 18:22:11.450 2018][cstub]Function: update_file Thread Id: 0x7F7E580 File: update.c Line: 296 Level: error :: unable to download to library: /home/<USER>/.cisco/hostscan/lib/libcsd.so
[Mon Oct 15 18:22:11.450 2018][cstub]Function: update_library Thread Id: 0x7F7E580 File: update.c Line: 375 Level: warn :: unable to update library: libcsd.so
[Mon Oct 15 18:22:11.450 2018][cstub]Function: verify_libcsd Thread Id: 0x7F7E580 File: main.c Line: 470 Level: error :: unable to locate libcsd.
[Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_cache_reset Thread Id: 0x7F7E580 File: hs_cache.c Line: 56 Level: debug :: Resetting cache for '0'
[Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_transport_free Thread Id: 0x7F7E580 File: hs_transport.c Line: 595 Level: trace :: de-initialization
[Mon Oct 15 18:22:11.450 2018][cstub]Function: hs_transport_free Thread Id: 0x7F7E580 File: hs_transport.c Line: 639 Level: trace :: de-initialization done
[Mon Oct 15 18:22:11.450 2018][cstub]Function: halt Thread Id: 0x7F7E580 File: main.c Line: 303 Level: info :: goodbye (-12)
I have <ROOT_CA> installed locally and can do a wget/curl on the VPN
host without issue, so why is cstub failing to verify the host?

- Neil
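Added worked example (not from this thread, OpenConnect or Cisco) covering both the first post's "Server certificate verify failed: signer not found" and the cstub trace above. The thread's logs show three separate verifiers looking at the same server: openconnect (GnuTLS) logs the failure but continues because the `--servercert` pin matched; the wrapper's wget warns and continues; cstub does its own verification through libcurl (hs_transport_curl.c) and treats the failure as fatal (verify_rc(0), goodbye (-12)). The pin is a hash of the leaf certificate alone, so it never reaches cstub's verifier. errcode(20) in the cstub trace is OpenSSL's X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the issuer of the certificate at the reported depth was not found in the verifier's trusted store. Depth 1 with Certificate CN(cdca) IssuerCN(<ROOT_CA>) therefore means the intermediate was present and it is the root that the store cstub consults does not contain. The script below builds a throwaway chain (root, intermediate named cdca, leaf) plus an unrelated root, then reproduces error 20 at depth 0 (intermediate not served) and at depth 1 (root not trusted), and prints a leaf fingerprint to show what a pin does and does not cover. It only needs the `openssl` CLI; all names are invented for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenConnect/Cisco.
# Builds root -> intermediate (cdca) -> leaf with openssl and shows how
# OpenSSL verify error 20 (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)
# arises at depth 0 and at depth 1. Names are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# q: run a command silently; with set -e a failing openssl still aborts.
# Drop the "q" in front of a command to see openssl's own output.
q() { "$@" >/dev/null 2>&1; }

# make_chain: "Example Root CA" signs intermediate "cdca", which signs the
# leaf vpn.example.test. "Unrelated Root CA" stands in for a trust store
# that does not contain the real root.
make_chain() (
  cd "$WORK"
  q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=Example Root CA" -keyout root.key -out root.crt
  q openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
      -subj "/CN=Unrelated Root CA" -keyout other.key -out other.crt
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=cdca" \
      -keyout inter.key -out inter.csr
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  q openssl x509 -req -sha256 -days 365 -in inter.csr -CA root.crt -CAkey root.key \
      -CAcreateserial -extfile inter.ext -out inter.crt
  q openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
      -keyout leaf.key -out leaf.csr
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:vpn.example.test\n' > leaf.ext
  q openssl x509 -req -sha256 -days 365 -in leaf.csr -CA inter.crt -CAkey inter.key \
      -CAcreateserial -extfile leaf.ext -out leaf.crt
)

# verify_leaf TRUSTED [SERVED]: verify leaf.crt against a trust-store file,
# optionally with SERVED as the extra (untrusted) certificate a server would
# send alongside the leaf. Prints "OK" or "<errno>@depth<N>" parsed from
# openssl's "error N at D depth lookup: ..." diagnostic.
verify_leaf() {
  trusted="$1"; served="${2:-}"
  if [ -n "$served" ]; then
    out="$(openssl verify -CAfile "$trusted" -untrusted "$served" "$WORK/leaf.crt" 2>&1 || true)"
  else
    out="$(openssl verify -CAfile "$trusted" "$WORK/leaf.crt" 2>&1 || true)"
  fi
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" \
         | sed -n 's/.*error \([0-9][0-9]*\) at \([0-9][0-9]*\) depth lookup.*/\1@depth\2/p' \
         | head -n 1 ;;
  esac
}

# leaf_fingerprint DIGEST: lowercase hex fingerprint of the leaf only (sha1,
# sha256, ...). A --servercert pin carries a value of this kind: it identifies
# the leaf and says nothing about whether another verifier can build its chain.
leaf_fingerprint() {
  openssl x509 -in "$WORK/leaf.crt" -noout -fingerprint "-$1" \
    | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

make_chain
echo "leaf sha1 fingerprint:                   $(leaf_fingerprint sha1)"
echo "root trusted, intermediate served:       $(verify_leaf "$WORK/root.crt" "$WORK/inter.crt")"
echo "root trusted, intermediate NOT served:   $(verify_leaf "$WORK/root.crt")"
echo "root NOT trusted, intermediate served:   $(verify_leaf "$WORK/other.crt" "$WORK/inter.crt")"
```

The last three lines print OK, 20@depth0 and 20@depth1. The cstub trace in the post above matches the third case, not the second: the certificate at depth 1 is the intermediate and the lookup that fails is for its issuer. To check the real VPN host the same way, dump what it actually sends with `openssl s_client -connect HOST:443 -showcerts` and feed the leaf and any extra certificates to `openssl verify` with the CA bundle the failing component is believed to use.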