Certificate problem using SSL VPN together with MacOS version 11.1 and up

Last modified on 2 Feb, 2021. Revision 5
Clients are running into a certificate issue when trying to access SSL VPN from MacOS "Big Sur" version (11.1).

Up to date for: cOS Core all versions; MacOS version 11.1 and up
Status: OK

Author:
Musab Osman

Problem symptom

  • When trying to access firewall from Safari we get the error message "NSURLErrorDomain:-1202"
  • When trying to access VPN from OnConnect we encounter a Certificate trust error "Server certificate could not be validated. Try adding the certificate to keychain"

Solution

Big Sur requires the server certificate to carry a Subject Alternative Name (DNS name). A self-signed certificate that meets this requirement can be created with the following steps:

  1. Access the firewall WebUI using Chrome or Firefox. If the browser blocks the page because of a certificate problem, type "thisisunsafe" blindly and press Enter; if the text was typed correctly, the login page appears.
    1. "Blindly" means: click anywhere on the warning page and type "thisisunsafe" on the keyboard. The typed text is not shown on screen; press Enter when done (it is a hidden browser command).
  2. After logging in, go to Objects → GENERAL → Key Ring and click Add Certificate, then click Configure under General Certificate. Change the certificate type to Self-signed, enter a proper subject name and a subject alternative name such as "*.clavister.com", and change the public key type from EC to RSA. Optionally, the certificate validity period can be increased. When done, click Generate.
  3. Configure the firewall to use the new certificate for WebUI login and the SSL VPN connection as follows:
    1. Go to System → Remote Management → Advanced Settings. Under WebUI → HTTPS Certificate, change the certificate to the new self-signed certificate that was created.
    2. Deploy the configuration change.
    3. From the MacOS device where the SSL VPN client is installed, access the firewall over HTTPS using Safari instead of Chrome or Firefox. Safari shows "This connection is not private"; click Show Details and then Visit this website, and the certificate is added to the login keychain certificates automatically.
  4. Start the client and log in with SSL VPN towards the firewall.

Note: It is not possible to access the firewall using Safari browser on Mac Big Sur with the default “HTTPSAdminCert”.
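The steps above produce the certificate inside the firewall's WebUI. The shell functions below are an added example, not part of this article or of cOS Core, showing the same properties produced with the OpenSSL command line and, more usefully, how to verify them on any certificate before blaming the client: a DNS-type Subject Alternative Name, an RSA public key, and a validity period within the 825-day maximum that macOS enforces for TLS server certificates (so "increasing the validity" should stay under that limit). The hostnames fw.example.com and *.example.com are constructed placeholders, and the output paths are assumptions. `openssl req -addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the article). Generates a self-signed RSA server
# certificate with a Subject Alternative Name and checks the properties that
# macOS Big Sur requires. Hostnames are constructed placeholders.

# make_san_cert DIR HOST [EXTRA_SAN]
# Writes DIR/fw.key and DIR/fw.crt: RSA-2048, SHA-256, SAN = DNS:HOST plus
# any EXTRA_SAN entries (e.g. "DNS:*.example.com"), valid 825 days.
make_san_cert() {
  dir=$1; host=$2; san="DNS:${host}"
  [ -n "${3:-}" ] && san="${san},${3}"
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes \
    -keyout "$dir/fw.key" -out "$dir/fw.crt" \
    -subj "/CN=${host}" \
    -addext "subjectAltName=${san}" \
    -days 825 >/dev/null 2>&1
}

# cert_has_dns_san CERT.pem -> exit 0 if a DNS SAN entry is present, 1 otherwise
cert_has_dns_san() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'
}

# cert_key_is_rsa CERT.pem -> exit 0 if the public key is RSA (not EC)
cert_key_is_rsa() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q 'Public Key Algorithm: rsaEncryption'
}

# cert_validity_ok CERT.pem -> exit 0 if the certificate expires within 826 days
# from now, i.e. its validity period does not exceed the macOS 825-day limit.
# (-checkend exits 0 when the cert will NOT expire within N seconds, so negate.)
cert_validity_ok() {
  ! openssl x509 -in "$1" -noout -checkend $((826 * 86400)) >/dev/null 2>&1
}

# server_cert_has_san HOST PORT -> inspect the certificate your own firewall
# actually serves after deploying the change (step 3.2 above).
server_cert_has_san() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | grep -q 'DNS:'
}
```

Typical use: `make_san_cert ./out fw.example.com "DNS:*.example.com"`, then `cert_has_dns_san ./out/fw.crt && cert_key_is_rsa ./out/fw.crt && cert_validity_ok ./out/fw.crt`. After the new certificate is deployed on the firewall, `server_cert_has_san <firewall-host> 443` confirms that the WebUI is serving a certificate with a SAN, which is the property Safari and the SSL VPN client check for; a certificate that only has a Common Name fails `cert_has_dns_san`, which is exactly the situation the default certificate produced before this fix.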

