2

Our company uses a self-signed SonicWall for its firewall facility, and remote clients need to connect to the internal network through the VPN via the NetExtender client.

Some of the clients are using Linux without a desktop environment on purpose.

There is an issue with the NetExtender client on those computers without a desktop environment, on each connection attempt.

On each connection attempt, the NetExtender client needs an answer to this question:

Warning: self signed certificate

Do you want to proceed? (Y:Yes, N:No, V:View Certificate)

I read about self-signed certificates from this link

Then I tried to install the /home/$USER/.netExtenderCerts/PUB_CERT/ca-bundle.crt file by copying it to /usr/local/share/ca-certificates and using the update-ca-certificates command.

# cp /home/$USER/.netExtenderCerts/PUB_CERT/ca-bundle.crt /usr/local/share/ca-certificates
# update-ca-certificates 
Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.

After applying this method and rebooting the OS, the NetExtender client still hangs at the same question. This prevents building an automated connection.

How can I prevent the netExtender client from asking this question?

Sencer H.

4 Answers

3

To prevent NetExtender's certificate verification dialogue, you can use the undocumented switch "--always-trust".

For example:

netExtender -u user -p password -d 'domain' --always-trust host

Tested on Linux, but I'm not sure about NetExtender Windows CLI.

Note: as commented by Håkan Lindqvist, take into consideration that this will open up for MITM attacks.

2

Håkan Lindqvist's comment is on the money.

Only the certificates contained in ~/.netExtenderCerts/PUB_CERT/ca-bundle.crt seem to be evaluated by netExtender. The good news is this is a text file containing Base64-encoded certificates, so it's quite straightforward to add yours to the file.

First you need to get a copy of the certificate. You can do this by opening the VPN server address in a browser, (right-)clicking on the padlock icon next to the URL, inspecting the certificate and then exporting it. Save the certificate as Base64-encoded ASCII, single certificate or something equivalent.

I recommend backing up the original ca-bundle.crt file, just in case the next step fails or you wish to revert your certificates.

Finally, combine the exported certificate and backup into a single file and save as ca-bundle.crt.

Disclaimer: I found no documentation for this, so my solution is based on experimentation.

LarsOH
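The backup-and-merge steps from the answer above, as an added shell example that is not part of the original answer or of NetExtender itself. The function name `add_cert_to_bundle` and the `.orig` backup suffix are assumptions made for illustration; the bundle path is the one named in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): append one exported PEM
# certificate to netExtender's per-user bundle, keeping the original as a backup.
# Usage: add_cert_to_bundle CERT.pem [BUNDLE]
add_cert_to_bundle() {
    cert=$1
    # Default path is the one named in the answer above.
    bundle=${2:-$HOME/.netExtenderCerts/PUB_CERT/ca-bundle.crt}

    [ -r "$cert" ]   || { echo "cannot read certificate: $cert" >&2; return 1; }
    [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 1; }

    # Accept exactly one certificate block so that a private key, a chain or
    # a DER (binary) export is never appended by mistake.
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$cert" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$cert" || true)
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected exactly one PEM certificate in $cert" >&2
        return 2
    fi

    # Keep only the certificate block, with Windows line endings removed.
    pem=$(sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$cert" | tr -d '\r')
    body=$(printf '%s\n' "$pem" | grep -v '^-----' | tr -d ' \n')
    [ -n "$body" ] || { echo "empty certificate body in $cert" >&2; return 2; }

    # Idempotent: do nothing if the same Base64 body is already in the bundle.
    if tr -d ' \r\n' < "$bundle" | grep -qF -- "$body"; then
        echo "certificate already present in $bundle"
        return 0
    fi

    # Show the fingerprint so it can be compared with the one on the firewall
    # before trusting it (skipped quietly if openssl is missing or cannot parse it).
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256 2>/dev/null || true

    # Preserve the pristine bundle once, then replace the bundle atomically.
    [ -e "$bundle.orig" ] || cp -p "$bundle" "$bundle.orig" || return 1
    tmp=$(mktemp "$bundle.XXXXXX") || return 1
    { cat "$bundle"; printf '\n%s\n' "$pem"; } > "$tmp" && mv "$tmp" "$bundle"
}
```

To revert, copy `ca-bundle.crt.orig` back over `ca-bundle.crt`.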
1
#! /bin/bash
echo Y | netExtender -u user -p password -d 'domain' host
Michael Hampton
Vlad
0

The netExtender GUI creates /home/$USER/.netextender with contents in the following format:

[trustedcerts]
<ip>:<port>=<fingerprint>

Create this file manually and replace the ip, port, and fingerprint with your values. (To get the fingerprint, type V to view the certificate, then copy all of SHA1[...].)