SSTP VPNs broken?

Hi, it seems to me that SSTP VPNs are broken at the moment with GNOME and KDE.

I had a working SSTP VPN to the network of my university. As of recently I’ve got the (not) very helpful error message from KDE saying: “secret missing” when trying to connect.
As the settings haven’t been changed since the last working time, and they are correct according to the university’s help page, I guess that SSTP got broken sometime in the last few months. I don’t use it that often, so I can’t say an exact time sadly, but I would say sometime in the last 3 months.

My flatmate from the same university has the same issue with EndeavourOS, so it’s not a Manjaro-specific issue I would say.

It’s also the same issue as in this thread, also the same university. Ofc someone could then say “Huh, maybe it’s the university’s fault then”. Legitimate concern. But I don’t think so, as their status page doesn’t say anything about VPN issues at the moment.

With GNOME I have the problem that it’s not able to the “VPN connection editor”, so I can’t try from there.

Both systems have sstp-client and network-manager-sstp from the repositories installed, and are up to date (28th August 2022) on stable branch.

The required parameters as stated by the University are
Gateway: vpn.universitiys-domain.com
Username: [Username]
Password: [Password]
These settings were enough to connect in the past, no certificates or something else required.

Quick Edit:
The VPN connection is indeed working with Windows from the same machine as the KDE system (dual boot) with the same settings. So the university’s VPN server is online, and the settings are correct. Therefore I suspect that sstp-client or network-manager-sstp are broken.

It would be very nice if someone else with another sstp vpn connection could test this.

GUI: nm-connection-editor
TUI: nmtui

At least you could use sstpc to troubleshoot it:

sstpc --help

instead of waiting to see if someone will test it.

Thx for your answer.

nm-connection-editor is already installed on both systems by default.

sstpc says “Verification of server certificate failed, (-2)” for the gnome and the KDE system. Just for clarification, these are two different computers. Quick googling also didn’t clear up what the -2 means in this context and a change of --log-level between 0 and 4 did not generate more output, unfortunately. I’ve also not found useful information from searching for this error message.

I don’t know which certificate sstpc wants to check and validate. The University doesn’t provide one, and none seems to be needed for other OS’s like Win, Mac or Android.

Probably it is this:

$ LANG=C errno 2
ENOENT 2 No such file or directory

Probably the ROOT CA was removed for some unknown reason which is used on the Windows Server.

ls /etc/ssl/certs/ 
trust list

Maybe look if the ROOT CA is there which is needed.

Thx.

I’ve used the commands in combination with variations of grep Root, and I’m not sure which certificate to look for. Should there be a certificate with the name “ROOT CA”?

The website of the university is uni-tuebingen.de, so I tried to look for a certificate that complements the website SSL certificate. Their issuer seems to be T-TeleSec. I’ve found the accompanying T-TeleSec GlobalRoot Class 2 in my trust list, so this one exists. Unfortunately the SSL certificate of the website doesn’t seem to cover the vpn subdomain.

Is there some other pattern I should look out for?

I would look at Windows and figure out which certificate is used. Then copy it to Linux and import it.

Like that:

sudo cp /path/to/win_ca.crt /usr/local/share/ca-certificates/win-ca.crt
sudo update-ca-certificates

or maybe like that:

sudo trust anchor --verbose --store /path/to/win_ca.crt

Maybe it helps somehow, but well I can only guess what the problem could be.

Oh no. Windows SSL Storage seems to be weird. I will definitely need a new day to look into that. Thx, I will report again.

Quick Edit: I’m on vacation and won’t be able to pursue this error further until mid September, so please don’t close this topic until then, even though nothing’s coming :skull: I promise updates after that
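
One way to find out which CA the gateway's certificate chains to, and whether the Linux trust store accepts it, without going through the Windows certificate store. This is an added example that is not part of the original thread; the function names are made up here, `vpn.example.test` is a placeholder for the real gateway name, and it assumes the `openssl` command-line tool is installed.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are made up here;
# vpn.example.test is a placeholder for the real gateway name.

# SSTP is tunnelled over TLS on port 443, so the certificate sstpc rejects is
# the one the gateway presents there. Save every certificate it sends.
fetch_chain() {    # usage: fetch_chain HOST [PORT] > chain.pem
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts \
        </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Issuer of the last certificate in the chain: the CA that has to be present
# in the local trust store (servers usually do not send the root itself).
needed_root() {    # usage: needed_root chain.pem
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout | grep '^issuer' | tail -n 1
}

# Verify the first (server) certificate of the chain, using the remaining
# certificates as untrusted intermediates. Without CA_BUNDLE the system
# default trust store is used. Returns 0 only if the chain verifies.
check_chain() {    # usage: check_chain chain.pem [CA_BUNDLE]
    openssl x509 -in "$1" -noout -subject -issuer -enddate
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" -untrusted "$1" "$1"
    else
        openssl verify -untrusted "$1" "$1"
    fi
}

# Typical run (needs network access, so it is left commented out):
#   fetch_chain vpn.example.test > chain.pem
#   needed_root chain.pem
#   check_chain chain.pem || echo "chain does not verify against the trust store"
```

If `check_chain` fails and `needed_root` names a CA that `trust list` does not show, that is the certificate to obtain from the CA and import with the `trust anchor` command quoted above.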