-
Notifications
You must be signed in to change notification settings - Fork 41
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feedback after latest improvements #21
Comments
@cardonator I commited Python3 fixes and new feature (to support newer openconnect version). Is everything working as expected now? P.S. Please check modified |
Thanks. I will take a look. For something like the csd wrapper, should I put that in the openconnect args? |
Yes, that's correct. |
Getting
After an SMS or an interactive TOTP. I put my gateway in the same as before. Also, I tried doing the initial TOTP secret for okta and it doesn't seem to work. I'm guessing it's the f=xxxxxxxxxxxxxxxxxxxx argument in the QR code. Manjaro + Openconnect 8.05, python 3.8.2, no unbound This worked with the previous version. |
What is the actual exception you got? It should be right after the traceback. |
@gunslingerfry error doesn't seem to be related to config or anything You described. seems like a general issue. It fails when trying to write certificate to temporary file or file You specified in configuration. But, yes, I would need to see a full error message. |
Whoops. Not sure how I missed that. |
@gunslingerfry could You try latest-commit and see if that works? If not, please, provide a full error. |
Thanks for merging my changes and improving it even further! Wonderful that we are now reducing the variety of forks! I am just trying to use your new, consolidated version and to abandon my own. I saw that in commit 9eea095 you reworked the certificate parts. Now we have a From reading the code I see that you use the This is confusing. The python part is connecting to the vpn_url (portal & Gateway) and also to the okta_url (3rd Party service). Especially in my case only Is Okta really checking anyones client certificates? Is that a feature? At least for me they never asked for any client certificates. If you would like to keep the newliy introduced separation I would suggest to rename At least having to set |
One more, sorry ... is not working for me. for some reason it is no separate command? Commenting out the two lines makes openconnect start & connect! It seems to be needed now as the file is not automagically deleted anymore: |
Just to document: What I needed to do to make your merged version work for me is:
|
Yes, I want to merge everything, improve it, get You guys test it, and release 1.00, so it can be referenced.
I was going with comment from aclindsa#1 (comment) ... and trying to make it future-proof. So, basically, we have a client certificate for connecting to OKTA (python requests). And other client certificate to which authenticate portal/gateway with (which is passed in command-line to openconnect). They are two different certificates, right?
I see the issue now. We have 5 different connections:
I was going with same naming scheme as _url. Only thing seem to fix code, where to use each certificate. Currently it wrongly uses Do You agree? |
Good point. Didn't test this part. Will check and issue fix.
File is not deleted, because it is passed as command-line option ( Unfortunately our VPN doesn't have client certificates and I can only go by pull request comments and sane ideas, but not able to test. Do You have client certificate VPN You can test with? |
I don't even get this worked for You before. I commented my issues in pull request. Gateway is named and can be passed (I will rework it to be in such way) either in command-line as How did You execute it before and how did it work? If it connected directly to gateway (_url), fine, but then, when it passed in pipe, e.g., Edit: Ok, got it. You authenticated against gateway and therefore, passing anything after |
@arthepsy missed your reply. I'll try to check this today. |
@coldcoff do You know what certificates are returned in "getconfig" request, where responding SAML could contain |
Looks like you've got 'command' instead of the actual command at line 955.
|
Wow. You don't have |
I do have command it looks like. (Sorry, I've never used that utility before)
|
I'm slightly above the python experience level of 'knows what python is' but I tried |
@gunslingerfry seems interesting. Would like to reproduce such error. Can You share what is the shell, where You execute that script? Never seen such issue. Anyhow, I will removed that part and re-worked it in a different way. Please, re-check. |
@coldcoff @gunslingerfry @cardonator I've made another several rounds of improvements. Would be nice if You could check it out and give feedback. Trying to release 1.00 ;) |
Yes. at least they could be. Or only one service uses certificates.
Yes.
In the previous code the temp file existed as long as the python object holding/referencing it existed (which is basically the runtime of
Yes. Happy to test for you anytime!
For me it's the certs that both, portal and gateway use. In fact no new content compared to what is already in
Will do. |
I reworked it to delete it automatically if
Would be awesome! |
At least I always understand "cli" as "commandline", not "client" in my abbreviation 1st level cache. |
@lvml - could you please test as well and give your opinion? |
Yay, would be great. Also, not keeping different forks. I'll test one feature (gpg) in Your pull request and then ship it. |
Just wanted to let you know that the latest version doesn't work with my portal at all now :) |
Oh, come on :) What's the issue? Can't imagine. Please, provide a error message and description. |
Haha! I was trying to figure out what's going on but this one keeps stumping me. Basically, every time I try to connect I'm getting that 512 error again.
|
For reference, if I switch back to coldcoff's master PR, I am able to connect without issue. I am also able to connect on the merge commit from #19. Something since then has broken my ability to connect. |
@cardonator where is this error from? Seems packed from multiple sources. Doesn't look like either Python script or openconnect output. Could You reformat it a bit? What's the command-line and printf pipe contents? Your description seems that it's somehow providing wrong cookie to portal or gateway (don't know Your config) for some reason. Can't think of reason, though. What's your config, i.e., are You connecting to portal, gateway, doing another dance, etc? Is |
@arthepsy Alright. I tested with the current head (b637ea9) with SMS, push, and TOTP entry and all work perfectly. THANKS!!! The vpnc script is failing to set a route of some sort, the ip command returns |
@gunslingerfry awesome! I was thinking it should be pretty much perfect now. |
This is literally every message that is printed out after finishing the Okta handshake. I can set execute to 0 to see what command it constructed. It might be helpful to note that I was also always getting this error on this repo without coldcoff changes prior to merge, so this is the same behavior I had over a week ago.
my config looks like this:
To clarify, this exact config works on coldcoff-master but not on actual master. I am vaguely remembering something, though. I did have an issue at one point where the settings were making the cookie get passed as |
Ok, I'm wrong, it's not the vpnc script, I think openconnect is doing this. I'll check in at the openconnect repo to see if that's been reported.
|
I would suggest creating simple
|
Sorry to keep posting in here in real-time....... I think the last paragraph of my previous message is on to something. Here are the two connect commands generated by the different versions: coldcoff:
master:
The top command connects fine, the bottom one fails with the message above every time. |
Interesting. I see something completely off:
Yes, seem that You haven't updated Your config. Please, check current If You want to directly connect to gateway, provide |
Yes, as You see, it's providing |
Hmm, yeah, I said gateway_url but that is actually the vpn_url... |
Sorry to conflate two issues. No worries on the vpnc script/openconnect thing, just doing raw openconnect commands with no vpnc script will cause that error so it's definitely not anything you are doing. The invalid user name and logout failed message is returned only when using the gp-okta script though. Raw openconnect commands work fine. |
@cardonator there are types 3 connections:
Please, check Your config file for correct URL and setting usage. |
You're right, @arthepsy I was being dumb 👍 I did need to define the gateway_url, was missing that in the new config because I was used to how it was originally implemented. Once I added that in, it worked just fine. What I find weird in my config is that I can't auth with the portal and then connect to a gateway even though that's how the first party app works. But I guess I shouldn't look a gift horse in the mouth 😄 |
Yes, you can. It's how it's working in default config mode. It's how it's working for me. Just provide |
What do You mean by "raw openconnect commands"? Could You elaborate (go ahead and open another issue)? Maybe, just maybe, it's because You're using openconnect before 8.05 and providing cookie twice somehow affects |
Actually, somebody broke how everything should work (for everybody authenticating to portal), i.e., |
That's exactly what happened. Unfortunately, my primary gateway name is also the URL for the portal so I don't know how that ends up confusing things. Adding the portal URL to the gateway_url config fixed it, but it is pretty confusing how I can't do the portal->gateway dance that the regular GP client does. At any rate, I'm now ready to give my sign off on this release! 👍 |
I feel like this is a config issue. Or very interesting edge case :) Would like to figure it out, either way. Is there some IM (irc, discord, etc) I could catch You to work this out?
Thanks :) |
Sure, I'm on Discord. Sir_Brizz#5340. |
Message from Discord: "Hm, didn't work. Double check that capitalization, spelling, any spaces, and numbers are correct." |
Weird. Oh apparently the whole left side is lowercase... maybe that will work? |
Worked. Pending friend request. |
What is your nick? for some reason I have 49 pending friend requests and it doesn't tell which ones are new. |
@cardonator sorry, had a wisdom teeth removal, was a bit off. my nick is moo#2174. |
No description provided.
The text was updated successfully, but these errors were encountered: