Latest Mozilla ca-certificates package breaks cstub
Today I came across this error and an endless "Refreshing" loop:
CSD script '/home/vpn/.cisco/csd-wrapper.sh' returned non-zero status: 243
Authentication may fail. If your script is not returning zero, fix it.
Future versions of openconnect will abort on this error.
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.mycompany.com
Connected to HTTPS on vpn.mycompany.com with ciphersuite (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
Not knowing exactly why this may have started, I looked at my dnf history, and sure enough the last update was this:
~ $ sudo dnf history info 714
Transaction ID : 714
Begin time : Thu 01 Jul 2021 06:17:34 AM MST
Begin rpmdb : 2004:ff930485d3cb11002a156e02003572ad370da974
End time : Thu 01 Jul 2021 06:17:36 AM MST (2 seconds)
End rpmdb : 2004:89c36884a3011bd8ed67d1f6052ed4ee897a199f
User : System <unset>
Return-Code : Success
Releasever : 33
Command Line :
Comment :
Packages Altered:
Upgrade ca-certificates-2021.2.50-1.0.fc33.noarch @updates
Upgraded ca-certificates-2020.2.41-4.fc33.noarch @@System
Downgrading to ca-certificates-2020.2.41* resolved the issue for me, but I'm wondering what I can do to prevent this from being an issue for others. This is the version of the software I'm using:
~ $ openconnect --version
OpenConnect version v8.10
Using GnuTLS 3.6.16. Features present: TPM, TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse
~ $ uname -a
Linux localhost.localdomain 5.12.13-200.fc33.x86_64 #1 SMP Wed Jun 23 16:20:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
Edited by Joseph Spencer
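
A way to triage saved openconnect output for the two symptoms in the report above (the CSD wrapper's non-zero exit status and the repeated `wait.html` refresh), as an added example that is not part of the original report or of openconnect. The function name `triage`, the result keys and the `loop_threshold` default are assumptions; the sample log is constructed by shortening the output quoted in the report.

```python
import re

# The two openconnect messages quoted in the report.
CSD_FAIL = re.compile(r"^CSD script '(?P<script>[^']+)' returned non-zero status: (?P<status>\d+)$")
REFRESH = re.compile(r"^Refreshing (?P<page>\S+) after \d+ seconds?\.\.\.$")

# Constructed sample: the report's output, shortened to three refresh cycles.
SAMPLE_LOG = """\
CSD script '/home/vpn/.cisco/csd-wrapper.sh' returned non-zero status: 243
Authentication may fail. If your script is not returning zero, fix it.
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.mycompany.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
GET https://vpn.mycompany.com/+CSCOE+/sdesktop/wait.html
SSL negotiation with vpn.mycompany.com
Refreshing +CSCOE+/sdesktop/wait.html after 1 second...
"""

def triage(log_text, loop_threshold=3):
    """Report the CSD script failure (if any) and the longest run of
    refreshes of one page; a run >= loop_threshold counts as a loop."""
    result = {"csd_script": None, "csd_status": None,
              "loop_page": None, "max_refresh_run": 0, "looping": False}
    run_page, run_len = None, 0
    for raw in log_text.splitlines():
        line = raw.strip()
        m = CSD_FAIL.match(line)
        if m:
            result["csd_script"] = m["script"]
            result["csd_status"] = int(m["status"])
            continue
        m = REFRESH.match(line)
        if not m:
            continue  # GET / SSL negotiation lines do not break a run
        # A run continues only while the same page keeps being refreshed.
        run_len = run_len + 1 if m["page"] == run_page else 1
        run_page = m["page"]
        if run_len > result["max_refresh_run"]:
            result["max_refresh_run"] = run_len
            result["loop_page"] = run_page
    result["looping"] = result["max_refresh_run"] >= loop_threshold
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A non-zero `csd_status` together with `looping` set to true matches the combination described in the report; it identifies the symptom only and does not say which package change caused it.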