Error: self signed certificate in certificate chain

Hi

On macOS we get “Error: self signed certificate in certificate chain” when trying to import a VPN profile.

The self-signed certificate is trusted by the OS and does not give errors in the browser; the root CA and trust are pushed using MDM.

How do we get the client to understand OS-trusted CAs?

If the certificate is invalid it should be imported with the IP address. I don’t think support for handling custom certificates added to the OS will be added.

So if Pritunl is not using the OS trust store, what is used instead, and can a root CA be added to wherever those CAs are located?

That request uses the NodeJS http library; I believe NodeJS uses its own CA roots. The code has a regex in pritunl-client-electron/client/app/Request.ts to allow unverified requests when it is an IP address.

There are also requests made by the background service in Golang but most of these requests are made without verification. Most Pritunl servers run with untrusted certificates so it was designed to handle this. Instead there are a few layers of encryption + authorization with NaCl, SHA512-HMAC and RSA-4096. Once you have the profile imported the unverified certificate shouldn’t prevent any other features from working. The import process doesn’t yet have the trusted server keys to perform an alternative verification so it is required for that step.