Environment
Novell Access Manager 3.X SSLVPN Server
Situation
SSLVPN server setup with Kiosk mode enabled
The test-stunnel certificate has been assigned to the SSLVPN cert store
All users can connect to the SSLVPN server in Kiosk mode, and successfully access protected back-end applications.
One morning, about 10% of users reported issues connecting to the SSLVPN server. Instead of getting
the green 'connected' message, the users received the following message:
'AM#1506 : SSLVPN Server certificate validation failed'
Resolution
Make sure that all workstations have their time set correctly, i.e. pointing to an NTP server.
The certificate assigned to the Kiosk mode SSLVPN server is the test-stunnel certificate. The test-stunnel certificate (and all test-* certificates) are automatically renewed within 30 days of the certificate expiring. When the certificate was renewed, its NotValidBefore attribute was set to a time 2 days in the past. However, the client host's time was more than 2 days out, so the certificate validation process failed. Pointing the host to a local NTP server addressed the issue.
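The following is an added example, not Novell code: a small triage script that compares workstation clock readings against a certificate's validity window to show which clients would reject a freshly renewed certificate. The dates (in the format printed by `openssl x509 -noout -dates`) and the workstation names are constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed sample in the format printed by `openssl x509 -noout -dates`.
# The certificate is assumed renewed on Mar 10 2010 09:00 GMT with its
# start of validity backdated by 2 days, as described in the Resolution.
SAMPLE_DATES = """notBefore=Mar  8 09:00:00 2010 GMT
notAfter=Mar  8 09:00:00 2012 GMT"""
RENEWED_AT = datetime(2010, 3, 10, 9, 0, tzinfo=timezone.utc)

def parse_validity(dates_text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = dict(line.strip().split("=", 1)
                  for line in dates_text.splitlines() if "=" in line)
    def to_dt(cert_time):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time),
                                      tz=timezone.utc)
    return to_dt(fields["notBefore"]), to_dt(fields["notAfter"])

def check_clock(client_now, not_before, not_after):
    """Classify how a client whose clock reads client_now sees the cert."""
    if client_now < not_before:
        return "not-yet-valid", not_before - client_now
    if client_now > not_after:
        return "expired", client_now - not_after
    return "valid", timedelta(0)

def triage(dates_text, reference_now, client_clocks):
    """Map host -> (status, gap to validity window, skew vs reference)."""
    not_before, not_after = parse_validity(dates_text)
    report = {}
    for host, clock in client_clocks.items():
        status, gap = check_clock(clock, not_before, not_after)
        report[host] = (status, gap, clock - reference_now)
    return report

# Hypothetical workstations with constructed clock readings.
CLIENTS = {
    "ws-in-sync": RENEWED_AT,
    "ws-1d-behind": RENEWED_AT - timedelta(days=1),
    "ws-3d-behind": RENEWED_AT - timedelta(days=3),
}

if __name__ == "__main__":
    for host, (status, gap, skew) in triage(SAMPLE_DATES, RENEWED_AT,
                                            CLIENTS).items():
        print(f"{host}: {status} (gap {gap}, clock skew {skew})")
```

Only the workstation whose clock is more than 2 days behind sees the certificate as not yet valid, which matches the pattern of a subset of users failing right after renewal.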