Error establishing the CSTP channel #83

Open
DeduskaPihto opened this issue Jan 3, 2025 · 1 comment
DeduskaPihto commented Jan 3, 2025

docker config:

docker run --name ocserv\
    --sysctl net.ipv4.ip_forward=1\
    --cap-add NET_ADMIN\
    --security-opt no-new-privileges\
    -p 443:443 -p 443:443/udp\
    -v /home/****/.acme.sh/****.freeddns.org/cert-key.pem:/etc/ocserv/certs/server-key.pem\
    -v /home/****/.acme.sh/****.freeddns.org/fullchain.pem:/etc/ocserv/certs/server-cert.pem\
    -d quay.io/aminvakil/ocserv

cert-key.pem & fullchain.pem - valid from Let's Encrypt

Log OpenConnect-GUI 1.5.3:

2025-01-03 14:18:47 | 14dc | OpenConnect-GUI VPN client (1.5.3-101-gfcd48f0) logging started...
2025-01-03 14:18:49 |  e14 | POST https://****.freeddns.org/
2025-01-03 14:18:49 |  e14 | Attempting to connect to server 185.121.14.***:443
2025-01-03 14:18:49 |  e14 | Connected to 185.121.14.***:443
2025-01-03 14:18:49 |  e14 | There was a non-CA certificate in the trusted list: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority.
2025-01-03 14:18:49 |  e14 | There was a non-CA certificate in the trusted list: C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority.
2025-01-03 14:18:49 |  e14 | There was a non-CA certificate in the trusted list: CN=Root Agency.
2025-01-03 14:18:49 |  e14 | SSL negotiation with ****.freeddns.org
2025-01-03 14:18:49 |  e14 | Connected to HTTPS on ****.freeddns.org with ciphersuite (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
2025-01-03 14:18:49 |  e14 | Got HTTP response: HTTP/1.1 200 OK
2025-01-03 14:18:49 |  e14 | Set-Cookie: webvpncontext=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure; HttpOnly
2025-01-03 14:18:49 |  e14 | Content-Type: text/xml
2025-01-03 14:18:49 |  e14 | Content-Length: 306
2025-01-03 14:18:49 |  e14 | X-Transcend-Version: 1
2025-01-03 14:18:49 |  e14 | HTTP body length:  (306)
2025-01-03 14:18:49 |  e14 | XML POST enabled
2025-01-03 14:18:49 |  e14 | Please enter your username.
2025-01-03 14:18:49 |  e14 | Text form: username
2025-01-03 14:18:49 |  e14 | POST https://****.freeddns.org/auth
2025-01-03 14:18:49 |  e14 | Got HTTP response: HTTP/1.1 200 OK
2025-01-03 14:18:49 |  e14 | Set-Cookie: webvpncontext=ADZ/M6153CcJHH99UwTsc6w9O5zFH1ajYpELVWgLVyE=; Max-Age=3600; Secure; HttpOnly
2025-01-03 14:18:49 |  e14 | Content-Type: text/xml
2025-01-03 14:18:49 |  e14 | Content-Length: 310
2025-01-03 14:18:49 |  e14 | X-Transcend-Version: 1
2025-01-03 14:18:49 |  e14 | HTTP body length:  (310)
2025-01-03 14:18:49 |  e14 | Please enter your password.
2025-01-03 14:18:49 |  e14 | Password form: password
2025-01-03 14:18:52 |  e14 | POST https://****.freeddns.org/auth
2025-01-03 14:18:53 |  e14 | Got HTTP response: HTTP/1.1 200 OK
2025-01-03 14:18:53 |  e14 | Connection: Keep-Alive
2025-01-03 14:18:53 |  e14 | Content-Type: text/xml
2025-01-03 14:18:53 |  e14 | Content-Length: 189
2025-01-03 14:18:53 |  e14 | X-Transcend-Version: 1
2025-01-03 14:18:53 |  e14 | Set-Cookie: webvpncontext=ADZ/M6153CcJHH99UwTsc6w9O5zFH1ajYpELVWgLVyE=; Secure; HttpOnly
2025-01-03 14:18:53 |  e14 | Set-Cookie: webvpn=<elided>; Secure; HttpOnly
2025-01-03 14:18:53 |  e14 | Set-Cookie: webvpnc=; expires=Thu, 01 Jan 1970 22:00:00 GMT; path=/; Secure; HttpOnly
2025-01-03 14:18:53 |  e14 | Set-Cookie: webvpnc=bu:/&p:t&iu:1/&sh:FA8107AE1E3BFC0F7A46A9FF6036C718230A9B10; path=/; Secure; HttpOnly
2025-01-03 14:18:53 |  e14 | HTTP body length:  (189)
2025-01-03 14:18:53 |  e14 | Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable
2025-01-03 14:18:53 |  e14 | Error establishing the CSTP channel
2025-01-03 14:18:53 | 14dc | Disconnected

ADD:
Launched with the parameters:
docker run --name ocserv --sysctl net.ipv4.ip_forward=1 --cap-add NET_ADMIN --security-opt no-new-privileges -p 443:443 -p 443:443/udp -e CA_CN="My CA" -e CA_ORG="My Corp" -e CA_DAYS=3650 -d quay.io/aminvakil/ocserv
The result is the same.

Tested on Debian 12, Ubuntu 24.04.
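An added triage helper for logs in the OpenConnect-GUI format above (my example, not code from the reporter or from the ocserv project): it pairs each POST with its response, collects the cookies the server set, names the step where the CSTP channel failed, and flags any cookie issued without both Secure and HttpOnly. The sample log is constructed; its webvpnc cookie deliberately lacks those flags to exercise the check, whereas the real log above had both.

```python
import re
from dataclasses import dataclass, field

LINE_RE = re.compile(r"^\S+ \S+ \| +\w+ \| (.*)$")          # "date time | thread | message"
COOKIE_RE = re.compile(r"^Set-Cookie: ([^=]+)=([^;]*);?(.*)$")

# Constructed sample mirroring the failing exchange (hostname is a placeholder).
SAMPLE_LOG = """\
2025-01-03 14:18:52 |  e14 | POST https://vpn.example.invalid/auth
2025-01-03 14:18:53 |  e14 | Got HTTP response: HTTP/1.1 200 OK
2025-01-03 14:18:53 |  e14 | Set-Cookie: webvpn=<elided>; Secure; HttpOnly
2025-01-03 14:18:53 |  e14 | Set-Cookie: webvpnc=bu:/&p:t&iu:1/; path=/
2025-01-03 14:18:53 |  e14 | Got inappropriate HTTP CONNECT response: HTTP/1.1 401 Cookie is not acceptable
2025-01-03 14:18:53 |  e14 | Error establishing the CSTP channel
"""

@dataclass
class Triage:
    exchanges: list = field(default_factory=list)  # (request, status line)
    cookies: dict = field(default_factory=dict)    # cookie name -> set of attributes
    cstp_failed: bool = False

def triage(log: str) -> Triage:
    """Walk the log once, pairing requests with responses and collecting cookies."""
    t, pending = Triage(), "?"
    for raw in log.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                                  # not a client log line
        msg = m.group(1)
        if msg.startswith("POST "):
            pending = msg[5:]
        elif msg.startswith("Got HTTP response: "):
            t.exchanges.append((pending, msg.split(": ", 1)[1]))
        elif msg.startswith("Got inappropriate HTTP CONNECT response: "):
            t.exchanges.append(("CONNECT (CSTP)", msg.split(": ", 1)[1]))
        elif (c := COOKIE_RE.match(msg)):
            name, _value, rest = c.groups()
            t.cookies[name] = {a.strip() for a in rest.split(";") if a.strip()}
        elif msg == "Error establishing the CSTP channel":
            t.cstp_failed = True
    return t

def diagnose(t: Triage) -> str:
    """Name the step at which the session broke; 'ok' if the tunnel came up."""
    if not t.cstp_failed:
        return "ok"
    req, status = t.exchanges[-1]
    if status.split()[1] == "401" and "webvpn" in t.cookies:
        return f"auth succeeded but server rejected session cookie on {req}: {status}"
    return f"CSTP failed after {req}: {status}"

def weak_cookies(t: Triage) -> list:
    """Cookies issued without both Secure and HttpOnly (session-cookie hygiene check)."""
    return sorted(n for n, a in t.cookies.items() if not {"Secure", "HttpOnly"} <= a)
```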

@aminvakil
Owner

It's because of "HTTP/1.1 401 Cookie is not acceptable" that the CSTP channel does not get established.

#80
