I needed to use Cisco AnyConnect to connect to a client's VPN server. Whenever I'd start up the AnyConnect GUI though (server hostname already entered in the server textbox), it would complain about the server cert being untrusted.
There are a few online posts about symlinking things from Firefox into the correct system lib directories for the correct Linux arch.
I didn't want to do that (because I wasn't clear what else would break), so I ran strace -f on the VPN GUI and looked for interesting open* calls. It turns out there are open calls to, e.g., "/root/.mozilla/firefox/". That happens before the open calls on /opt/.cisco/certificates/ca*.
On this box (an LXC instance just for this VPN) I'd never run Firefox as root, so there was no .mozilla/firefox directory at all. I started up Firefox as root but didn't browse anywhere, and after that the VPN no longer warns about the cert being untrusted.
The Cisco AnyConnect software is installed from a self-uncompressing shell script, so it's not going to know where the system it's installed on stores its certs, so I guess it just punts and looks in root's Firefox (plus a few other places that aren't set correctly for it on Ubuntu) for certs.
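
The strace step described above can be narrowed to the paths a program probed but did not find. This is an added example, not part of the original post: the function names, the trace file name and the sample trace lines are all constructed for illustration, and the path to the VPN GUI binary is left as a placeholder.

```shell
#!/bin/sh
# Added example: list paths a traced process tried to open but that did not
# exist (ENOENT), in the order they were first probed.
# Capture a trace first, for instance:
#   strace -f -e trace=open,openat -o vpn.trace <path-to-vpn-gui>

missing_opens() {
    # $1 = strace output file; $2 = optional extended regex to filter paths
    awk -v pat="${2:-.}" '
        /open(at)?\(/ && /ENOENT/ {
            # The path is the first double-quoted string on the line.
            if (match($0, /"[^"]*"/)) {
                p = substr($0, RSTART + 1, RLENGTH - 2)
                # Report each path once, even if several threads probed it.
                if (p ~ pat && !seen[p]++) print p
            }
        }' "$1"
}

# Constructed sample trace lines (not captured from a real AnyConnect run).
sample_trace() {
    cat <<'EOF'
1234 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/root/.mozilla/firefox/", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
1235 openat(AT_FDCWD, "/root/.mozilla/firefox/", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = -1 ENOENT (No such file or directory)
1234 openat(AT_FDCWD, "/opt/.cisco/certificates/ca", O_RDONLY|O_NONBLOCK|O_DIRECTORY) = 3
EOF
}

# When given a trace file on the command line, report its missing paths.
if [ -n "${1:-}" ]; then
    missing_opens "$@"
fi
```

Passing a second argument such as `'mozilla|cisco|cert'` restricts the report to certificate-store candidates, which keeps the output readable on a GUI program that probes many unrelated paths.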