Netgate Discussion Forum
    Server certificate verification

    OpenVPN
    8 Posts 3 Posters 17.2k Views
    freetomfr

      Hi everyone, I have a problem with my OpenVPN connection. I used pfSense 2.0 BETA 5 and the GUI to export a package containing all a user needs to connect.

      It works, the connection is established, but I have a warning:

      WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

      I tried to do what I found in the documentation by adding the ns-cert-type server option to the config file, but I get an SSL error with it:

      Wed Feb 09 11:44:45 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Wed Feb 09 11:44:45 2011 TLS Error: TLS object -> incoming plaintext read error
      Wed Feb 09 11:44:45 2011 TLS Error: TLS handshake failed
      Wed Feb 09 11:44:45 2011 Fatal TLS error (check_tls_errors_co), restarting
      Wed Feb 09 11:44:45 2011 SIGUSR1[soft,tls-error] received, process restarting

      What is the problem with the server certificate verification?

      Thanks

      Cry Havok

        It failed ;)

        Did you install the CA certificate on the clients? Did you ensure that the config file contains a line about it?

        freetomfr

          Here is the list of files that are in my config directory:

          pfsense-TCP-443.ovpn
          pfsense-TCP-443.p12
          pfsense-TCP-443-ca.crt
          pfsense-TCP-443-tls.key

          And this is my config file:

          dev tun
          persist-tun
          persist-key
          proto tcp-client
          cipher AES-128-CBC
          tls-client
          client
          resolv-retry infinite
          remote 82.XX.XX.XX 443
          pkcs12 pfsense-TCP-443.p12
          comp-lzo
          Cry Havok

            There should also be lines there about the CA certificate and the TLS key. Something like:

            ca pfsense-TCP-443-ca.crt
            tls-auth pfsense-TCP-443-tls.key 1

            I can highly recommend reading the documentation.

            freetomfr

              Thanks for your answer. I have read the documentation many times, but there are a lot of parameters, and when I tried the recommended one nothing worked anymore.

              I tried this parameter that I found in the documentation to verify the server certificate:

              remote-cert-tls server

              But I get an SSL error with it.

              Fri Feb 11 10:41:47 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
              Fri Feb 11 10:41:47 2011 TLS Error: TLS object -> incoming plaintext read error
              Fri Feb 11 10:41:47 2011 TLS Error: TLS handshake failed
              Fri Feb 11 10:41:47 2011 Fatal TLS error (check_tls_errors_co), restarting
              Fri Feb 11 10:41:47 2011 SIGUSR1[soft,tls-error] received, process restarting
              Cry Havok

                @Cry:

                There should also be lines there about the CA certificate and the TLS key. Something like:

                ca pfsense-TCP-443-ca.crt
                tls-auth pfsense-TCP-443-tls.key 1

                Have you added those lines to your client configuration file and restarted the client yet? Until you do at least the first you will continue to see those errors. The second is required if you've configured the server to use TLS.

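As an added example that is not part of the thread or of pfSense's export, the following POSIX shell check flags a client profile that still lacks the directives discussed in these replies. The directive and file names come from the thread; `check_ovpn` and the two sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): lint an OpenVPN client
# profile for the server-verification directives discussed above.
# check_ovpn <profile>: prints one line per missing directive, returns 0 only
# if nothing is missing.
check_ovpn() {
    missing=0
    # Trust anchor. The thread's replies point at the absent "ca" line as the
    # cause of "certificate verify failed" once remote-cert-tls was added.
    # (A .p12 may bundle the CA, but the export shipped a separate -ca.crt.)
    if ! grep -Eq '^[[:space:]]*ca[[:space:]]+[^[:space:]]' "$1"; then
        echo "missing: ca <ca-file>"; missing=$((missing + 1))
    fi
    # Either directive requires the peer to present a *server* certificate and
    # silences the "No server certificate verification method" warning.
    if ! grep -Eq '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server' "$1"; then
        echo "missing: remote-cert-tls server (or ns-cert-type server)"; missing=$((missing + 1))
    fi
    # tls-auth is needed only when the server uses it; the pfSense export
    # shipped a -tls.key, so its absence is flagged as well.
    if ! grep -Eq '^[[:space:]]*tls-auth[[:space:]]+[^[:space:]]' "$1"; then
        echo "missing: tls-auth <key-file> 1"; missing=$((missing + 1))
    fi
    [ "$missing" -eq 0 ]
}

tmpdir=$(mktemp -d)
# Constructed sample 1: the profile posted in the thread (address elided).
cat > "$tmpdir/before.ovpn" <<'EOF'
client
dev tun
proto tcp-client
remote 82.XX.XX.XX 443
pkcs12 pfsense-TCP-443.p12
comp-lzo
EOF
# Constructed sample 2: the same profile plus the lines suggested in the
# replies and the server-certificate check.
{ cat "$tmpdir/before.ovpn"; cat <<'EOF'
ca pfsense-TCP-443-ca.crt
tls-auth pfsense-TCP-443-tls.key 1
remote-cert-tls server
EOF
} > "$tmpdir/after.ovpn"

echo "== before.ovpn"; check_ovpn "$tmpdir/before.ovpn" || echo "server verification NOT configured"
echo "== after.ovpn";  check_ovpn "$tmpdir/after.ovpn" && echo "server verification configured"
```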
                spiritbreaker

                  EDIT:

                  removed

                  cya

                  Pfsense running at 11 Locations
                  -mobile OPENVPN and IPSEC
                  -multiwan failover
                  -filtering proxy(squidguard) in bridgemode with ntop monitoring

                  Cry Havok

                    @spiritbreaker, your error message is not the same as the one being discussed in this thread, please don't confuse matters.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.