Netgate Discussion Forum
    [Solved] Openvpn TLS Error

    OpenVPN
    7 Posts 4 Posters 11.3k Views
      peacemaker76

      Hi all,

      I'm getting this error on the server side of a pfSense system (2.2.6-release):

      
      Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 SIGUSR1[soft,tls-error] received, client-instance restarting
      Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 TLS Error: TLS handshake failed
      Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 TLS Error: TLS object -> incoming plaintext read error
      Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
      Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 VERIFY SCRIPT ERROR: depth=1, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=VPN Wuapaa
      Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      Feb 9 17:25:15 openvpn: Found certificate with depth 1
      Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 UDPv4 READ [1148] from [AF_INET]91.141.3.170:3568: P_CONTROL_V1 kid=0 pid=[ #45 ] [ ] pid=4 DATA len=1094

      I already set the Certificate Depth in the server configuration to "Two", as mentioned somewhere in the forum, but that didn't solve the problem. Also, if I disable the client check, the VPN tunnel is established.

      Certificates were generated by the wizard, so I don't think the problem lies here.

      Does anybody have a hint on this? To me it looks like the verification script isn't working properly, maybe some file permission or encoding issue?

        viragomann

        Hi,

        Don't use spaces or special characters in the CN (VPN Wuapaa).

        The best solution will be to change the user name and assign a new cert.

          peacemaker76

          Hi,

          I changed both the CA name and the username; the problem still occurs.

          With Cert-check:

          
          Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 SIGUSR1[soft,tls-error] received, client-instance restarting
          Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 TLS Error: TLS handshake failed
          Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 TLS Error: TLS object -> incoming plaintext read error
          Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
          Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 VERIFY SCRIPT ERROR: depth=1, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=VPNWuapaa
          Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1

          Without Check:

          
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 WRITE [166] to [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #45 ] [ 5 ] pid=42 DATA len=100
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 TLS Auth Error: Auth Username/Password verification failed for peer
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 READ [538] from [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #46 ] [ 41 ] pid=5 DATA len=472
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 WRITE [117] to [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #44 ] [ 4 ] pid=41 DATA len=51
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 VERIFY OK: depth=0, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=awilm
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 VERIFY OK: depth=1, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=VPNWuapaa
          Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 READ [782] from [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #45 ] [ ] pid=4 DATA len=728

          (The error in user authentication is another error, but imho not related to the problem.)

            cmb

            Shouldn't be an issue to have a space in the CN, unless you're doing strict CN matching (where the username couldn't contain a space).

            Judging by those logs, it seems like your OpenVPN server is using a different CA than your clients, or there is some other issue with your certificates along those lines.

              peacemaker76

              I checked the server config; the correct CA is selected. The certs under /var/etc/openvpn/ look good (imho):

              with openssl x509 -in server1.ca -text -noout:

              Certificate:
                  Data:
                      Version: 3 (0x2)
                      Serial Number: 0 (0x0)
                  Signature Algorithm: sha256WithRSAEncryption
                      Issuer: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNWuapaa
                      Validity
                          Not Before: Feb  9 21:14:18 2016 GMT
                          Not After : Feb  6 21:14:18 2026 GMT
                      Subject: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNWuapaa
                      Subject Public Key Info:
                          Public Key Algorithm: rsaEncryption
                              Public-Key: (2048 bit)
                              Modulus:
                                  00:cb:cd:73:ba:de:4a:ef:79:db:b4:25:1c:de:1a:
                                  e4:d1:e7:8a:d1:8e:ff:28:ec:2e:f3:16:c0:b8:15:
                                  71:02:df:3f:02:62:d0:d4:1c:e3:47:67:f2:91:e1:
                                  cf:1c:31:a0:c4:15:ad:f3:dc:35:7f:50:d0:2b:30:
                                  f4:63:ac:2a:37:a5:72:bc:1e:24:7e:6c:62:e2:f8:
                                  45:2f:d7:fa:cf:bf:5c:97:73:98:be:14:8e:a4:df:
                                  5d:d0:d4:03:52:35:67:d2:f5:58:f9:c3:a8:82:97:
                                  03:6d:f6:5d:a8:67:c1:e2:87:fd:aa:78:4b:1b:0b:
                                  12:70:b3:e2:21:95:8a:bb:68:ca:dc:0a:6a:89:79:
                                  be:83:b5:f7:1c:25:75:0d:d7:28:5d:0d:34:22:46:
                                  1f:f2:37:a3:4e:a6:0e:d9:54:ff:5a:fb:c0:ab:a3:
                                  35:d0:7e:a4:4e:3a:aa:ba:66:6c:1c:90:f9:42:56:
                                  2e:79:c6:b9:45:6e:37:11:6c:6d:e7:73:b6:8b:2b:
                                  5d:28:7e:d1:49:d5:57:cc:b5:06:cc:cc:b0:c2:46:
                                  3c:52:b0:06:9c:fa:21:77:84:f5:04:18:9c:4e:f9:
                                  89:6a:59:4c:f4:6d:a4:c0:8e:3a:c3:43:07:44:ff:
                                  26:49:5e:13:d7:56:4c:70:e7:45:29:a7:25:b0:3c:
                                  cb:9d
                              Exponent: 65537 (0x10001)
                      X509v3 extensions:
                          X509v3 Subject Key Identifier:
                              F2:EC:2B:FF:E4:C3:38:2F:76:D5:45:4A:A3:59:1D:A5:49:77:1D:FA
                          X509v3 Authority Key Identifier:
                              keyid:F2:EC:2B:FF:E4:C3:38:2F:76:D5:45:4A:A3:59:1D:A5:49:77:1D:FA
                              DirName:/C=AT/ST=Kaernten/L=Klagenfurt/O=wuapaa/emailAddress=technik@wuapaa.com/CN=VPNWuapaa
                              serial:00
              
                          X509v3 Basic Constraints:
                              CA:TRUE
                          X509v3 Key Usage:
                              Certificate Sign, CRL Sign
                  Signature Algorithm: sha256WithRSAEncryption
                       7a:03:5a:5d:be:eb:de:55:e7:4f:65:be:79:b3:b8:49:f3:92:
                       57:8a:12:9a:f2:68:34:cf:4a:4f:66:2f:3e:b9:03:b3:e2:8d:
                       0f:9c:98:29:f0:e1:9a:7d:bc:8b:6e:b4:b3:ec:47:c8:a0:10:
                       0a:a4:4d:ff:42:2a:54:27:38:90:34:5a:f8:b7:5e:a0:0c:28:
                       0b:08:99:0d:f0:76:9e:64:f1:28:94:8d:2d:b1:7f:d4:14:83:
                       2c:d1:10:b6:22:b4:6b:73:4c:5a:e5:b2:cf:ca:1d:2e:61:b7:
                       0d:f1:2f:c3:89:4b:71:f7:13:1c:bf:7f:6a:2d:41:36:5c:2e:
                       78:e4:8b:55:2f:f6:70:a0:22:3a:11:84:6f:f8:25:28:81:5f:
                       a6:86:2a:04:7b:6a:0e:5a:b4:ea:90:39:4e:f7:fb:8f:00:9b:
                       86:a2:02:26:f3:04:9a:2f:ba:68:c3:32:aa:cb:f0:6e:1b:e3:
                       8b:a0:75:5e:00:da:36:b3:22:f5:68:4f:6d:a1:de:3c:2b:2c:
                       e0:6b:1d:5f:3d:cd:d5:38:b2:11:20:54:73:69:95:8d:5f:9a:
                       2e:8b:a6:be:30:e5:e4:a5:c1:c4:e6:70:2c:51:b5:37:ad:51:
                       e0:e6:22:b8:78:78:1c:11:ee:b4:7a:19:48:44:93:0c:1e:82:
                       d4:51:30:8a
              
              

              and openssl x509 -in server1.cert -text -noout:

              Certificate:
                  Data:
                      Version: 3 (0x2)
                      Serial Number: 1 (0x1)
                  Signature Algorithm: sha256WithRSAEncryption
                      Issuer: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNWuapaa
                      Validity
                          Not Before: Feb  9 21:14:20 2016 GMT
                          Not After : Feb  6 21:14:20 2026 GMT
                      Subject: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNpfsense
                      Subject Public Key Info:
                          Public Key Algorithm: rsaEncryption
                              Public-Key: (4096 bit)
                              Modulus:
                                  00:9c:05:12:c7:a8:d2:1b:01:46:59:e0:aa:24:03:
                                  6d:d5:59:c5:db:4f:39:2a:21:7c:68:34:dc:ed:ec:
                                  e4:d5:90:a9:0b:d0:ab:ee:83:02:f7:64:b5:c9:eb:
                                  21:12:60:7d:87:ab:4b:33:72:5f:b1:08:3c:92:32:
                                  07:68:45:b5:42:17:42:76:94:8d:12:2c:ca:63:9e:
                                  60:0a:c3:a3:20:99:43:c3:2a:51:1f:5a:be:89:15:
                                  c6:4e:76:b3:7f:c9:12:1d:58:22:0e:b8:d4:04:12:
                                  cc:b4:5b:4f:e5:d2:ac:a0:1a:0a:78:d5:a5:43:96:
                                  ba:76:d5:2e:ef:7d:2b:df:41:ee:40:a8:a2:19:41:
                                  8c:51:c0:a4:f1:cc:3e:d4:25:68:86:9d:0d:e3:2c:
                                  09:5f:0f:02:7d:33:b0:44:33:da:03:98:be:ae:36:
                                  18:f3:1a:e1:80:b4:51:bd:fa:5a:e3:98:45:48:a7:
                                  90:90:81:12:96:fc:ae:ba:8b:e3:97:af:70:0b:b6:
                                  f9:14:e6:26:fb:3c:bc:8b:fe:b2:ee:6d:fc:73:2b:
                                  0f:23:d1:7c:fe:ca:ef:db:18:1f:71:42:3f:e0:a3:
                                  c2:69:68:0f:b1:eb:e8:74:3b:92:4e:8a:58:87:0f:
                                  aa:c2:c4:46:b0:21:4f:9c:81:c9:49:d6:69:5d:0d:
                                  de:62:1e:1d:14:7c:ae:94:3f:2f:47:da:3c:8b:a3:
                                  29:a9:26:51:60:7f:0e:d6:e7:d9:a0:ab:b9:cc:ed:
                                  86:a8:e2:c9:ae:13:6c:46:ee:5e:8f:81:4e:87:6a:
                                  8a:f6:2e:54:dc:2d:a2:96:38:11:eb:c2:c1:e1:b8:
                                  f5:82:cc:06:89:71:fe:d0:7c:9d:fd:a3:60:18:36:
                                  8e:c5:23:92:c9:91:3d:81:f9:08:bb:86:7c:1a:d0:
                                  c5:7d:60:31:29:66:6d:73:6a:c6:e9:16:18:e7:3b:
                                  d9:fc:3e:d1:bf:af:04:cc:f0:1b:ae:12:9c:5d:24:
                                  cf:bf:e3:1f:71:aa:47:f2:e9:cb:59:c7:0c:31:dd:
                                  14:3a:5b:d5:cd:31:7e:0f:e7:10:46:83:87:4d:b2:
                                  ac:8a:86:71:2a:59:c5:d6:43:ea:9d:a9:20:ac:b7:
                                  7a:ba:44:c4:78:16:08:52:48:f6:8d:2c:ee:3d:74:
                                  68:d6:80:7b:2a:42:55:4d:6c:30:22:d1:15:71:9e:
                                  81:90:ee:8d:b1:1e:01:60:a7:2f:54:f9:4f:f6:03:
                                  32:0a:b1:20:59:45:0c:c7:a8:cf:47:e2:6d:67:d6:
                                  50:12:4b:bb:96:cb:65:fd:e2:1c:05:1f:36:84:06:
                                  b9:c6:16:40:2c:b9:bf:f3:2c:11:f7:4b:10:65:cd:
                                  f8:d3:cf
                              Exponent: 65537 (0x10001)
                      X509v3 extensions:
                          X509v3 Basic Constraints:
                              CA:FALSE
                          Netscape Cert Type:
                              SSL Server
                          Netscape Comment:
                              OpenSSL Generated Server Certificate
                          X509v3 Subject Key Identifier:
                              45:31:F5:B6:8D:78:83:7E:6B:BF:D5:89:C8:6F:4D:B6:54:D7:30:61
                          X509v3 Authority Key Identifier:
                              keyid:F2:EC:2B:FF:E4:C3:38:2F:76:D5:45:4A:A3:59:1D:A5:49:77:1D:FA
                              DirName:/C=AT/ST=Kaernten/L=Klagenfurt/O=wuapaa/emailAddress=technik@wuapaa.com/CN=VPNWuapaa
                              serial:00
              
                          X509v3 Extended Key Usage:
                              TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
                          X509v3 Key Usage:
                              Digital Signature, Key Encipherment
                  Signature Algorithm: sha256WithRSAEncryption
                       58:c4:e5:5d:a9:a6:14:98:1b:49:41:7c:81:58:22:03:62:f1:
                       f7:f3:b1:59:ac:cf:0e:86:26:b3:d8:83:5c:82:28:92:d7:2c:
                       65:c6:b4:39:bd:5f:3e:6d:f5:eb:a8:7b:64:6d:02:90:32:ee:
                       39:26:94:7e:cf:ce:98:13:72:c0:9b:14:f6:01:73:a5:82:86:
                       c8:25:d2:26:49:4f:29:17:2d:d3:41:30:9e:95:11:6c:b3:0d:
                       33:07:2a:00:4d:b6:9f:2b:aa:3f:0a:44:5c:8b:50:1e:33:6b:
                       cf:88:d8:e1:a4:9e:1b:eb:89:e3:52:2a:be:aa:e3:42:b4:82:
                       4c:bd:11:f2:28:4e:08:bf:34:e5:67:3a:80:6b:65:ca:64:3d:
                       7a:89:74:0e:11:b2:5d:3f:d9:24:aa:1b:7b:77:22:b4:ba:31:
                       a9:11:60:b2:78:7e:bc:c7:d1:22:93:46:b6:f9:22:50:af:16:
                       f7:13:ee:43:4e:33:12:91:3b:35:91:00:91:fe:bc:d0:5f:f7:
                       84:01:73:ea:73:1e:f1:ac:d3:72:82:73:4f:f7:61:3e:7a:19:
                       3e:be:64:7a:ad:7b:55:4d:75:b3:45:ad:67:45:80:51:80:8d:
                       f0:b6:87:cd:57:fa:1f:4d:71:c7:5b:ac:97:dc:f9:11:86:15:
                       02:ec:bd:27
              
              

              Are the user-certs saved anywhere on the pfsense-box?

                divsys

                Are the user-certs saved anywhere on the pfsense-box?

                Can't answer for sure (I think they reside in config.xml), but I usually resort to using "System->Cert Manager->Certificates" and just download the certificate I want to check.

                -jfp

                  peacemaker76
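An added example, not from any of the posters and not pfSense's own code, that turns cmb's diagnosis above (the server trusting a different CA than the one that issued the client certs) and divsys's answer (the certs live in config.xml) into checks you can run with plain openssl(1). It builds its own throwaway CA, an unrelated CA and one client cert as constructed test data; the function names (cert_ski, cert_aki, same_issuer_key, chain_ok, config_certs, make_test_pki) are this example's own, and the config.xml handling assumes pfSense's layout of one base64-encoded PEM inside each <crt> element on a line of its own. The first CA passes both checks while the unrelated one fails them, which is the CA-side picture behind the handshake failures logged in this thread:

```shell
#!/bin/sh
# Added example for this thread, not code from the posters or from pfSense.
# 1) cmb's diagnosis: is the CA the server trusts really the one that issued
#    the client cert? The cert's AKI keyid must equal the CA's SKI, and the
#    chain must verify.
# 2) divsys's answer: pfSense keeps certificates in config.xml; each <crt>
#    element is assumed to hold the PEM base64-encoded on a single line.
# Function and file names are this example's own, not pfSense's.
set -eu

# Subject Key Identifier of a certificate, as openssl prints it (hex with colons).
cert_ski() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Key Identifier/ { getline; gsub(/[ \t]/, ""); print; exit }'
}

# keyid part of the Authority Key Identifier. Older openssl prints "keyid:XX:..",
# newer prints the bare hex; both are handled.
cert_aki() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Authority Key Identifier/ { getline; gsub(/[ \t]/, ""); sub(/^keyid:/, ""); print; exit }'
}

# 0 if CERT ($2) names CA ($1) as its issuer by key id: the eyeball check the
# thread does by comparing the keyid lines of the two openssl dumps.
same_issuer_key() { [ "$(cert_aki "$2")" = "$(cert_ski "$1")" ]; }

# 0 if CERT ($2) chains to CA ($1), which is what OpenVPN's --ca check needs.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Print every <crt> element of a pfSense-style config.xml as PEM.
# Assumption: one base64 blob per <crt>...</crt>, one element per line.
config_certs() {
    sed -n 's|.*<crt>\([^<]*\)</crt>.*|\1|p' "$1" | while read -r b64; do
        printf '%s\n' "$b64" | fold -w 64 | openssl base64 -d
    done
}

# Throwaway PKI (constructed test data) in a temp dir: CA "VPN Example CA"
# (a CN with a space, which chain verification does not object to), an
# unrelated "Other CA", client "client1" issued by the first, and a minimal
# config.xml carrying the client cert. Prints the directory.
make_test_pki() {
    d=$(mktemp -d)
    cat > "$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer
EOF
    cat > "$d/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -subj "/CN=VPN Example CA" -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$d/ca.cnf" \
        -subj "/CN=Other CA" -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj "/CN=client1" -keyout "$d/client1.key" -out "$d/client1.csr" 2>/dev/null
    openssl x509 -req -in "$d/client1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -extfile "$d/client.ext" -out "$d/client1.crt" 2>/dev/null
    b64=$(openssl base64 -in "$d/client1.crt" | tr -d '\n')
    printf '<pfsense><cert><refid>c1</refid><descr>client1</descr><crt>%s</crt></cert></pfsense>\n' \
        "$b64" > "$d/config.xml"
    echo "$d"
}

# Demo: the right CA passes both checks, the unrelated one fails both, which
# is the mismatch cmb suspected behind the server's TLS handshake failures.
pki=$(make_test_pki)
for ca in ca other; do
    if same_issuer_key "$pki/$ca.crt" "$pki/client1.crt" && chain_ok "$pki/$ca.crt" "$pki/client1.crt"; then
        echo "$ca.crt issued client1.crt: chain verifies"
    else
        echo "$ca.crt did not issue client1.crt: a server trusting it would reject this client"
    fi
done
echo "certificate found in config.xml:"
config_certs "$pki/config.xml" | openssl x509 -noout -subject
```

On a real box, point chain_ok at the CA the server actually loads (the /var/etc/openvpn/server1.ca dumped above) and at a client cert exported from System > Cert Manager > Certificates. A client cert whose AKI keyid does not match that CA's SKI was issued under a different CA, even if the two CAs carry the same subject name, which is exactly the case that makes the server fail the client at depth 1.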

                  Just for the record: after rebooting the box, the VPN works now.

                  Thanks to all for their help!

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.