Netgate Discussion Forum

[SOLVED] vpn client failing to validate server certificate

OpenVPN
    digininja, Mar 24, 2016, 8:06 PM (last edited Mar 24, 2016, 11:51 PM)

    I had a perfectly working setup with pfSense acting as an OpenVPN client to my VPN server then my intermediate certificate expired and I've had to reissue certificates. With the new certificates in place I'm now getting this error:

    Mar 24 19:48:15 firewall openvpn[96070]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=The Internet, O=Digininja, CN=Digininja Int CA, emailAddress=a@b.com
    Mar 24 19:48:15 firewall openvpn[96070]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Mar 24 19:48:15 firewall openvpn[96070]: TLS Error: TLS object -> incoming plaintext read error
    Mar 24 19:48:15 firewall openvpn[96070]: TLS Error: TLS handshake failed
    Mar 24 19:48:15 firewall openvpn[96070]: SIGUSR1[soft,tls-error] received, process restarting
    Mar 24 19:48:17 firewall openvpn[96070]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
    Mar 24 19:48:17 firewall openvpn[96070]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
    Mar 24 19:48:17 firewall openvpn[96070]: UDPv4 link local (bound): [AF_INET]1.2.3.4
    Mar 24 19:48:17 firewall openvpn[96070]: UDPv4 link remote: [AF_INET]2.3.4.5:1194

    Which I think means that OpenVPN is rejecting the server-side certificate because it doesn't trust it. I've imported both the CA and the intermediate CA certs into the certificate manager and they are recognised, as the CA is showing one associated certificate (the intermediate) and the intermediate is showing two certs (my HTTPS cert and the VPN1). All I did when changing the certificates was to upload the new one and change the one the VPN config was using; I didn't make any other changes.

    Reading the config file from /var/etc/openvpn, I copied the certificate and key files it references to a Linux box and tried OpenVPN from there with those files; it fails as well. The file client1.ca which I copy across contains a copy of my intermediate cert. If I merge my CA cert into that, then OpenVPN starts fine on the Linux box, so I think what I need to do is to tell OpenVPN on pfSense to use a chained CA file rather than just the intermediate file.

    All that is a long-winded way of saying I've probably made a stupid mistake somewhere when I changed the certificates, but I can't work out what I've done. I know the certificates are OK, as ones generated purely for use on the Linux box work fine and the ones for pfSense work fine with the chained CA file. Please, put me out of my half day of misery and tell me what I'm likely to have done wrong so I can fix it and get back to everything working.

      thomasr, Mar 24, 2016, 8:44 PM

      Maybe you have hit this bug.

        digininja, Mar 24, 2016, 10:28 PM

        It sounds similar but in my situation pfSense is the client side not the server side.

        I've tried putting the chained certificate in client1.ca and restarting the service but that didn't help.

          divsys, Mar 24, 2016, 10:37 PM

          Simple suggestion, but have you tried rebooting both ends of the connection?

          I've run into issues in the past where I was fiddling with certificates, trying to get a setup to work, and a restart of the OpenVPN service didn't load my changes.
          I turned up the log verbosity and started tracking running PIDs till I saw the issue. Caused me no end of heartbreak until I rebooted the server and it all came up.

          Might be worth a try…

          -jfp

            digininja, Mar 24, 2016, 11:21 PM

            I've been rebooting on and off, but not between every config change. I've made sure that the service has been stopped and restarted after each change.

              digininja, Mar 24, 2016, 11:51 PM

              I finally got it working by manually editing the client1.conf file and slowly moving entries from the working Linux config file to the broken pfSense one. I also made sure both CA and intermediate certs were in client1.ca. To test things I removed the daemon line from the config so that I could start openvpn from the command line and watch the output rather than have to keep going through the GUI.

              I'm sure this is a bad way to do it, and I now daren't touch the OpenVPN section of the web interface, but I'm up and running again, and as I put two years on the intermediate CA I should be fine for a while.

              Just in case it can help anyone else, here is the config file I ended up with:

              dev ovpnc1
              verb 1
              dev-type tun
              tun-ipv6
              dev-node /dev/tun1
              writepid /var/run/openvpn_client1.pid
              #user nobody
              #group nobody
              script-security 3
              keepalive 10 60
              ping-timer-rem
              persist-tun
              persist-key
              proto udp
              up /usr/local/sbin/ovpn-linkup
              down /usr/local/sbin/ovpn-linkdown
              local 10.1.2.3
              tls-client
              client
              lport 0
              management /var/etc/openvpn/client1.sock unix
              remote vpn1.xxx 1194
              ca /var/etc/openvpn/client1.ca
              cert /var/etc/openvpn/client1.cert
              key /var/etc/openvpn/client1.key
              resolv-retry infinite
              ns-cert-type server
              comp-lzo
              
                cmb, Mar 25, 2016, 12:03 AM

                That's going to be blown away at some point; you can't manually edit any configs. Make sure your chain is in there for the configured CA cert and you'll be fine.

                  digininja, Mar 25, 2016, 10:28 AM

                  I understand that it will get blown away and that manually editing it was the wrong thing to do, but I was missing something in the GUI that meant I couldn't get it to work. This and software upgrades are the only changes I've made in the last year, and as I've now got a copy of the working files, if things do break after the next upgrade, I can put them back.

                  I tried putting a chained cert in the CA cert and it didn't work, does the order of the certificates in the file matter? It may also be that the restart didn't work correctly or it needed a reboot after the change to make things work.

                  I'm not blaming pfSense here; I'm sure it was probably something I messed up in replacing the certificate. If I get a chance I'll try again with a chained cert as the CA and update with the results.

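The failure in the first post (`VERIFY ERROR: depth=1, error=unable to get issuer certificate`) and cmb's advice to put the whole chain behind the configured CA cert can be reproduced offline with the openssl CLI, which is what OpenVPN uses for its `ca` trust store. The script below is an added example, not code from the thread or from pfSense: it builds a throwaway root CA, an intermediate CA and a server certificate (all names such as "Example Root CA" and vpn.example.test are constructed), then verifies the server certificate against an intermediate-only CA file, a root-only CA file, and a chained CA file in both orders. It also answers the last post's question about ordering: a CA file is loaded as a set of trust anchors, so root-then-intermediate and intermediate-then-root both verify.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to get issuer
# certificate" failure with an intermediate-only CA file, then verify the
# same server certificate against a chained CA file in both orders.
# Assumes the openssl CLI is on PATH. Every certificate below is generated
# locally; the names (Example Root CA, Example Int CA, vpn.example.test)
# are constructed for this demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal config: CA extensions for root/intermediate, leaf extensions for
# the server certificate (OpenVPN's ns-cert-type / remote-cert-tls checks are
# a separate topic and not exercised here).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

gen_key_csr() {  # $1 = file base name, $2 = subject CN
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

# Root CA (self-signed) -> intermediate CA -> server certificate
openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -extensions v3_ca \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" -days 30 2>/dev/null
gen_key_csr int "Example Int CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -out "$WORK/int.pem" -days 30 -extfile "$WORK/ca.cnf" -extensions v3_ca 2>/dev/null
gen_key_csr server vpn.example.test
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -CAcreateserial -out "$WORK/server.pem" -days 30 -extfile "$WORK/ca.cnf" -extensions v3_server 2>/dev/null

# The two candidate chained CA files, concatenated in either order
cat "$WORK/root.pem" "$WORK/int.pem" > "$WORK/chain_root_first.pem"
cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain_int_first.pem"

# Verify the server cert the way an OpenVPN client does with its `ca` file:
# the trust store must let the chain reach a self-signed root.
verify_server() {  # $1 = CA file; echoes "ok" or "fail"
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

for ca in int.pem root.pem chain_root_first.pem chain_int_first.pem; do
  echo "CA file $ca: $(verify_server "$WORK/$ca")"
done
# Show the raw reason for the intermediate-only failure; it is the same
# "depth 1 ... unable to get issuer certificate" condition as in the pfSense log.
openssl verify -CAfile "$WORK/int.pem" "$WORK/server.pem" 2>&1 || true
```

Expect `int.pem` and `root.pem` alone to fail and both chained files to verify. The root-only case fails here because the leaf is checked without the intermediate; in a real OpenVPN deployment the server can supply the intermediate itself (OpenVPN's `--extra-certs` option, or appending it to the server's `cert` file), in which case the client's `ca` file only needs the root. Either way, the chain the client sees must end at a self-signed root that is in its trust store, which is the fix cmb describes.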
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.