Netgate Discussion Forum
    [SOLVED] vpn client failing to validate server certificate

    OpenVPN
    digininja

      I had a perfectly working setup with pfSense acting as an OpenVPN client to my VPN server, then my intermediate certificate expired and I've had to reissue certificates. With the new certificates in place I'm now getting this error:

      Mar 24 19:48:15 firewall openvpn[96070]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=The Internet, O=Digininja, CN=Digininja Int CA, emailAddress=a@b.com
      Mar 24 19:48:15 firewall openvpn[96070]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Mar 24 19:48:15 firewall openvpn[96070]: TLS Error: TLS object -> incoming plaintext read error
      Mar 24 19:48:15 firewall openvpn[96070]: TLS Error: TLS handshake failed
      Mar 24 19:48:15 firewall openvpn[96070]: SIGUSR1[soft,tls-error] received, process restarting
      Mar 24 19:48:17 firewall openvpn[96070]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
      Mar 24 19:48:17 firewall openvpn[96070]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
      Mar 24 19:48:17 firewall openvpn[96070]: UDPv4 link local (bound): [AF_INET]1.2.3.4
      Mar 24 19:48:17 firewall openvpn[96070]: UDPv4 link remote: [AF_INET]2.3.4.5:1194

      Which I think means that OpenVPN is rejecting the server side certificate because it doesn't trust it. I've imported both the CA and the intermediate CA certs into the certificate manager and they are recognised, as the CA is showing one associated certificate (the intermediate) and the intermediate is showing two certs (my HTTPS cert and the VPN1). All I did when changing the certificates was to upload the new one and change the one the VPN config was using; I didn't make any other changes.

      Reading the config file from /var/etc/openvpn, I copied the certificate and key files it references to a Linux box and tried OpenVPN from there with those files; it fails as well. The file client1.ca which I copy across contains a copy of my intermediate cert. If I merge my CA cert into that, then OpenVPN starts fine on the Linux box, so I think what I need to do is to tell OpenVPN on pfSense to use a chained CA file rather than just the intermediate file.

      All that is a long winded way of saying I've probably made a stupid mistake somewhere when I changed the certificates but I can't work out what I've done. I know the certificates are OK as ones generated purely for use on the Linux box work fine and the ones for pfSense work fine with the chained ca file. Please, put me out of my half day misery and tell me what I'm likely to have done wrong so I can fix it and get back to everything working.

      thomasr

        Maybe you have hit this bug.

        digininja

          It sounds similar but in my situation pfSense is the client side not the server side.

          I've tried putting the chained certificate in client1.ca and restarting the service but that didn't help.

          divsys

            Simple suggestion but, have you tried rebooting both ends of the conx?

            I've run into issues in the past where I was fiddling with certificates, trying to get a setup to work, and a restart of the OpenVPN service didn't load my changes.
            I turned up the log verbosity and started tracking running PIDs till I saw the issue. Caused me no end of heartbreak until I rebooted the server and it all came up.

            Might be worth a try….

            -jfp

            digininja

              I've been rebooting on and off but not between every config change. I've made sure that the service has been stopped and restarted after each change.

              digininja

                I finally got it working by manually editing the client1.conf file and slowly moving entries from the working Linux config file to the broken pfSense one. I also made sure both CA and intermediate certs were in client1.ca. To test things I removed the daemon line from the config so that I could start openvpn from the command line and watch the output rather than have to keep going through the GUI.

                I'm sure this is a bad way to do it and I now daren't touch the OpenVPN section of the web interface but I'm up and running again and as I put two years on the intermediate CA I should be fine for a while.

                Just in case it can help anyone else, here is the config file I ended up with:

                dev ovpnc1
                verb 1
                dev-type tun
                tun-ipv6
                dev-node /dev/tun1
                writepid /var/run/openvpn_client1.pid
                #user nobody
                #group nobody
                script-security 3
                keepalive 10 60
                ping-timer-rem
                persist-tun
                persist-key
                proto udp
                up /usr/local/sbin/ovpn-linkup
                down /usr/local/sbin/ovpn-linkdown
                local 10.1.2.3
                tls-client
                client
                lport 0
                management /var/etc/openvpn/client1.sock unix
                remote vpn1.xxx 1194
                ca /var/etc/openvpn/client1.ca
                cert /var/etc/openvpn/client1.cert
                key /var/etc/openvpn/client1.key
                resolv-retry infinite
                ns-cert-type server
                comp-lzo
                cmb

                  That's going to be blown away at some point; you can't manually edit any configs. Make sure your chain is in there for the configured CA cert and you'll be fine.

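An added example, not code from this thread or from pfSense: it reproduces the failure digininja diagnosed and the chain advice cmb gives, by building a constructed root / intermediate / server certificate chain with the openssl CLI and verifying the server certificate against an intermediate-only bundle and a root-plus-intermediate bundle, the way OpenVPN's OpenSSL-based TLS layer does. All names, paths and the `vpn.example.test` hostname are constructed for the demo; it needs the openssl CLI installed.

```shell
#!/bin/sh
# Added demo (not from the thread): build a constructed root -> intermediate -> server chain and
# verify the server cert with OpenSSL, the library behind OpenVPN's TLS layer. Needs the openssl CLI.
set -eu

# Build the three certificates under directory $1. All names here are constructed for the demo.
build_chain() {
  d=$1; mkdir -p "$d"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/srv.ext"
  # Root CA: CSR signed with its own key, extensions from ca.ext only.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA: signed by the root; ca.ext marks it CA:TRUE so it may issue certificates.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Int CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # VPN server certificate: signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/srv.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -extfile "$d/srv.ext" -out "$d/srv.crt" 2>/dev/null
  # Two candidate contents for client1.ca: the intermediate alone, and root plus intermediate.
  cp "$d/int.crt" "$d/ca-intermediate-only.pem"
  cat "$d/root.crt" "$d/int.crt" > "$d/ca-chained.pem"
}

# Verify leaf certificate $2 against CA bundle $1; prints ok or fail.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Extract OpenSSL's reason string for a failed verification (empty when verification passes).
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -o 'unable to get issuer certificate' | head -n 1 || true
}

# Demo run: the intermediate-only bundle reproduces the thread's error; the chained bundle passes.
DEMO=$(mktemp -d)
build_chain "$DEMO"
echo "intermediate only  : $(verify_with "$DEMO/ca-intermediate-only.pem" "$DEMO/srv.crt")"
echo "root + intermediate: $(verify_with "$DEMO/ca-chained.pem" "$DEMO/srv.crt")"
echo "reason             : $(verify_error "$DEMO/ca-intermediate-only.pem" "$DEMO/srv.crt")"
rm -rf "$DEMO"
```

OpenSSL treats the CA bundle as an unordered trust store, so root-before-intermediate and the reverse give the same result; what the verifier needs is that the chain can be followed up to a self-signed root that is present in the file.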
                  digininja

                    I understand that it will get blown away and that manually editing it was the wrong thing to do, but I was missing something in the GUI that meant I couldn't get it to work. This and software upgrades are the only changes I've made in the last year, and as I've now got a copy of the working files, after the next upgrade, if things do break, I can put them back.

                    I tried putting a chained cert in the CA cert and it didn't work. Does the order of the certificates in the file matter? It may also be that the restart didn't work correctly or it needed a reboot after the change to make things work.

                    I'm not blaming pfSense here; I'm sure it was probably something I messed up in replacing the certificate. If I get a chance I'll try again with a chained cert as the CA and update with the results.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.