    pfSense 2.3: TLS handshake failed / Failed running command (--tls-verify script)

    bennyc

      That looks very similar to what I have encountered a while ago, see: https://forum.pfsense.org/index.php?topic=97572.msg543520

      My issue was caused by a space in the certificate's CN. Any chance yours has one too? If not, I would anyway give it a try with recreating the server cert…

      4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
      1x PC Engines APU2C4, 1x PC Engines APU1C4

        pfff

        Hi bennyc, thank you for the suggestion! I tried deleting and then recreating all the certs (CA, server, user) without any spaces or other punctuation marks but with the same errors unfortunately. I haven't been able to do any further testing since I posted because of work but will continue trying.

          emel_punk

          So how is this going? I have installed pfSense 2.2.6 and OpenVPN doesn't work; I cannot connect my clients. The error is:

          Fri Apr 15 16:27:55 2016 us=478668 ACK mark active incoming ID 24
          Fri Apr 15 16:27:55 2016 us=478686 ACK acknowledge ID 24 (ack->len=1)
          Fri Apr 15 16:27:55 2016 us=478707 BIO write tls_write_ciphertext 100 bytes
          Fri Apr 15 16:27:55 2016 us=479154 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, ST=bogota, L=bogota, O=mdc, emailAddress=info@mdc.com.co, CN=internal-ca
          Fri Apr 15 16:27:55 2016 us=479201 SSL alert (write): fatal: bad certificate
          Fri Apr 15 16:27:55 2016 us=479300 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
          Fri Apr 15 16:27:55 2016 us=479334 TLS Error: TLS object -> incoming plaintext read error
          Fri Apr 15 16:27:55 2016 us=479369 TLS Error: TLS handshake failed
          Fri Apr 15 16:27:55 2016 us=479411 PID packet_id_free
          Fri Apr 15 16:27:55 2016 us=479448 SSL alert (write): warning: close notify

          I do not have firewall problems or anything; I have repeated the process many times and I am stuck on it. Please help.

            pfff

            FYI I just reinstalled 2.3 and now it works as expected and as on 2.2.6. Something must have failed during the upgrade. Thank you for your help.

              v0lZy

              Some necromancy seems to have brought this back from the depths of hell and is now pulling at my leg…

              Have a fresh pfSense install (2.4.2-RELEASE-p1 (amd64)) and I am encountering an issue with a self-signed setup. Here is what I'm seeing:

              1 - Created my own CA, created a CRL for said CA, created a server certificate issued by said CA, created a user certificate issued by said CA when creating my user.
              2 - Configured an OpenVPN server and set it to "Remote Access ( SSL/TLS + User Auth )", used said CA, CRL and server certificate.
              3 - Used 'OpenVPN Client Export' and grabbed the Archive for said user.
              4 - When connecting the VPN and after providing username and password, on pfSense I see:

              WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
              OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
              TLS_ERROR: BIO read tls_read_plaintext error
              TLS Error: TLS object -> incoming plaintext read error
              TLS Error: TLS handshake failed

              On the client side, I see timeouts and the VPN fails to establish.

              After hours of fighting with this issue I found this thread; I noted that my "Certificate Depth" was set to 'One (Client + Server)' and I was getting the above errors. I then changed "Certificate Depth" to "Do not check" and my issue went away.

              On older pfSense installations, I never had any problems with "Certificate Depth" set to "One (Client + Server)" so I assume this is some kind of a regression?

              Can anyone suggest how to keep "Certificate Depth" at "One (Client + Server)" and not have the --tls-verify script fail?

              Best regards
              V
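As an added illustration (not pfSense's own ovpn_auth_verify script, and not code from anyone in this thread), the following simplified model shows the two per-certificate checks behind the failures quoted above: OpenVPN runs the --tls-verify hook once per certificate in the peer chain with two arguments, the depth (0 = leaf, 1 = issuing CA) and the X.509 subject, and a non-zero exit aborts the handshake. The CA subject and client timestamp come from the log emel_punk posted; the CA validity window and the later client clock are constructed, and the quoting function models bennyc's space-in-CN observation.

```python
import datetime as dt
import shlex
from typing import Optional, Tuple

# Subject and client timestamp are from the quoted log; the CA validity window
# is constructed so that the client clock falls before notBefore.
CA_SUBJECT = "C=CA, ST=bogota, L=bogota, O=mdc, emailAddress=info@mdc.com.co, CN=internal-ca"
CLIENT_CLOCK = dt.datetime(2016, 4, 15, 16, 27, 55, tzinfo=dt.timezone.utc)
CA_NOT_BEFORE = dt.datetime(2016, 4, 15, 18, 0, 0, tzinfo=dt.timezone.utc)  # constructed
CA_NOT_AFTER = dt.datetime(2026, 4, 15, 18, 0, 0, tzinfo=dt.timezone.utc)   # constructed
LATER = CA_NOT_AFTER - dt.timedelta(days=1)  # a clock inside the validity window

def parse_subject(subject: str) -> dict:
    """Split an OpenSSL-style 'C=CA, ST=bogota, ..., CN=internal-ca' subject into fields."""
    fields = {}
    for part in subject.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def verify_hook(depth: int, subject: str, max_depth: Optional[int],
                not_before: dt.datetime, not_after: dt.datetime,
                now: dt.datetime) -> Tuple[int, str]:
    """Return (exit_status, reason); exit status 0 accepts the certificate."""
    # "One (Client + Server)" in pfSense corresponds to max_depth=1;
    # "Do not check" (the setting that made the error disappear) to None.
    if max_depth is not None and depth > max_depth:
        return 1, f"depth {depth} exceeds configured maximum {max_depth}"
    # The 'certificate is not yet valid' log line is this branch: the peer's
    # clock is earlier than the certificate's notBefore.
    if now < not_before:
        return 1, "certificate is not yet valid: compare peer clock with notBefore"
    if now > not_after:
        return 1, "certificate has expired"
    cn = parse_subject(subject).get("CN")
    return (0, f"accepted CN={cn} at depth {depth}") if cn else (1, "subject has no CN")

def hook_argv(depth: int, subject: str, quoted: bool) -> list:
    """Model the argv a shell-invoked hook receives: without quoting, a space in
    the CN splits the subject into extra positional arguments."""
    arg = shlex.quote(subject) if quoted else subject
    return shlex.split(f"{depth} {arg}")

def thread_cases() -> dict:
    """Run the model against the situations discussed in the thread."""
    return {
        "not_yet_valid": verify_hook(1, CA_SUBJECT, 1, CA_NOT_BEFORE, CA_NOT_AFTER, CLIENT_CLOCK),
        "depth_exceeded": verify_hook(2, CA_SUBJECT, 1, CA_NOT_BEFORE, CA_NOT_AFTER, LATER),
        "depth_unchecked": verify_hook(2, CA_SUBJECT, None, CA_NOT_BEFORE, CA_NOT_AFTER, LATER),
    }
```

Setting "Do not check" only silences the depth check; a clock-skew failure like the one in the quoted log still fails the handshake, so comparing the peer clocks with the certificate's notBefore is the first thing to verify.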

                johnpoz (LAYER 8 Global Moderator)

                I have always run one for depth (client + server) and never had such issues. I double-checked my setting and yup, running client + server with no connection issues. Running 2.4.2_p1.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  v0lZy

                  Is your installation fresh or a setup that was carried over?

                  Best regards,
                  V

                    johnpoz (LAYER 8 Global Moderator)

                    Well, it's fresh on my SG-4860. Upgraded to p1 from 2.4.2; it might have come with 2.4.0 that updated to 2.4.2 and then to p1. Only had it a couple of weeks.


                      v0lZy

                      Experiencing this issue now on 3 VMs …
                      Quick glance at the forum says I'm not alone.

                      Was anyone able to work this out?
                      Best regards
                      V

                        reswob10

                        I had this same problem. I tried a bunch of the solutions found from googling and such.

                        In my case, my NIC was bad. I swapped in a new NIC and the connection came up.

                        pfSense version didn't matter, client OS didn't matter. NIC card fail.

                        6 hrs troubleshooting argh

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.