Pfsense 2.3: TLS handshake failed/ Failed running command (–tls-verify script)
-
That looks very similar to what I have encountered a while ago, see: https://forum.pfsense.org/index.php?topic=97572.msg543520
My issue was caused by a space in the certificate's CN. Any chance yours has one too? If not, I would anyway give it a try with recreating the server cert…
-
Hi bennyc, thank you for the suggestion! I tried deleting and then recreating all the certs (CA, server, user) without any spaces or other punctuation marks but with the same errors unfortunately. I haven't been able to do any further testing since I posted because of work but will continue trying.
-
So how is thing going?. I have installed Pfsense 2.2.6 and openvpn doesn't work, I cannot connect my clients. The error is
Fri Apr 15 16:27:55 2016 us=478668 ACK mark active incoming ID 24 Fri Apr 15 16:27:55 2016 us=478686 ACK acknowledge ID 24 (ack->len=1) Fri Apr 15 16:27:55 2016 us=478707 BIO write tls_write_ciphertext 100 bytes Fri Apr 15 16:27:55 2016 us=479154 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, ST=bogota, L=bogota, O=mdc, emailAddress=info@mdc.com.co, CN=internal-ca Fri Apr 15 16:27:55 2016 us=479201 SSL alert (write): fatal: bad certificate Fri Apr 15 16:27:55 2016 us=479300 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Fri Apr 15 16:27:55 2016 us=479334 TLS Error: TLS object -> incoming plaintext read error Fri Apr 15 16:27:55 2016 us=479369 TLS Error: TLS handshake failed Fri Apr 15 16:27:55 2016 us=479411 PID packet_id_free Fri Apr 15 16:27:55 2016 us=479448 SSL alert (write): warning: close notify
I do not have firewall problems or anything, I repeated the process a lot and I am stuck at it. Please help
-
FYI I just reinstalled 2.3 and now it works as expected and as on 2.2.6. Something must have failed during the upgrade. Thank you for your help.
-
Some necromancy seems to have brought this back from the depths of hell and is now pulling at my leg…
Have a fresh pfSense install (2.4.2-RELEASE-p1 (amd64)) and I am encountering an issue with a self-signed setup. Here is what I'm seeing:
1 - Created my own CA, created a CRL for said CA, created a server certificate issued by said CA, created a user certificate issued by said CA when creating my user.
2 - Configured an OpenVPN server and set it to "Remote Access ( SSL/TLS + User Auth )", used said CA, CRL and server certificate.
3 - Used 'OpenVPN Client Export' and grabbed the Archive for said user.
4 - When connecting the VPN and after providing username and password, on pfSense I see:WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failedOn the client side, I see timeouts and the VPN fails to establish.
After hours of fighting with this issue I found this thread; I noted that my "Certificate Depth" was set to 'One (Client + Server)' and I was getting the above errors. I then changed "Certificate Depth" to "Do not check" and my issue went away.
On older pfSense installations, I never had any problems with "Certificate Depth" set to "One (Client + Server)" so I assume this is some kind of a regression?
Can anyone suggest how to keep "Certificate Detph" at "One (Client + Server)" and not have --tls-verify script fail?
Best regards
V -
I have always run one for depth (client+server) and never had such issues. I double checked my setting and yup running client+server with no connection issues. Running 2.4.2_p1
-
Is your installation fresh or a setup that was carried over?
Best regards,
V -
Well its fresh on my sg4860.. Upgrade to p1 from 2.4.2.. might of come with 2.4.0 that updated to 2.4.2 and then to p1.. Only had it a couple of weeks.
-
Experiencing this issue now on 3 VMs …
Quick glance at the forum says I'm not alone.Was anyone able to work this out?
Best regards
V -
I had this same problem. I tried a bunch of the solutions found from googling and such.
In my case, my NIC was bad. I swapped in a new NIC and the connection came up.
pfsense version didn't matter, client OS didn't matter. NIC card fail.
6 hrs troubleshooting argh