• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

unsupported certificate purpose

Scheduled Pinned Locked Moved OpenVPN
11 Posts 3 Posters 9.6k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • E
    erres
    last edited by erres Jun 14, 2018, 8:44 AM Jun 14, 2018, 7:55 AM

    Im getting this error unsupported certificate purpose no matter what i do.

    If i create a Server Certificate for a user i see this error on the server side (/var/log/openvpn.log). If i create a User Certificate for the same user i get this error on the Client side. Both OpenVPN configs are made with the build-in wizard which apply the firewall rules.

    I have another pFSense (2.3.3-RELEASE) appliance which works perfectly with OpenVPN and was easy to setup.
    I reinstalled this pFSense and compared the OpenVPN setup with the other pFSense server, but still this error comes up.

    pFSense version: 2.4.3-RELEASE-p1
    OpenVPN version: 2.4.4

    Client Certificate config;

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 149.210.XXX.XXX 4494 udp
    verify-x509-name "rbs_cert_client" name
    auth-user-pass
    pkcs12 rbsfw01-UDP4-4494.p12
    tls-auth rbsfw01-UDP4-4494-tls.key 1

    Client log;

    Thu Jun 14 08:58:27 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=rbs_cert_client, OU=ICT
    Thu Jun 14 08:58:27 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Thu Jun 14 08:58:27 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Thu Jun 14 08:58:27 2018 TLS Error: TLS object -> incoming plaintext read error
    Thu Jun 14 08:58:27 2018 TLS Error: TLS handshake failed

    Server Certificate config;

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 149.210.XXX.XXX 5594 udp
    verify-x509-name "rbs_cert_server" name
    auth-user-pass
    pkcs12 rbsfw01-UDP4-5594.p12
    tls-auth rbsfw01-UDP4-5594-tls.key 1
    remote-cert-tls server

    /var/log/openvpn.log

    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=CERT, subjectAltName=
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS_ERROR: BIO read tls_read_plaintext error
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS object -> incoming plaintext read error
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX34986 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=RBS CERT, subjectAltName=
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS_ERROR: BIO read tls_read_plaintext error
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS object -> incoming plaintext read error
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed
    Jun 13 21:36:44 rbsfw01 openvpn[43354]: 5.132.XXX.XXX:34986 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jun 13 21:36:44 rbsfw01 openvpn[43354]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed

    Any help is appreciated.

    1 Reply Last reply Reply Quote 0
    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Jun 14, 2018, 12:28 PM

      The server side must use a server certificate. The client side needs a user certificate. The client certificate can't be the same as the server certificate.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      1 Reply Last reply Reply Quote 0
      • E
        erres
        last edited by Jun 14, 2018, 1:25 PM

        I tried both.

        • Created a CA certificate
        • Created a USER certificate
        • Created a USER
        • Added USER Certificate to USER
        • Used OpenVPN Wizard to create openvpn files

        This gives me a error on the CLIENT side: VERIFY ERROR: depth=0, error=unsupported certificate purpose

        Removed all configs and certificates except CA

        • Created a SERVER certificate
        • Created a USER
        • Added SERVER Certificate to USER
        • Used OpenVPN Wizard to create openvpn files

        This gives me the same error but on the SERVER side: VERIFY ERROR: depth=0, error=unsupported certificate purpose

        Am i doing something wrong? I tried so much i dunno anymore.

        1 Reply Last reply Reply Quote 0
        • J
          jimp Rebel Alliance Developer Netgate
          last edited by Jun 14, 2018, 1:31 PM

          You never said what you did on the server.

          You need to create a server certificate and then select it in the OpenVPN server settings.

          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

          Need help fast? Netgate Global Support!

          Do not Chat/PM for help!

          1 Reply Last reply Reply Quote 0
          • E
            erres
            last edited by Jun 14, 2018, 1:48 PM

            I used the server cert in the OpenVPN server setting;

            0_1528983961853_36b5ab07-4aef-47f2-b878-46dae3fb8ee2-image.png

            With this setting i get the unsupported certificate purpose on the server side (openvpn.log)

            1 Reply Last reply Reply Quote 0
            • J
              jimp Rebel Alliance Developer Netgate
              last edited by Jun 14, 2018, 1:49 PM

              The server side should be OK then, provided you also have a user (NON-server) certificate on the client at the time.

              If you try to use a server certificate on both it would fail, same as if you used a client certificate on the server. Both of those are unsupported purposes so it fails.

              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

              Need help fast? Netgate Global Support!

              Do not Chat/PM for help!

              1 Reply Last reply Reply Quote 0
              • E
                erres
                last edited by Jun 14, 2018, 3:12 PM

                Ah ok.. i understand now..

                I did the following now;

                Removed the Server Cert from the User and added a User Certificate.
                Then used openvpn wizard to create a new config. When im done the new config pops up in the server configs(?);

                0_1528988796725_6a5b530c-baed-4951-a636-236ec8303fb9-image.png

                When i download the files and put them in the OpenVPN config folder and connect i still get this on the client side;

                Thu Jun 14 17:09:12 2018 TLS Error: Unroutable control packet received from [AF_INET]149.210.180.XXX:10194 (si=3 op=P_CONTROL_V1)
                Thu Jun 14 17:09:12 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test, CN=rbs_client, OU=ICT
                Thu Jun 14 17:09:12 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
                Thu Jun 14 17:09:12 2018 TLS_ERROR: BIO read tls_read_plaintext error
                Thu Jun 14 17:09:12 2018 TLS Error: TLS object -> incoming plaintext read error
                Thu Jun 14 17:09:12 2018 TLS Error: TLS handshake failed

                Maybe in version 2.3.3 everything worked different then in 2.4.4 or something because when i do exactly the same on the other pFSense box it works flawless...

                1 Reply Last reply Reply Quote 0
                • P
                  peter808
                  last edited by Oct 26, 2018, 9:54 AM

                  Same here with 2.44 (it also works with the same certs in 2.3x).

                  Any hints?

                  1 Reply Last reply Reply Quote 0
                  • J
                    jimp Rebel Alliance Developer Netgate
                    last edited by Oct 26, 2018, 12:17 PM

                    Make and use the correct certificates for their role.

                    Certificates for the server must be server certificates. Certificates for users must be user certificates.

                    If you see this error, the configuration was always wrong, but OpenVPN was less strict about enforcing proper usage in the past.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    P 1 Reply Last reply Oct 27, 2018, 10:24 AM Reply Quote 0
                    • P
                      peter808 @jimp
                      last edited by Oct 27, 2018, 10:24 AM

                      @jimp said in unsupported certificate purpose:

                      Make and use the correct certificates for their role.

                      Certificates for the server must be server certificates. Certificates for users must be user certificates.

                      Ah, I see, this had been the problem to me also. No my VPN works (again). Thanks.

                      If you see this error, the configuration was always wrong, but OpenVPN was less strict about enforcing proper usage in the past.

                      When did that change? Although I usually try to read the changelogs completely, I do not remember having read about that.

                      J 1 Reply Last reply Oct 29, 2018, 2:20 PM Reply Quote 0
                      • J
                        jimp Rebel Alliance Developer Netgate @peter808
                        last edited by Oct 29, 2018, 2:20 PM

                        @peter808 said in unsupported certificate purpose:

                        When did that change? Although I usually try to read the changelogs completely, I do not remember having read about that.

                        That would be a change in OpenVPN itself, not pfSense. Most likely when that changed to OpenVPN 2.4 (which by coincidence was new in pfSense 2.4.0 and later)

                        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                          [[user:consent.lead]]
                          [[user:consent.not_received]]