unsupported certificate purpose
-
The server side must use a server certificate. The client side needs a user certificate. The client certificate can't be the same as the server certificate.
-
I tried both.
- Created a CA certificate
- Created a USER certificate
- Created a USER
- Added USER Certificate to USER
- Used OpenVPN Wizard to create openvpn files
This gives me a error on the CLIENT side: VERIFY ERROR: depth=0, error=unsupported certificate purpose
Removed all configs and certificates except CA
- Created a SERVER certificate
- Created a USER
- Added SERVER Certificate to USER
- Used OpenVPN Wizard to create openvpn files
This gives me the same error but on the SERVER side: VERIFY ERROR: depth=0, error=unsupported certificate purpose
Am i doing something wrong? I tried so much i dunno anymore.
-
You never said what you did on the server.
You need to create a server certificate and then select it in the OpenVPN server settings.
-
I used the server cert in the OpenVPN server setting;
With this setting i get the unsupported certificate purpose on the server side (openvpn.log)
-
The server side should be OK then, provided you also have a user (NON-server) certificate on the client at the time.
If you try to use a server certificate on both it would fail, same as if you used a client certificate on the server. Both of those are unsupported purposes so it fails.
-
Ah ok.. i understand now..
I did the following now;
Removed the Server Cert from the User and added a User Certificate.
Then used openvpn wizard to create a new config. When im done the new config pops up in the server configs(?);
When i download the files and put them in the OpenVPN config folder and connect i still get this on the client side;
Thu Jun 14 17:09:12 2018 TLS Error: Unroutable control packet received from [AF_INET]149.210.180.XXX:10194 (si=3 op=P_CONTROL_V1)
Thu Jun 14 17:09:12 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test, CN=rbs_client, OU=ICT
Thu Jun 14 17:09:12 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Thu Jun 14 17:09:12 2018 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jun 14 17:09:12 2018 TLS Error: TLS object -> incoming plaintext read error
Thu Jun 14 17:09:12 2018 TLS Error: TLS handshake failedMaybe in version 2.3.3 everything worked different then in 2.4.4 or something because when i do exactly the same on the other pFSense box it works flawless...
-
Same here with 2.44 (it also works with the same certs in 2.3x).
Any hints?
-
Make and use the correct certificates for their role.
Certificates for the server must be server certificates. Certificates for users must be user certificates.
If you see this error, the configuration was always wrong, but OpenVPN was less strict about enforcing proper usage in the past.
-
@jimp said in unsupported certificate purpose:
Make and use the correct certificates for their role.
Certificates for the server must be server certificates. Certificates for users must be user certificates.
Ah, I see, this had been the problem to me also. No my VPN works (again). Thanks.
If you see this error, the configuration was always wrong, but OpenVPN was less strict about enforcing proper usage in the past.
When did that change? Although I usually try to read the changelogs completely, I do not remember having read about that.
-
@peter808 said in unsupported certificate purpose:
When did that change? Although I usually try to read the changelogs completely, I do not remember having read about that.
That would be a change in OpenVPN itself, not pfSense. Most likely when that changed to OpenVPN 2.4 (which by coincidence was new in pfSense 2.4.0 and later)
