Netgate Discussion Forum
    Customizing /etc/inc/openvpn.tls-verify.php

    OpenVPN
    3 Posts 2 Posters 416 Views

    • Greyhat

      I have pfSense 2.4.5, but the problem also existed in 2.4.4r3.
      I need to run multiple OpenVPN servers on a single PKI. Inside the certificate it is noted for which VPNs the certificate is good (OU=...). To achieve this I try to customize /etc/inc/openvpn.tls-verify.php. But if I touch the file, change something and then change it back, the OpenVPN server will no longer work. The script gets executed. I can create syslog entries.
      But I get error logs like:
      Mar 27 17:24:16 openvpn 50318 10.49.132.26:56700 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
      Mar 27 17:24:16 openvpn 50318 10.49.132.26:56700 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      So somehow I get wrong return codes and do not seem to be able to change them.
      I tried exit(1) which should give a valid result. The problem persists when I revert the file to the original.
      The file should be an "include" and should be handled by "sed" for the correct VPN. How can I see the resulting files?
      Anybody experienced similar?
      Regards

      • jimp (Rebel Alliance Developer Netgate)

        Why would you choose to structure the VPN that way? It is needlessly complex. Just use separate CA+Cert structures.

        The OpenSSL error means what it says, the certificate couldn't be verified. The script doesn't influence that, it's up to the CA+Cert matching.

        • Greyhat

          I disagree. I used different CAs at one time and then it got really complex. I have a setup with 6 sites worldwide and different VPNs with access for different purposes (e.g. production access, financial access, ...). Many people would get multiple certificates for different purposes. Updating these certificates can be really confusing for some of those people.
          Including different substrings into the certificate to authorize different VPNs would be really elegant.
          The certificates themselves are fine (I believe). The error is that the script is prohibiting it. Is there a difference with the return code and exit code? A return code "1" should be "okay" while it complains about exit code 1.
          I get the error that the script failed even when I revert to the original script or if I insert exit(1) at the beginning of the script.

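The exit-status contract the thread is circling around is OpenVPN's own: a --tls-verify command is run once per certificate in the chain as "<cmd> <depth> <x509_subject>", and exit status 0 means "accept" while any non-zero status makes OpenVPN reject the certificate and log exactly the "certificate verify failed" / "exited with error status: 1" pair shown in the first post. So an exit(1) at the top of the script guarantees the failure rather than allowing the connection. The following stand-alone verifier is an added example, not pfSense's /etc/inc/openvpn.tls-verify.php and not code from any poster; it shows the OU-per-VPN policy the original poster describes, with the allowed OU tags, the sample subjects, and the handling of both the comma-separated and the legacy slash-separated subject format being assumptions made for this example.

```python
#!/usr/bin/env python3
"""Example OpenVPN --tls-verify style policy check (added example, not
pfSense's openvpn.tls-verify.php).

OpenVPN runs the tls-verify command as:   <cmd> <depth> <x509_subject>
once for every certificate in the presented chain.  Exit status 0 accepts
the certificate; any non-zero status makes OpenVPN reject it and log
"certificate verify failed" / "exited with error status: 1".
"""
import sys

# Constructed policy for one VPN instance: leaf certificates are accepted
# only if their OU carries one of these tags (hypothetical tag names).
ALLOWED_OUS = {"vpn-prod", "vpn-finance"}


def parse_subject(subject: str) -> dict:
    """Parse an X.509 subject string into {attribute: [values...]}.

    Accepts the comma-separated form ("C=DE, O=Example, OU=vpn-prod, CN=alice")
    and the legacy slash form ("/C=DE/O=Example/OU=vpn-prod/CN=alice").
    Attributes may repeat (several OU= entries), so each key maps to a list.
    Values containing an unescaped separator are not handled here (assumption:
    the PKI does not issue such subjects).
    """
    separator = "/" if subject.startswith("/") else ","
    fields = {}
    for part in subject.split(separator):
        part = part.strip()
        if "=" not in part:
            continue
        key, _, value = part.partition("=")
        fields.setdefault(key.strip().upper(), []).append(value.strip())
    return fields


def verify(depth: int, subject: str, allowed_ous=ALLOWED_OUS) -> int:
    """Return the exit status OpenVPN expects: 0 = accept, 1 = reject.

    Only the leaf certificate (depth 0) is subject to the OU policy.  The
    chain above it (depth >= 1) has already been validated by OpenSSL against
    the configured CA, so it is passed through unchanged.
    """
    if depth != 0:
        return 0
    fields = parse_subject(subject)
    if not fields.get("CN"):
        # Refuse a leaf without a CN: nothing to identify the client by.
        print("tls-verify: leaf certificate has no CN", file=sys.stderr)
        return 1
    ous = set(fields.get("OU", []))
    if ous & allowed_ous:
        return 0
    print(f"tls-verify: OU {sorted(ous)} not authorised for this VPN "
          f"(CN={fields['CN'][0]})", file=sys.stderr)
    return 1


def main(argv) -> int:
    """Command-line entry: argv = [cmd, depth, x509_subject]."""
    if len(argv) != 3:
        print("usage: tls_verify.py <depth> <x509_subject>", file=sys.stderr)
        return 1
    try:
        depth = int(argv[1])
    except ValueError:
        return 1
    return verify(depth, argv[2])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note that the policy is deliberately only consulted at depth 0: rejecting an intermediate or root certificate here would break every client, which is another way a chain-wide exit(1) reproduces the symptom in the thread. Anything printed to stderr ends up in the OpenVPN log next to the "Failed running command" line, which is the easiest way to see why a particular connection was refused.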
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.