Netgate Discussion Forum

    Tls-verify failed to fork?

    OpenVPN
    2 Posts 1 Posters 1.3k Views
    doteater

      I have a few openvpn servers set up on different ports.
      I'm trying to get Duo authentication working (https://www.duosecurity.com/docs/openvpn), so I've added another openvpn server on another port for testing.

      For some reason my client is failing to connect to this new server, the issue appears to be this in the server logs:

      Dec 22 14:03:20 openvpn[72330]: x.x.x.x:64391 WARNING: Failed running command (--tls-verify script): external program fork failed
      Dec 22 14:03:20 openvpn[72330]: x.x.x.x:64391 VERIFY SCRIPT ERROR: depth=1, C=xx, ST=xx, L=xxxxx, O=xxxxx, CN=vpn.example.com, emailAddress=xxx@xxx.xxx
      Dec 22 14:03:20 openvpn[72330]: x.x.x.x:64391 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

      For some reason this hasn't happened on the other servers, which is strange because the only things that have changed are the port and the subnet; I added the Duo plugin to the server config, and added "auth-user-pass" and "reneg-sec 0" to the client. Same certs/CA, everything else is the same.

      How are the other servers verifying TLS successfully while this one can't even manage to fork? Actually, the error isn't clear: did it manage to fork but then couldn't read the cert? The system memory is sitting at 30%, so it isn't an issue of not having enough memory to fork.

      Let me know if anyone has any ideas, or if I can clarify anything or provide more info!

      doteater

        Plot thickens:

        For some reason it seems to tls-verify successfully, but only for the first connection after making a change (which reloads the server config, I'm guessing); subsequent connections fail as above:

        openvpn[56619]: x.x.x.x:59134 VERIFY SCRIPT OK: depth=1, C=xx, ST=xx, L=xxxxx, O=xxxxx, CN=vpn.example.com, emailAddress=xxxxx
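The pattern described in the thread (the first tls-verify after a reload succeeds, every later connection fails with "external program fork failed") is easy to miss in a busy log. As an added example, not code from the thread or from OpenVPN, the script below groups the VERIFY SCRIPT and fork-failure lines by server PID over a constructed sample log and flags PIDs showing that sequence.

```python
import re

# Constructed sample, modelled on the lines quoted in the thread: pid 56619
# verifies the first client fine, then every later client hits the fork failure.
SAMPLE_LOG = """\
Dec 22 14:01:10 openvpn[56619]: x.x.x.x:59134 VERIFY SCRIPT OK: depth=1, CN=vpn.example.com
Dec 22 14:03:20 openvpn[56619]: x.x.x.x:64391 WARNING: Failed running command (--tls-verify script): external program fork failed
Dec 22 14:03:20 openvpn[56619]: x.x.x.x:64391 VERIFY SCRIPT ERROR: depth=1, CN=vpn.example.com
Dec 22 14:05:02 openvpn[56619]: x.x.x.x:64402 WARNING: Failed running command (--tls-verify script): external program fork failed
Dec 22 14:05:02 openvpn[56619]: x.x.x.x:64402 VERIFY SCRIPT ERROR: depth=1, CN=vpn.example.com
Dec 22 14:10:00 openvpn[72330]: x.x.x.x:50001 VERIFY SCRIPT OK: depth=1, CN=vpn.example.com
"""

# OpenVPN prefixes each client-related message with "openvpn[pid]: ip:port".
LINE_RE = re.compile(r"openvpn\[(?P<pid>\d+)\]: (?P<peer>\S+) (?P<msg>.*)$")

def parse_events(log_text):
    """Yield (pid, peer, kind) for every tls-verify related line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if "external program fork failed" in msg:
            kind = "fork_failed"
        elif msg.startswith("VERIFY SCRIPT OK"):
            kind = "verify_ok"
        elif msg.startswith("VERIFY SCRIPT ERROR"):
            kind = "verify_error"
        else:
            continue
        yield m.group("pid"), m.group("peer"), kind

def summarize(log_text):
    """Per server PID: result of the first verify seen and the set of peers
    later rejected because the tls-verify script could not be forked."""
    summary = {}
    for pid, peer, kind in parse_events(log_text):
        s = summary.setdefault(pid, {"first": None, "fork_failed_peers": set()})
        if kind == "fork_failed":
            s["fork_failed_peers"].add(peer)
        elif s["first"] is None:
            s["first"] = kind
    return summary

def suspect_pids(log_text):
    """PIDs showing the thread's pattern: first verify OK, then fork failures."""
    return sorted(pid for pid, s in summarize(log_text).items()
                  if s["first"] == "verify_ok" and s["fork_failed_peers"])
```

Run `suspect_pids` over the real server log to see which server process (and therefore which config reload) the failures started after.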