Netgate Discussion Forum
    OpenVPN cannot connect after the latest upgrade (2.3.11)

    Danixu86

      Hi,

      I've upgraded all the packages of my pfSense box, and one of those packages is the OpenVPN server. After the upgrade I noticed that clients cannot connect to the box, and while searching for a way to fix the problem I've seen that it is the certificate depth check.

      My server is configured to use a CA + Server Certificate + Client Certificate and the cert depth is just one. It was working perfectly with that configuration, but after the upgrade it started to fail and I had to disable that check.

      I'm sorry but I can't post the log because it was rotated (I have to change that), but the error was a TLS error related to certs.
      Now I've disabled that cert depth check and it is working, but it is strange, because the cert depth shown in the log is 1 and then 0…:

      May 20 09:05:02 AiMadrid openvpn[62307]: XX.XX.XX.XX:XXXX VERIFY OK: depth=1, C=ES, ST=Madrid, L=Madrid, O=AAA, emailAddress=AAA@AAA.com, CN=aaa.com
      May 20 09:05:02 AiMadrid openvpn[62307]: XX.XX.XX.XX:XXXX VERIFY OK: depth=0, C=ES, ST=Madrid, L=Madrid, O=AAA, emailAddress=AAA@AAA.com, CN=BBBBB
      

      I think that the first line is talking about the CA and the second about the Client Cert.

      Does someone know a way to fix this? I want to keep the cert depth check active.

      Thanks!!

      johnpoz (LAYER 8 Global Moderator)

        Huh, what is your question? That sure looks like it checked the server, while also checking the client, which is depth 1. Other depths would be that it allows for intermediate CAs between the client cert and your CA.

        That looks correct to me, I see the same in my logs..

        May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=johnpoz
        May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY SCRIPT OK: depth=0, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=johnpoz
        May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=openvpn
        May 20 05:36:03 openvpn 7570 64.134.190.5:61525 VERIFY SCRIPT OK: depth=1, C=US, ST=IL, L=Schaumburg, O=Home, emailAddress=johnpoz@snipped.com, CN=openvpn

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        Danixu86

          Thanks!!

          That is the question. If the certificate depth is 1, why does it fail when I set the depth check to 1?
          There are no intermediate CAs between the root CA and the client certificate, but the only way to make it work is to disable the depth check. If I set the depth to one it fails, and I've tested all other depths and it is still failing.
          It was working perfectly until now, so I think it is some problem related to the latest version.

          Greetings!!

          johnpoz (LAYER 8 Global Moderator)

            I'm confused; what you posted shows that it checked.

            Can you post a failure? I am still on the previous OpenVPN, since I have not updated to 2.3.1 until I get home tonight. I don't want to risk updating while remote. Normally I would, but there was a thread about freerad not starting, and I don't want to risk taking out the wifi while I am remote. Wife would kill me ;)

            I am using the 2.3.11 client, just the pfSense version has not been bumped up until I update when I get home.


            Danixu86

              For now it is working and I can't get the log info (it was cleared by pfSense), but next Monday I'll try to make it fail for a while to get the logs.

              Greetings!!

              Danixu86

                Hi,

                I've set the Cert Depth Check to one, and this is what I get:

                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:50963, sid=69cb1a65 66299403
                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 VERIFY SCRIPT ERROR: depth=1, C=ES, ST=Madrid, L=Madrid, O=Company, emailAddress=aaa@aaa.com, CN=bbb.com
                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS_ERROR: BIO read tls_read_plaintext error
                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS Error: TLS object -> incoming plaintext read error
                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 TLS Error: TLS handshake failed
                May 23 09:27:41 AiMadrid openvpn[18987]: XX.XX.XX.XX:50963 SIGUSR1[soft,tls-error] received, client-instance restarting

                Disabling the Cert Depth Check, it works fine again.

                johnpoz (LAYER 8 Global Moderator)
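                The "Cert Depth Check" in this thread is implemented through OpenVPN's --tls-verify hook, which the failing log above shows exiting with status 1 at depth=1. The following is an added example of such a hook written for this thread, not pfSense's own verify script: OpenVPN really does call the hook once per certificate with the depth and subject as its two arguments, while OVPN_MAX_DEPTH and the verify_chain helper are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not pfSense's own verify script): a minimal OpenVPN
# --tls-verify hook that enforces a maximum certificate chain depth.
# OpenVPN runs the hook once per certificate in the peer's chain, deepest
# first, as:   hook <certificate_depth> <subject>
# and aborts the TLS handshake if any invocation exits non-zero.
# Depth 0 is the peer (client) certificate, depth 1 its issuer (the CA in a
# two-certificate chain); deeper levels are intermediate CAs.
# OVPN_MAX_DEPTH is an assumed environment variable, not an OpenVPN or
# pfSense setting: 1 allows CA + client only, 2 allows one intermediate CA.

check_depth() {
    # $1 = max allowed depth, $2 = depth of this certificate, $3 = its subject
    max="$1"; depth="$2"; subject="$3"
    case "$depth" in
        ''|*[!0-9]*) echo "VERIFY SCRIPT ERROR: bad depth '$depth'" >&2; return 1 ;;
    esac
    # Compare with "greater than": a certificate AT the maximum depth is valid.
    # Rejecting depth == max would fail the CA at depth=1 under a max of 1,
    # the same symptom as the thread's log (its real cause is not shown here).
    if [ "$depth" -gt "$max" ]; then
        echo "VERIFY SCRIPT ERROR: depth=$depth exceeds max $max, $subject" >&2
        return 1
    fi
    echo "VERIFY SCRIPT OK: depth=$depth, $subject" >&2
    return 0
}

# Simulate the per-certificate calls OpenVPN makes for one connection.
# Arguments: max depth, then depth/subject pairs, deepest certificate first.
verify_chain() {
    max="$1"; shift
    while [ "$#" -ge 2 ]; do
        check_depth "$max" "$1" "$2" || return 1
        shift 2
    done
    return 0
}

# When OpenVPN invokes this file directly it passes exactly two arguments.
if [ "$#" -eq 2 ]; then
    check_depth "${OVPN_MAX_DEPTH:-1}" "$1" "$2"
    exit $?
fi
```

A two-certificate chain (CA at depth 1, client at depth 0) passes with a maximum of 1 and fails only when an extra level appears or the maximum is set to 0.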

                  "SSL3_GET_CLIENT_CERTIFICATE:no certificate returned"

                  Seems kind of hard to validate if there is no cert presented.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.