Netgate Discussion Forum

[SOLVED]OpenVPN to pfSense box/server behind it, error=unsupported certificate

    pfrickroll
    last edited by Sep 18, 2017, 6:43 PM (posted Sep 13, 2017, 9:22 PM)

    Help me understand what I did wrong.
    Why would the certificate be unsupported?

    Wed Sep 13 17:04:50 2017 OpenVPN 2.4.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jul 14 2017
    Wed Sep 13 17:04:50 2017 Windows version 6.2 (Windows 8 or greater) 64bit
    Wed Sep 13 17:04:50 2017 library versions: OpenSSL 1.0.2l  25 May 2017, LZO 2.10
    Wed Sep 13 17:05:07 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:07 2017 UDP link local (bound): [AF_INET][undef]:1194
    Wed Sep 13 17:05:07 2017 UDP link remote: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:07 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
    Wed Sep 13 17:05:07 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, L=Parkville, O=Maryland Healthcare Clinics, emailAddress=vbrodov@mdhealthcorp.com, CN=mhcvpn.com, OU=IT
    Wed Sep 13 17:05:07 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Wed Sep 13 17:05:07 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Sep 13 17:05:07 2017 TLS Error: TLS object -> incoming plaintext read error
    Wed Sep 13 17:05:07 2017 TLS Error: TLS handshake failed
    Wed Sep 13 17:05:07 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Sep 13 17:05:12 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:12 2017 UDP link local (bound): [AF_INET][undef]:1194
    Wed Sep 13 17:05:12 2017 UDP link remote: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:12 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
    Wed Sep 13 17:05:12 2017 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Maryland, L=Parkville, O=Maryland Healthcare Clinics, emailAddress=cool@beans.com, CN=mhcvpn.com, OU=IT
    Wed Sep 13 17:05:12 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Wed Sep 13 17:05:12 2017 TLS_ERROR: BIO read tls_read_plaintext error
    Wed Sep 13 17:05:12 2017 TLS Error: TLS object -> incoming plaintext read error
    Wed Sep 13 17:05:12 2017 TLS Error: TLS handshake failed
    Wed Sep 13 17:05:12 2017 SIGUSR1[soft,tls-error] received, process restarting
    Wed Sep 13 17:05:17 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:17 2017 UDP link local (bound): [AF_INET][undef]:1194
    Wed Sep 13 17:05:17 2017 UDP link remote: [AF_INET]x.x.x.x:1194
    Wed Sep 13 17:05:17 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
    Wed Sep 13 17:05:19 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_ACK_V1)
    Wed Sep 13 17:05:22 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)
    Wed Sep 13 17:05:23 2017 TLS Error: Unroutable control packet received from [AF_INET]x.x.x.x:1194 (si=3 op=P_CONTROL_V1)

    Also, under configuration "IPv4 Tunnel Network" do I put local subnet of the client I am trying to connect from?

    jimp (Rebel Alliance Developer, Netgate)
    last edited by Sep 14, 2017, 6:57 PM

      "unsupported certificate purpose" usually means the certificate chosen for your server was not generated as a server certificate, but as a user certificate. You may need to make a new server certificate.

      IPv4 Tunnel network is a unique, unused network only for the VPN clients.

      Your local network you want them to reach goes in IPv4 Local Network


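    To show what jimp's diagnosis looks like from the client's side, here is an added example (not from this thread, pfSense or OpenVPN) that builds a throwaway lab CA with the openssl CLI, issues one clientAuth-only "user" certificate and one serverAuth "server" certificate, and runs the same purpose check OpenSSL applies when a client verifies the server certificate; every name, path and the CA itself are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce "unsupported certificate purpose" offline and
# tell a user-type cert from a server-type cert the way OpenSSL does.
set -e
WORK=$(mktemp -d)

# Constructed lab CA; the subject is a placeholder, not a real CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Lab Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# issue_cert NAME EKU: sign a leaf certificate carrying the given
# extendedKeyUsage value (clientAuth for a user cert, serverAuth for a server cert).
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' "$2" \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The mistake from the thread: a user (clientAuth) cert selected as the
# OpenVPN server cert, next to a correctly issued serverAuth cert.
issue_cert user clientAuth
issue_cert server serverAuth

# is_server_cert FILE: succeed if OpenSSL's purpose table marks the cert
# as usable in the "SSL server" role (what you'd check in pfSense's Cert Manager export).
is_server_cert() {
  openssl x509 -in "$1" -noout -purpose | grep -q '^SSL server : Yes'
}

# verify_as_server FILE: full chain verification in the sslserver purpose,
# which is where the client's "VERIFY ERROR ... unsupported certificate purpose" originates.
verify_as_server() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose sslserver "$1" >/dev/null 2>&1
}
```

Running `verify_as_server "$WORK/user.crt"` prints the same "unsupported certificate purpose" error the poster saw, while the serverAuth cert verifies cleanly.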
      pfrickroll
      last edited by Sep 18, 2017, 6:43 PM

        It worked, and you were right: it was a user's cert and not the server's.

        Thank you!
