unsupported certificate purpose



  • Im getting this error unsupported certificate purpose no matter what i do.

    If i create a Server Certificate for a user i see this error on the server side (/var/log/openvpn.log). If i create a User Certificate for the same user i get this error on the Client side. Both OpenVPN configs are made with the build-in wizard which apply the firewall rules.

    I have another pFSense (2.3.3-RELEASE) appliance which works perfectly with OpenVPN and was easy to setup.
    I reinstalled this pFSense and compared the OpenVPN setup with the other pFSense server, but still this error comes up.

    pFSense version: 2.4.3-RELEASE-p1
    OpenVPN version: 2.4.4

    Client Certificate config;

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 149.210.XXX.XXX 4494 udp
    verify-x509-name "rbs_cert_client" name
    auth-user-pass
    pkcs12 rbsfw01-UDP4-4494.p12
    tls-auth rbsfw01-UDP4-4494-tls.key 1

    Client log;

    Thu Jun 14 08:58:27 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=rbs_cert_client, OU=ICT
    Thu Jun 14 08:58:27 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Thu Jun 14 08:58:27 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Thu Jun 14 08:58:27 2018 TLS Error: TLS object -> incoming plaintext read error
    Thu Jun 14 08:58:27 2018 TLS Error: TLS handshake failed

    Server Certificate config;

    dev tun
    persist-tun
    persist-key
    cipher AES-256-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote 149.210.XXX.XXX 5594 udp
    verify-x509-name "rbs_cert_server" name
    auth-user-pass
    pkcs12 rbsfw01-UDP4-5594.p12
    tls-auth rbsfw01-UDP4-5594-tls.key 1
    remote-cert-tls server

    /var/log/openvpn.log

    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=CERT, subjectAltName=
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS_ERROR: BIO read tls_read_plaintext error
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS object -> incoming plaintext read error
    Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX34986 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=RBS CERT, subjectAltName=
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS_ERROR: BIO read tls_read_plaintext error
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS object -> incoming plaintext read error
    Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed
    Jun 13 21:36:44 rbsfw01 openvpn[43354]: 5.132.XXX.XXX:34986 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Jun 13 21:36:44 rbsfw01 openvpn[43354]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed

    Any help is appreciated.


  • Rebel Alliance Developer Netgate

    The server side must use a server certificate. The client side needs a user certificate. The client certificate can't be the same as the server certificate.



  • I tried both.

    • Created a CA certificate
    • Created a USER certificate
    • Created a USER
    • Added USER Certificate to USER
    • Used OpenVPN Wizard to create openvpn files

    This gives me a error on the CLIENT side: VERIFY ERROR: depth=0, error=unsupported certificate purpose

    Removed all configs and certificates except CA

    • Created a SERVER certificate
    • Created a USER
    • Added SERVER Certificate to USER
    • Used OpenVPN Wizard to create openvpn files

    This gives me the same error but on the SERVER side: VERIFY ERROR: depth=0, error=unsupported certificate purpose

    Am i doing something wrong? I tried so much i dunno anymore.


  • Rebel Alliance Developer Netgate

    You never said what you did on the server.

    You need to create a server certificate and then select it in the OpenVPN server settings.



  • I used the server cert in the OpenVPN server setting;

    0_1528983961853_36b5ab07-4aef-47f2-b878-46dae3fb8ee2-image.png

    With this setting i get the unsupported certificate purpose on the server side (openvpn.log)


  • Rebel Alliance Developer Netgate

    The server side should be OK then, provided you also have a user (NON-server) certificate on the client at the time.

    If you try to use a server certificate on both it would fail, same as if you used a client certificate on the server. Both of those are unsupported purposes so it fails.



  • Ah ok.. i understand now..

    I did the following now;

    Removed the Server Cert from the User and added a User Certificate.
    Then used openvpn wizard to create a new config. When im done the new config pops up in the server configs(?);

    0_1528988796725_6a5b530c-baed-4951-a636-236ec8303fb9-image.png

    When i download the files and put them in the OpenVPN config folder and connect i still get this on the client side;

    Thu Jun 14 17:09:12 2018 TLS Error: Unroutable control packet received from [AF_INET]149.210.180.XXX:10194 (si=3 op=P_CONTROL_V1)
    Thu Jun 14 17:09:12 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test, CN=rbs_client, OU=ICT
    Thu Jun 14 17:09:12 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    Thu Jun 14 17:09:12 2018 TLS_ERROR: BIO read tls_read_plaintext error
    Thu Jun 14 17:09:12 2018 TLS Error: TLS object -> incoming plaintext read error
    Thu Jun 14 17:09:12 2018 TLS Error: TLS handshake failed

    Maybe in version 2.3.3 everything worked different then in 2.4.4 or something because when i do exactly the same on the other pFSense box it works flawless...


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy