4. OpenVPN: OpenSSL: error:140890C7 (peer did not return a certificate)

OpenVPN: OpenSSL: error:140890C7 (peer did not return a certificate)

  • F

    I tried to configure a VPN using OpenVPN on my pfSense (latest version 2.4.3-RELEASE-p1 (amd64)), following the guide at: https://vorkbaard.nl/set-up-openvpn-on-pfsense-with-user-certificates-and-active-directory-authentication/

    LDAP authentication works perfectly, as tested from the Diagnostics->Authentication option.

    When I try to connect to the VPN (both on UDP or TCP), the client (Linux, using --verb 3) sees:

    Mon Jul 30 18:19:11 2018 WARNING: file 'server001-tls.key' is group or others accessible
Mon Jul 30 18:19:11 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Mon Jul 30 18:19:11 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Enter Auth Username: myuser
Enter Auth Password: ********
Mon Jul 30 18:19:18 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 30 18:19:18 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Mon Jul 30 18:19:18 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]x.x.x.x:1194
Mon Jul 30 18:19:18 2018 Socket Buffers: R=[87380->87380] S=[16384->16384]
Mon Jul 30 18:19:18 2018 Attempting to establish TCP connection with [AF_INET]x.x.x.x:1194 [nonblock]
Mon Jul 30 18:19:19 2018 TCP connection established with [AF_INET]x.x.x.x:1194
Mon Jul 30 18:19:19 2018 TCP_CLIENT link local: (not bound)
Mon Jul 30 18:19:19 2018 TCP_CLIENT link remote: [AF_INET]x.x.x.x:1194
Mon Jul 30 18:19:19 2018 TLS: Initial packet from [AF_INET]x.x.x.x:1194, sid=65axx884 644xxa2a
Mon Jul 30 18:19:19 2018 VERIFY OK: depth=1, C=US, ST=Texas, L=Houston, O=HOU Lab, emailAddress=admin@mydomain.local, CN=OpenVPN_CA, OU=Testing
Mon Jul 30 18:19:19 2018 VERIFY KU OK
Mon Jul 30 18:19:19 2018 Validating certificate extended key usage
Mon Jul 30 18:19:19 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Mon Jul 30 18:19:19 2018 VERIFY EKU OK
Mon Jul 30 18:19:19 2018 VERIFY X509NAME OK: C=US, ST=Texas, L=Austin, O=Lab, emailAddress=admin@mydomain.local, CN=vpn.mydomain.local, OU=Testing
Mon Jul 30 18:19:19 2018 VERIFY OK: depth=0, C=US, ST=Texas, L=Austin, O=Lab, emailAddress=admin@mydomain.local, CN=vpn.mydomain.local, OU=Testing
Mon Jul 30 18:19:19 2018 Connection reset, restarting [0]
Mon Jul 30 18:19:19 2018 SIGUSR1[soft,connection-reset] received, process restarting
Mon Jul 30 18:19:19 2018 Restart pause, 5 second(s)

    And the server sees this:

    Jul 30 23:19:18 sverver001 openvpn[35836]: TCP connection established with [AF_INET]y.y.y.y:44294
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 OpenSSL: error:140890C7:SSL routines:ssl3_get_client_certificate:peer did not return a certificate
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS_ERROR: BIO read tls_read_plaintext error
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS Error: TLS object -> incoming plaintext read error
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 TLS Error: TLS handshake failed
Jul 30 23:19:19 sverver001 openvpn[35836]: y.y.y.y:44294 Fatal TLS error (check_tls_errors_co), restarting

    My server config file looks like this:

    dev ovpns1
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto tcp4-server
cipher AES-256-GCM
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local x.x.x.x
tls-server
server 192.168.100.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server1
username-as-common-name
auth-user-pass-verify "/usr/local/sbin/ovpn_auth_verify user QWN0a12345dG9yeQ== true server1 1194" via-env
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'vpn.mydomain.local' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
push "dhcp-option DOMAIN mydomain.local"
push "dhcp-option DNS 192.168.0.2"
push "redirect-gateway def1"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server1.tls-auth 0
ncp-ciphers AES-256-OFB:AES-256-CFB8:AES-256-CFB1:AES-256-CFB
topology subnet

    and my client config is this one:

    dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-ciphers AES-256-OFB:AES-256-CFB8:AES-256-CFB1:AES-256-CFB
auth SHA1
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194 tcp-client
verify-x509-name "vpn.mydomain.local" name
auth-user-pass
ca server001-ca.crt
#cryptoapicert "SUBJ:"
tls-auth server001-tls.key 1
remote-cert-tls server
auth-nocache

    x.x.x.x=VPN Server
    y.y.y.y=VPN Client
    mydomain.local=LDAP domain

    Any ideas ? I am currently testing on TCP to make sure the connection is available (client can see port 1194/tcp open) - I could not test that on UDP. Once it works I will switch it back to UDP.

    Please let me know if you need additional information.

    Thank you very much in advance,

    F4

    0
  • Netgate

    I don't see that you have cert or key directives pointing to the client credentials. The server is expecting the client to provide one because it is in tls-server mode:

    To use TLS mode, each peer that runs OpenVPN should have its own local certificate/key pair ( --cert and --key ), signed by the root certificate which is specified in --ca.

    https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage

    I am currently testing on TCP to make sure the connection is available (client can see port 1194/tcp open) - I could not test that on UDP. Once it works I will switch it back to UDP.

    PCAP on the server on UDP 1194 and try the connection. If you see the traffic, the port is "open."

    0
  • F

    From the OpenVPN Export Utility, I generated a ZIP file (Bundled Configurations -> Archive), that contains the following files:

    server001.ovpn
    server001.p12
    server001-ca.crt
    server001-tls.key

    I was trying these yesterday (see above):

    openvpn --config server001.ovpn --verb3

    If I try:

    openvpn --config server001.ovpn --verb3 --key server001-tls.key --cert server001-ca.crt

    I get:

    Tue Jul 31 14:12:19 2018 OpenVPN 2.4.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Feb 10 2018
Tue Jul 31 14:12:19 2018 library versions: OpenSSL 1.1.0g  2 Nov 2017, LZO 2.08
Enter Auth Username: myuser
Enter Auth Password: ********
Tue Jul 31 14:12:26 2018 Error: private key password verification failed
Tue Jul 31 14:12:26 2018 Exiting due to fatal error

    Should have I gotten other files from the server? Am I using these files incorrectly?

    0
  • Netgate

    I would just use the config exporter, generate an inline config, and use the data in there.

    0
  • F

    Thanks for the help ...

    I have not been using Inline, because I get this when trying to generate:

    The following input errors were detected:

Microsoft Certificate Storage cannot be used with an Inline configuration.
Failed to export config files!

    Any suggestions ?

    0
  • Netgate

    The user certificates are in the .p12 file. Try exporting with Microsoft Certificate Storage enabled. You are exporting for Linux, not Windows!

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy