OpenVPN 21.02 clients cannot connect
-
Hi,
I've upgraded a Netgate SG-3100 to 21.02; now the OpenVPN clients aren't able to connect to the server that is on the SG-3100. The only entries that appear in the log are:

SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
2021-03-01T17:06:22+01:00 openvpn[39857]: SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
2021-03-01T17:06:26+01:00 openvpn[39857]: SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1

Please let me know how to fix it. The connections are incoming, but without success, and there is no data on the OpenVPN status page.
Thanks, BR -
-
Thank you @jimp, but I don't get how to fix it:
[21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=1&certdepth=1&certsubject=shortline&serial=123"
OK

[21.02-RELEASE]/root: /usr/local/sbin/fcgicli -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
Something wrong happened while reading request

The link https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/154 is broken.
Mr Rick Frey: Replacing fcgicli with php-cgi works for me as well when using a self-generated cert, intermediate and root CA with lengthy subjects. I added a logging statement to log the output of each command. fcgicli returns "_Something wrong happened while reading request_" whereas php-cgi returns "OK". Note that I only tested cert depth as I don't use user credentials.

[21.02-RELEASE]/root: /usr/local/bin/php-cgi -f /etc/inc/openvpn.tls-verify.php -d "servercn=aaa&depth=2&certdepth=2&certsubject=qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq&serial=123"
PHP: syntax error, unexpected '=' in Unknown on line 1

What and where exactly should the fcgicli be replaced?

192.168.100.100:1194 TLS Error: TLS handshake failed
192.168.100.100:1194 TLS Error: TLS object -> incoming plaintext read error
192.168.100.100:1194 TLS_ERROR: BIO read tls_read_plaintext error
192.168.100.100:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
192.168.100.100:1194 TLS Error: TLS handshake failed
192.168.100.100:1194 TLS Error: TLS object -> incoming plaintext read error
192.168.100.100:1194 TLS_ERROR: BIO read tls_read_plaintext error
192.168.100.100:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
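The two kinds of log entries quoted in this thread tell different parts of one story: the server's `--tls-verify` hook is exiting non-zero, and as a result every client certificate is reported by OpenSSL as "certificate verify failed" even when the certificate itself is fine. The following triage helper is an added example and is not code from the thread or from pfSense; it runs over constructed sample lines copied from the shape of the entries above (the timestamps, PID and peer address are taken from the posts, the "Initialization Sequence Completed" line is made up) and separates hook failures from genuine certificate problems so that an operator looks at the right thing first.

```python
"""Triage OpenVPN server log lines: distinguish a failing --tls-verify hook
from a real certificate rejection. Added example, not pfSense code."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample, modelled on the entries quoted in the thread.
SAMPLE_LOG = """\
2021-03-01T17:06:22+01:00 openvpn[39857]: SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
192.168.100.100:1194 TLS Error: TLS handshake failed
192.168.100.100:1194 TLS Error: TLS object -> incoming plaintext read error
192.168.100.100:1194 TLS_ERROR: BIO read tls_read_plaintext error
192.168.100.100:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
2021-03-01T17:06:26+01:00 openvpn[39857]: SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
192.168.100.100:1194 TLS Error: TLS handshake failed
192.168.100.100:1194 TLS Error: TLS object -> incoming plaintext read error
192.168.100.100:1194 TLS_ERROR: BIO read tls_read_plaintext error
192.168.100.100:1194 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
2021-03-01T17:06:30+01:00 openvpn[39857]: SOURCE WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
2021-03-01T17:07:01+01:00 openvpn[39857]: Initialization Sequence Completed
"""

# "Failed running command (--tls-verify script): ... error status: N"
SCRIPT_FAIL_RE = re.compile(
    r"Failed running command \((?P<hook>--[\w-]+) script\): "
    r"external program exited with error status: (?P<status>\d+)"
)
# Per-peer lines are prefixed with "address:port " by the OpenVPN server.
PEER_RE = re.compile(r"^(?P<peer>\d{1,3}(?:\.\d{1,3}){3}:\d+) (?P<msg>.*)$")
VERIFY_FAIL = "certificate verify failed"


@dataclass
class Findings:
    hook_failures: Counter = field(default_factory=Counter)      # (hook, exit status) -> count
    verify_failures: Counter = field(default_factory=Counter)    # peer -> count
    handshake_failures: Counter = field(default_factory=Counter) # peer -> count


def parse(lines):
    """Classify each line; unrelated lines are ignored."""
    found = Findings()
    for line in lines:
        m = SCRIPT_FAIL_RE.search(line)
        if m:
            found.hook_failures[(m["hook"], int(m["status"]))] += 1
            continue
        pm = PEER_RE.match(line)
        if not pm:
            continue
        msg = pm["msg"]
        if VERIFY_FAIL in msg:
            found.verify_failures[pm["peer"]] += 1
        elif "TLS handshake failed" in msg:
            found.handshake_failures[pm["peer"]] += 1
    return found


def verdict(found):
    """Point the operator at the most likely root cause."""
    if found.hook_failures and found.verify_failures:
        hooks = ", ".join(sorted({hook for hook, _ in found.hook_failures}))
        return (f"verification hook failing ({hooks}); "
                "fix the hook before touching certificates")
    if found.verify_failures:
        return "certificate rejected by OpenSSL; check CA chain, CRL and expiry"
    if found.handshake_failures:
        return "handshake failures without verification errors; check MTU, tls-auth/tls-crypt and firewall"
    return "no TLS problems found"


def triage(text):
    """Convenience wrapper: log text in, one-line verdict out."""
    return verdict(parse(text.splitlines()))


if __name__ == "__main__":
    f = parse(SAMPLE_LOG.splitlines())
    print("hook failures:     ", dict(f.hook_failures))
    print("verify failures:   ", dict(f.verify_failures))
    print("handshake failures:", dict(f.handshake_failures))
    print("verdict:", verdict(f))
```

Run against a real log with `triage(open("/var/log/openvpn.log").read())` (path assumed). When the verdict points at the hook, the next step is the one shown in the thread: invoke the hook script directly with the same request data OpenVPN would pass and compare a short and a long `certsubject`. One caveat on the php-cgi command above: `php-cgi -d` defines a php.ini directive rather than passing request data, which is why that invocation reports an ini syntax error at the first `=` instead of running the script, so its "OK" or error cannot be compared with fcgicli's output.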
-
The link is internal, not broken, but you don't need it.
I linked to comment #11 on that issue which has an attachment that is the patch you need to apply.