• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Certificate does not have key usage extension

Scheduled Pinned Locked Moved OpenVPN
22 Posts 6 Posters 8.1k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • T
    testsia
    last edited by testsia Apr 22, 2022, 11:19 AM Apr 22, 2022, 11:18 AM

    Hi friends!
    I ran into a problem!
    I have been working on PFSENSE 2.4.5 for a long time.
    I had several openvpn connections configured (SSL/TLS remote access). Users connected through this connection to my network. I used self-written CA, Server, Client certificates. The server on which I am generating certificates is not PFSENSE, it is a standalone independent server that is not connected to the network.
    On version PFSENSE 2.4.5 everything works fine!

    I decided to reinstall the PFSENSE server to the latest PFSENSE 2.6.0. The server was installed and restored using a backup.

    I found that users can no longer connect to my network.

    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 READ [22] from [AF_INET]91.203.115.5:42662: P_ACK_V1 kid=0 [ 0 ]
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 READ [187] from [AF_INET]91.203.115.5:42662: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=173
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 WRITE [1200] to [AF_INET]91.203.115.5:42662: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1174
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 WRITE [1060] to [AF_INET]91.203.115.5:42662: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1046
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 READ [22] from [AF_INET]91.203.115.5:42662: P_ACK_V1 kid=0 [ 1 ]
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 READ [1200] from [AF_INET]91.203.115.5:42662: P_CONTROL_V1 kid=0 [ 2 ] pid=2 DATA len=1174
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 WRITE [22] to [AF_INET]91.203.115.5:42662: P_ACK_V1 kid=0 [ 2 ]
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 UDPv4 READ [943] from [AF_INET]91.203.115.5:42662: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=929
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 VERIFY WARNING: depth=0, unable to get certificate CRL: C=US, ST=CA, L=CA, O=CA, OU=CA, CN=Mob-1299
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 VERIFY SCRIPT OK: depth=1, C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 VERIFY OK: depth=1, C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 Certificate does not have key usage extension
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 VERIFY KU ERROR
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 TLS_ERROR: BIO read tls_read_plaintext error
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 TLS Error: TLS object -> incoming plaintext read error
    Apr 22 13:45:48	openvpn	12909	91.203.115.5:42662 TLS Error: TLS handshake failed
    

    I rebooted the server, disabled and enabled the VPN, but it did not work!
    But when I went into the OPENVPN settings and made changes (changing the port or changing the encryption type or setting the log verbosity level) - any change. After that, having returned this change back, my OPENVPN starts working!!!
    Users can connect again.

    But when I rebooted the server, I ran into the same problem again.
    I made changes to the configuration again, then returned it back. Users are connected.
    If I stop the OPENVPN service and start it back it doesn't work. Only a change in the OPENVPN configuration works.

    I read a lot of forums, one of them recommends disabling "Certificate Depth"
    I turned it off but it still doesn't work for me.
    Help solve the problem!

    Server:

    dev ovpns3
    verb 6
    dev-type tun
    dev-node /dev/tun3
    writepid /var/run/openvpn_server3.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp4
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    client-connect /usr/local/sbin/openvpn.attributes.sh
    client-disconnect /usr/local/sbin/openvpn.attributes.sh
    local 187.XX.XX.XX
    tls-server
    server 10.10.15.0 255.255.255.0
    client-config-dir /var/etc/openvpn/server3/csc
    tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'SERVER-PHONE-MOB' 1"
    lport 11956
    management /var/etc/openvpn/server3/sock unix
    push "dhcp-option DNS 192.168.120.1"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.8.8"
    push "redirect-gateway def1"
    remote-cert-tls client
    capath /var/etc/openvpn/server3/ca
    cert /var/etc/openvpn/server3/cert 
    key /var/etc/openvpn/server3/key 
    dh /etc/dh-parameters.1024
    data-ciphers AES-128-GCM:BF-CBC
    data-ciphers-fallback BF-CBC
    allow-compression asym
    topology subnet
    

    Client:

    persist-tun
    persist-key
    cipher BF-CBC
    auth SHA1
    tls-client
    client 
    remote 187.XX.XX.XX 11956 udp
    verify-x509-name "SERVER-PHONE-MOB" name
    auth-nocache
    tls-version-min 1.2
    <ca>
    
    V 1 Reply Last reply Apr 22, 2022, 11:48 AM Reply Quote 0
    • V
      viragomann @testsia
      last edited by Apr 22, 2022, 11:48 AM

      @testsia
      Seems to be this issue: https://redmine.pfsense.org/issues/13056

      There is already a patch available for it: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/48cf54f850c5bf4fe26a8e33deb449807e71c204/diff

      T 1 Reply Last reply Apr 22, 2022, 12:01 PM Reply Quote 1
      • T
        testsia @viragomann
        last edited by Apr 22, 2022, 12:01 PM

        @viragomann said in Certificate does not have key usage extension:

        @testsia
        Seems to be this issue: https://redmine.pfsense.org/issues/13056

        There is already a patch available for it: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/48cf54f850c5bf4fe26a8e33deb449807e71c204/diff

        Maybe this will help solve my problem!
        I will try to make changes to the code, but this must be done outside of business hours. Thank you friend.

        V 1 Reply Last reply Apr 22, 2022, 12:21 PM Reply Quote 0
        • V
          viragomann @testsia
          last edited by Apr 22, 2022, 12:21 PM

          @testsia
          Install the System_Patches package. It patches the code automatically for you, by stating the patch ID.

          T 1 Reply Last reply Apr 22, 2022, 1:17 PM Reply Quote 0
          • T
            testsia @viragomann
            last edited by Apr 22, 2022, 1:17 PM

            @viragomann
            I thought that I would be able to solve the problem, but it's not.
            I applied the patch, checked the vpn_openvpn_client.php and vpn_openvpn_server.php files, indeed the changes were made to the file.
            But after applying the patch, users cannot connect, I rebooted the VPN, but there is no connection.
            I made changes to the VPN configuration but that didn't help either. I removed the patch. The users have reconnected. Perhaps a reboot of Pfsense is needed?

            V 1 Reply Last reply Apr 22, 2022, 1:25 PM Reply Quote 0
            • V
              viragomann @testsia
              last edited by Apr 22, 2022, 1:25 PM

              @testsia said in Certificate does not have key usage extension:

              Perhaps a reboot of Pfsense is needed?

              I'd try it. Otherwise some hints in the logs?

              T 1 Reply Last reply Apr 22, 2022, 1:33 PM Reply Quote 0
              • T
                testsia @viragomann
                last edited by testsia Apr 22, 2022, 1:35 PM Apr 22, 2022, 1:33 PM

                @viragomann said in Certificate does not have key usage extension:

                @testsia said in Certificate does not have key usage extension:

                Perhaps a reboot of Pfsense is needed?

                I'd try it. Otherwise some hints in the logs?

                I enable debug . Verbosity level 8
                ```

                openvpn	76521	91.203.115.5:57167 ACK reliable_send ID 1 (size=1178 to=2)
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 2 [2] 1
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0002 ev=7 arg=0x002b7428
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0000 ev=6 arg=0x002b6724
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:00	openvpn	76521	I/O WAIT Tr|Tw|Sr|SW [1/15005]
                Apr 22 16:30:00	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x002b7428
                Apr 22 16:30:00	openvpn	76521	I/O WAIT status=0x0002
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 UDPv4 WRITE [1188] to [AF_INET]91.203.115.5:57167: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=1174
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=1 current=0 : [2] 1
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 BIO read tls_read_ciphertext 1174 bytes
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK mark active outgoing ID 2
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=2 current=1 : [3] 1 2
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_send ID 2 (size=1178 to=2)
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 2 [3] 1 2
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0002 ev=7 arg=0x002b7428
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0000 ev=6 arg=0x002b6724
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:00	openvpn	76521	I/O WAIT Tr|Tw|Sr|SW [1/14912]
                Apr 22 16:30:00	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x002b7428
                Apr 22 16:30:00	openvpn	76521	I/O WAIT status=0x0002
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 UDPv4 WRITE [1188] to [AF_INET]91.203.115.5:57167: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1174
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=2 current=0 : [3] 1 2
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 BIO read tls_read_ciphertext 14 bytes
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK mark active outgoing ID 3
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=3 current=1 : [4] 1 2 3
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_send ID 3 (size=18 to=2)
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 2 [4] 1 2 3
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0002 ev=7 arg=0x002b7428
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0000 ev=6 arg=0x002b6724
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:00	openvpn	76521	I/O WAIT Tr|Tw|Sr|SW [1/14822]
                Apr 22 16:30:00	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x002b7428
                Apr 22 16:30:00	openvpn	76521	I/O WAIT status=0x0002
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 UDPv4 WRITE [28] to [AF_INET]91.203.115.5:57167: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=14
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=3 current=0 : [4] 1 2 3
                Apr 22 16:30:00	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 2 [4] 1 2 3
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=7 arg=0x002b7428
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=6 arg=0x002b6724
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:00	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:00	openvpn	76521	I/O WAIT TR|Tw|SR|Sw [1/14756]
                Apr 22 16:30:01	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	I/O WAIT status=0x0001
                Apr 22 16:30:01	openvpn	76521	MULTI: REAP range 80 -> 96
                Apr 22 16:30:01	openvpn	76521	GET INST BY REAL: 91.203.115.5:57167 [ok]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 UDPv4 READ [22] from [AF_INET]91.203.115.5:57167: P_ACK_V1 kid=0 [ 1 ]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK received for pid 1, deleting from send buffer
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 TIMER: coarse timer wakeup 1 seconds
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=2 current=0 : [4] 2 3
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 1 [4] 2 3
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=7 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=6 arg=0x002b6724
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:01	openvpn	76521	I/O WAIT TR|Tw|SR|Sw [0/905546]
                Apr 22 16:30:01	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	I/O WAIT status=0x0001
                Apr 22 16:30:01	openvpn	76521	GET INST BY REAL: 91.203.115.5:57167 [ok]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 UDPv4 READ [22] from [AF_INET]91.203.115.5:57167: P_ACK_V1 kid=0 [ 2 ]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK received for pid 2, deleting from send buffer
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=1 current=0 : [4] 3
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 1 [4] 3
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=7 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=6 arg=0x002b6724
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:01	openvpn	76521	I/O WAIT TR|Tw|SR|Sw [0/900672]
                Apr 22 16:30:01	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	I/O WAIT status=0x0001
                Apr 22 16:30:01	openvpn	76521	GET INST BY REAL: 91.203.115.5:57167 [ok]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 UDPv4 READ [1276] from [AF_INET]91.203.115.5:57167: P_CONTROL_V1 kid=0 [ 3 ] pid=2 DATA len=1250
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK received for pid 3, deleting from send buffer
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK read ID 2 (buf->len=1250)
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK RWBS rel->size=8 rel->packet_id=00000002 id=00000002 ret=1
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK mark active incoming ID 2
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK acknowledge ID 2 (ack->len=1)
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=0 current=0 : [4]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 BIO write tls_write_ciphertext 1250 bytes
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=0 current=0 : [4]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK write ID 2 (ack->len=1, n=1)
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 604800 [4]
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0002 ev=7 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0000 ev=6 arg=0x002b6724
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:01	openvpn	76521	I/O WAIT Tr|Tw|Sr|SW [0/889734]
                Apr 22 16:30:01	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000004 rwflags=0x0002 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	I/O WAIT status=0x0002
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 UDPv4 WRITE [22] to [AF_INET]91.203.115.5:57167: P_ACK_V1 kid=0 [ 2 ]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=0 current=0 : [4]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_send_timeout 604800 [4]
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=7 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=6 arg=0x002b6724
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:01	openvpn	76521	I/O WAIT TR|Tw|SR|Sw [0/889660]
                Apr 22 16:30:01	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	I/O WAIT status=0x0001
                Apr 22 16:30:01	openvpn	76521	GET INST BY REAL: 91.203.115.5:57167 [ok]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 UDPv4 READ [1264] from [AF_INET]91.203.115.5:57167: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1250
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK read ID 3 (buf->len=1250)
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK RWBS rel->size=8 rel->packet_id=00000003 id=00000003 ret=1
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK mark active incoming ID 3
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK acknowledge ID 3 (ack->len=1)
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 ACK reliable_can_send active=0 current=0 : [4]
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 BIO write tls_write_ciphertext 1250 bytes
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 SSL state (accept): TLSv1.3 early data
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 VERIFY WARNING: depth=0, unable to get certificate CRL: C=US, ST=CA, L=CA, O=CA, OU=CA, CN=Mob-1244
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 VERIFY SCRIPT OK: depth=1, C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 VERIFY OK: depth=1, C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 Certificate does not have key usage extension
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 VERIFY KU ERROR
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 SSL alert (write): fatal: unknown CA
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 TLS_ERROR: BIO read tls_read_plaintext error
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 TLS Error: TLS object -> incoming plaintext read error
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 TLS Error: TLS handshake failed
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 PID packet_id_init seq_backtrack=64 time_backtrack=15
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 PID packet_id_init seq_backtrack=64 time_backtrack=15
                Apr 22 16:30:01	openvpn	76521	91.203.115.5:57167 SIGUSR1[soft,tls-error] received, client-instance restarting
                Apr 22 16:30:01	openvpn	76521	MULTI: multi_close_instance called
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	PID packet_id_free
                Apr 22 16:30:01	openvpn	76521	SCHEDULE: schedule_find_least NULL
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=7 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=6 arg=0x002b6724
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:01	openvpn	76521	I/O WAIT TR|Tw|SR|Sw [10/0]
                Apr 22 16:30:01	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	I/O WAIT status=0x0001
                Apr 22 16:30:01	openvpn	76521	TLS State Error: No TLS state for client [AF_INET]91.203.115.5:57167, opcode=4
                Apr 22 16:30:01	openvpn	76521	GET INST BY REAL: 91.203.115.5:57167 [failed]
                Apr 22 16:30:01	openvpn	76521	SCHEDULE: schedule_find_least NULL
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=7 arg=0x002b7428
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=6 arg=0x002b6724
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=5 arg=0x002b6728
                Apr 22 16:30:01	openvpn	76521	PO_CTL rwflags=0x0001 ev=11 arg=0x002b672c
                Apr 22 16:30:01	openvpn	76521	I/O WAIT TR|Tw|SR|Sw [10/0]
                Apr 22 16:30:02	openvpn	76521	PO_WAIT[0,0] fd=7 rev=0x00000001 rwflags=0x0001 arg=0x002b7428
                Apr 22 16:30:02	openvpn	76521	I/O WAIT status=0x0001
                Apr 22 16:30:02	openvpn	76521	MULTI: REAP range 96 -> 112
                
                
                Debug 3
                
                
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 TLS: Initial packet from [AF_INET]91.203.115.5:61066, sid=e6490326 26fe8805
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 VERIFY WARNING: depth=0, unable to get certificate CRL: C=US, ST=CA, L=CA, O=CA, OU=CA, CN=Mob-1244
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 VERIFY WARNING: depth=1, unable to get certificate CRL: C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 VERIFY SCRIPT OK: depth=1, C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 VERIFY OK: depth=1, C=CA, ST=CA, L=CA, O=CA, OU=CA, CN=CA
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 Certificate does not have key usage extension
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 VERIFY KU ERROR
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 TLS_ERROR: BIO read tls_read_plaintext error
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 TLS Error: TLS object -> incoming plaintext read error
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 TLS Error: TLS handshake failed
                Apr 22 16:34:24	openvpn	16094	91.203.115.5:61066 SIGUSR1[soft,tls-error] received, client-instance restarting
                
                V 1 Reply Last reply Apr 22, 2022, 1:43 PM Reply Quote 0
                • V
                  viragomann @testsia
                  last edited by Apr 22, 2022, 1:43 PM

                  @testsia
                  That was with the patch applied? It's exactly the same error as above.

                  T 1 Reply Last reply Apr 22, 2022, 1:48 PM Reply Quote 0
                  • T
                    testsia @viragomann
                    last edited by Apr 22, 2022, 1:48 PM

                    @viragomann
                    Yes with a patch! I also noticed that nothing has changed in the logs. Perhaps a server restart is needed?

                    I had never used patches before, I didn't know anything about them. Thanks for the good experience!

                    V 1 Reply Last reply Apr 22, 2022, 1:52 PM Reply Quote 0
                    • V
                      viragomann @testsia
                      last edited by Apr 22, 2022, 1:52 PM

                      @testsia said in Certificate does not have key usage extension:

                      Perhaps a server restart is needed?

                      A restart of OpenVPN server for sure, but I don't think that rebooting the box will be needed.

                      T 1 Reply Last reply Apr 22, 2022, 1:58 PM Reply Quote 0
                      • T
                        testsia @viragomann
                        last edited by Apr 22, 2022, 1:58 PM

                        @viragomann
                        Do I need to restart all the OPENVPN services or is the one "OpenVPN server: Mobil-Video-CCTV_NEW"on which I conduct experiments enough?
                        I reloaded one"OpenVPN server: Mobil-Video-CCTV_NEW".Снимок экрана 2022-04-22 в 4.56.06 PM.png

                        V 1 Reply Last reply Apr 22, 2022, 2:03 PM Reply Quote 0
                        • V
                          viragomann @testsia
                          last edited by Apr 22, 2022, 2:03 PM

                          @testsia
                          Yes, it's sufficient to restart a single service, but the changes only affects to the restarted services naturally.

                          T 1 Reply Last reply Apr 22, 2022, 2:05 PM Reply Quote 0
                          • T
                            testsia @viragomann
                            last edited by Apr 22, 2022, 2:05 PM

                            @viragomann
                            Then I don't know what to do with this problem!
                            I will try to restart the whole server tonight

                            T 1 Reply Last reply Apr 25, 2022, 8:41 AM Reply Quote 0
                            • T
                              testsia @testsia
                              last edited by Apr 25, 2022, 8:41 AM

                              Hey!
                              I rebooted the server but my problem was not solved.
                              I went further in my experiments.
                              I have generated a new "CA" certificate. Generated a certificate for the server, specified them in my OPENVPN configuration and now it works fine. But as soon as I return certificates that were not generated on PFSENSE, my problem returns. Does anyone have any ideas how to solve the problem?

                              1 Reply Last reply Reply Quote 0
                              • T
                                testsia
                                last edited by Apr 27, 2022, 1:20 PM

                                @testsia
                                Hi friends!
                                I went further in my experiments.
                                I installed Pfsense version 2.5, performed a restore from a backup.

                                And OPENVPN works as expected!
                                I can conclude that the problem is Pfsense version 2.6.
                                I don't know where to write to inform the developers. But the problem is exactly Pfsense version 2.6.
                                It does not work with certificates that were generated outside Pfsense.

                                T 1 Reply Last reply May 2, 2022, 3:07 PM Reply Quote 0
                                • T
                                  testsia @testsia
                                  last edited by May 2, 2022, 3:07 PM

                                  @testsia
                                  I determined what the problem is.
                                  My client certificates do not have serverAuth and clientAuth ExtendedKeyUSage ("EKU") attribytes.
                                  In version 2.6 this check is mandatory

                                  Certificate does not have key usage extension
                                  91.203.115.5:56352 VERIFY KU ERROR
                                  

                                  Who knows how I can disable this check on the server???
                                  Снимок экрана 2022-05-02 в 1.11.41 PM.png

                                  1 Reply Last reply Reply Quote 0
                                  • jimpJ
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by jimp May 2, 2022, 6:49 PM May 2, 2022, 6:46 PM

                                    @testsia said in Certificate does not have key usage extension:

                                    Who knows how I can disable this check on the server???

                                    That was already answered upthread.

                                    • Read https://redmine.pfsense.org/issues/13056
                                    • Install the System Patches package
                                    • Create entries in the System Patches package for 48cf54f850c5bf4fe26a8e33deb449807e71c204 and 47f2f4060d9e5b71c5c69356b61191fd2931383c
                                    • Fetch and apply both patches
                                    • Uncheck "Client Certificate Key Usage Validation" in the OpenVPN server and Save

                                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    T X S 3 Replies Last reply May 3, 2022, 11:44 AM Reply Quote 4
                                    • T
                                      testsia @jimp
                                      last edited by May 3, 2022, 11:44 AM

                                      @jimp said in Certificate does not have key usage extension:

                                      @testsia said in Certificate does not have key usage extension:

                                      Who knows how I can disable this check on the server???

                                      That was already answered upthread.

                                      • Read https://redmine.pfsense.org/issues/13056
                                      • Install the System Patches package
                                      • Create entries in the System Patches package for 48cf54f850c5bf4fe26a8e33deb449807e71c204 and 47f2f4060d9e5b71c5c69356b61191fd2931383c
                                      • Fetch and apply both patches
                                      • Uncheck "Client Certificate Key Usage Validation" in the OpenVPN server and Save

                                      I am very grateful to you!
                                      You helped solve my problem!
                                      Thanks!!!

                                      W 1 Reply Last reply Jun 30, 2022, 6:59 PM Reply Quote 0
                                      • W
                                        webdawg @testsia
                                        last edited by webdawg Aug 4, 2022, 5:54 PM Jun 30, 2022, 6:59 PM


                                        1 Reply Last reply Reply Quote 0
                                        • X
                                          Ximulate @jimp
                                          last edited by Jul 11, 2022, 1:48 PM

                                          @jimp said in Certificate does not have key usage extension:

                                          Uncheck "Client Certificate Key Usage Validation" in the OpenVPN server and Save

                                          Does this create a security issue? If so, is there a proper way within pfSense to set-up the certificate so that the EKU works?

                                          The post at the link below indicates it does:
                                          https://superuser.com/questions/1446201/openvpn-certificate-does-not-have-key-usage-extension

                                          1 Reply Last reply Reply Quote 0
                                          • First post
                                            Last post
                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                            [[user:consent.lead]]
                                            [[user:consent.not_received]]