Netgate Discussion Forum

    Verify your configuration

      luufeliipee2

      Re: OpenVPN server certificate verify failed on pfSense 2.6.0

      Apr 22 13:55:24 openvpn 40410 192.168.0.59:53529 SIGUSR1[soft,tls-error] received, client-instance restarting
      Apr 22 13:55:24 openvpn 40410 192.168.0.59:53529 TLS Error: TLS handshake failed
      Apr 22 13:55:24 openvpn 40410 192.168.0.59:53529 TLS Error: TLS object -> incoming plaintext read error
      Apr 22 13:55:24 openvpn 40410 192.168.0.59:53529 TLS_ERROR: BIO read tls_read_plaintext error
      Apr 22 13:55:24 openvpn 40410 192.168.0.59:53529 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
      Apr 22 13:55:24 openvpn 40410 192.168.0.59:53529 VERIFY SCRIPT ERROR: depth=1, CN=pfSense-CA, C=GB, ST=UK, L=London, O=Test Ltd.
      Apr 22 13:55:24 openvpn 40410 192.168.0.59:53529 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
      Apr 22 13:55:23 openvpn 40410 192.168.0.59:53529 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=pfSense-CA, C=GB, ST=UK, L=London, O=Test Ltd.
      Apr 22 13:55:23 openvpn 40410 192.168.0.59:53529 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=spike, C=GB, ST=UK, L=London, O=Test Ltd.
      Apr 22 13:55:23 openvpn 40410 192.168.0.59:53529 TLS: Initial packet from [AF_INET]192.168.0.59:53529, sid=65d042ea 93aca844

      <<< -- In this case you're using the wrong names; you need to use "OpenVPNServer" because "OpenVPNServer" is your CN=

      Your config should be:

      dev tun
      persist-tun
      persist-key
      data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
      data-ciphers-fallback AES-256-CBC
      auth SHA512
      tls-client
      client
      resolv-retry infinite
      remote 84.9.xxx.xxx 1194 udp4
      nobind
      verify-x509-name "OpenVPNServer" name
      auth-user-pass
      remote-cert-tls server
      explicit-exit-notify
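The name check that `verify-x509-name "OpenVPNServer" name` asks the client to perform, as an added example that is not part of the original post and is not OpenVPN's own code. It parses the directive from a client config and tests a certificate subject against it for the three documented match types (`subject`, `name`, `name-prefix`); the function names, the sample config and the subject string are constructed for illustration.

```python
import shlex

# Constructed sample: three of the client directives quoted in the post above.
SAMPLE_CLIENT_CONFIG = """\
client
remote-cert-tls server
verify-x509-name "OpenVPNServer" name
"""

def parse_verify_x509_name(config_text):
    """Return (expected, match_type) from a client config, or None if absent."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line)
        except ValueError:  # unbalanced quote, e.g. inside an inline blob
            continue
        if tokens and tokens[0] == "verify-x509-name" and len(tokens) >= 2:
            # With no type argument OpenVPN compares the complete subject DN.
            return tokens[1], tokens[2] if len(tokens) > 2 else "subject"
    return None

def common_name(subject):
    """Pull CN out of a subject written as in the log: 'CN=x, C=GB, ...'.
    Naive split: assumes no attribute value contains a comma."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key == "CN":
            return value
    return None

def server_name_accepted(config_text, server_subject):
    """True if the server certificate subject satisfies verify-x509-name."""
    directive = parse_verify_x509_name(config_text)
    if directive is None:
        return True  # no name pinning configured; only chain checks apply
    expected, match_type = directive
    if match_type == "subject":
        return server_subject == expected
    cn = common_name(server_subject)
    if match_type == "name":
        return cn == expected
    if match_type == "name-prefix":
        return cn is not None and cn.startswith(expected)
    raise ValueError(f"unknown verify-x509-name type: {match_type}")

if __name__ == "__main__":
    # Constructed subject: the DN fields seen in the log with the CN the post names.
    subject = "CN=OpenVPNServer, C=GB, ST=UK, L=London, O=Test Ltd."
    print(server_name_accepted(SAMPLE_CLIENT_CONFIG, subject))
```

The comparison is case-sensitive and exact for `name`, so a config that names anything other than the server certificate's CN fails the check even when the certificate chain itself is valid.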
