Netgate Discussion Forum

[Solved] Unable to get local issuer certificate: CN=localhost

  • G
    G.D. Wusser Esq.
    last edited by Jul 8, 2014, 3:32 AM Jul 8, 2014, 2:34 AM

    Hi, I am starting to play with OpenVPN server running on pfSense, and I am stuck.

    Using the pfSense Certificate manager, I created the CA, Server Certificate, User Certificate, and revocation list. I created the OpenVPN server, and opened the appropriate UDP port.

    When a remote client tries to connect, here is what I see in the server logs:

    
    Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=localhost
    Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> TLS Error: TLS object -> incoming plaintext read error
    Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> TLS Error: TLS handshake failed
    

    Then the client times out after 60 seconds, and tries to connect again.

    Does the server log tell you anything? Why is it “CN=localhost”, which does not match any of the common names I configured?

    Thank you.

    • D
      divsys
      last edited by Jul 8, 2014, 2:44 AM

      Where did you get the certificate for the remote client?

      -jfp

      • G
        G.D. Wusser Esq.
        last edited by Jul 8, 2014, 3:13 AM

        @divsys:

        Where did you get the certificate for the remote client?

        I created all certificates in the pfSense Certificate Manager. And then I used the “OpenVPN Client Export Utility” to copy the configuration to the client (four files, ending with: ovpn, p12, ca.crt and tls.key).

        My OpenVPN server configuration is “Remote Access (SSL/TLS + User Auth)” with RADIUS backend. But it does not look like I am getting to the Authentication part, I am getting stuck before that.

        • G
          G.D. Wusser Esq.
          last edited by Jul 8, 2014, 3:32 AM

          I got it working. The p12 file was password-protected and needed to be installed into the certificate store before OpenVPN client could use it. Thank you.

          • D
            divsys
            last edited by Jul 8, 2014, 1:48 PM

            Glad it worked out  :)

            -jfp

            • G
              G.D. Wusser Esq.
              last edited by Jan 22, 2015, 11:10 PM

              I started to get this exact same error again all of a sudden. The server certificate is still in the client store. I do not understand what happened.

              I enabled pfSense SSH shell access not long ago. Could that have screwed with my certificates somehow?

              • G
                G.D. Wusser Esq.
                last edited by Jan 22, 2015, 11:31 PM

                I reexported and reinstalled the client bundle, and OpenVPN is working again.

                What do you think happened?

                • S
                  SipriusPT
                  last edited by Mar 14, 2017, 11:10 AM

                  Just to let you know that I had this same error when checking Microsoft Certificate Storage. I have just tested it in Windows 10.

                  1xSG-4860-1U
                  1xSG-3100
                  2xpfSense Virtual Machines
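
The server log line in the first post, `VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=localhost`, is OpenSSL reporting that the certificate presented by the client (subject `CN=localhost`) does not chain to the CA the server trusts. The script below is an added example, not part of any post in this thread; it reproduces that verdict with `openssl verify`, and every CA name, CN and path in it is constructed.

```shell
#!/bin/sh
# Added example. Every CA name, CN and path here is constructed for illustration.
set -eu

make_ca() {      # make_ca <dir> <CN>: self-signed CA key and certificate
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {   # issue_cert <ca dir> <CN> <prefix>: leaf certificate signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$3.crt" 2>/dev/null
}

verify_against() {   # verify_against <ca.crt> <leaf.crt>: print OpenSSL's verdict
    openssl verify -CAfile "$1" "$2" 2>&1 || true
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

make_ca "$work/vpn-ca" "constructed-vpn-ca"       # stands in for the CA the VPN server trusts
make_ca "$work/other-ca" "constructed-other-ca"   # an unrelated CA

issue_cert "$work/vpn-ca" "vpnuser" "$work/user"        # certificate the client should present
issue_cert "$work/other-ca" "localhost" "$work/stray"   # a CN=localhost certificate from elsewhere

echo "== user certificate vs VPN CA =="
verify_against "$work/vpn-ca/ca.crt" "$work/user.crt"
echo "== stray CN=localhost certificate vs VPN CA =="
verify_against "$work/vpn-ca/ca.crt" "$work/stray.crt"
echo "== same stray certificate vs the CA that issued it =="
verify_against "$work/other-ca/ca.crt" "$work/stray.crt"
```

`openssl pkcs12 -in <bundle>.p12 -clcerts -nokeys` prints the client certificate held in an exported `.p12`, which can then be checked against the exported CA file in the same way.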
