[Solved] Unable to get local issuer certificate: CN=localhost
-
Hi, I am starting to play with OpenVPN server running on pfSense, and I am stuck.
Using the pfSense Certificate manager, I created the CA, Server Certificate, User Certificate, and revocation list. I created the OpenVPN server, and opened the appropriate UDP port.
When a remote client tries to connect, here is what I see in the server logs:
Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=localhost
Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> TLS Error: TLS object -> incoming plaintext read error
Jul 7 19:10:13 openvpn[70344]: <client ip>:<port> TLS Error: TLS handshake failed
Then the client times out after 60 seconds, and tries to connect again.
Does the server log tell you anything? Why is it “CN=localhost”, which does not match any of the common names I configured?
Thank you.
-
Where did you get the certificate for the remote client?
-
Where did you get the certificate for the remote client?
I created all certificates in the pfSense Certificate Manager. And then I used the “OpenVPN Client Export Utility” to copy the configuration to the client (four files, ending with: ovpn, p12, ca.crt and tls.key).
My OpenVPN server configuration is “Remote Access (SSL/TLS + User Auth)” with RADIUS backend. But it does not look like I am getting to the Authentication part, I am getting stuck before that.
-
I got it working. The p12 file was password-protected and needed to be installed into the certificate store before the OpenVPN client could use it. Thank you.
-
Glad it worked out :)
-
I started to get this exact same error again all of a sudden. The server certificate is still in the client store. I do not understand what happened.
I enabled pfSense SSH shell access not long ago. Could that have screwed with my certificates somehow?
-
I reexported and reinstalled the client bundle, and OpenVPN is working again.
What do you think happened?
-
Just to let you know that I had this same error when I check Microsoft Certificate Storage. I have just tested it in Windows 10.
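
An added example, not part of the thread and not pfSense or OpenVPN code: a shell check that the client certificate inside an exported .p12 chains to the exported ca.crt, which is the relationship the server's VERIFY step tests. All file names, common names and the password are constructed, and the script builds its own throwaway CA and bundles with the openssl CLI so it runs offline.

```shell
#!/bin/sh
# Added example. Every file name, CN and the password here is constructed.

# check_p12 <ca.crt> <bundle.p12> <password>
# Prints subject/issuer of the client certificate in the bundle.
# Returns 0 if it chains to ca.crt, 1 if not, 2 if the bundle is unreadable.
check_p12() {
    tmp=$(mktemp) || return 2
    if ! P12PASS="$3" openssl pkcs12 -in "$2" -passin env:P12PASS \
            -clcerts -nokeys 2>/dev/null | openssl x509 -out "$tmp" 2>/dev/null
    then
        echo "cannot read $2 (wrong password or not PKCS#12)"
        rm -f "$tmp"; return 2
    fi
    openssl x509 -in "$tmp" -noout -subject -issuer
    rc=0
    openssl verify -CAfile "$1" "$tmp" 2>/dev/null | grep -q ': OK$' || rc=1
    rm -f "$tmp"; return $rc
}

# make_demo <dir>: build a throwaway CA, a user bundle signed by it, and an
# unrelated self-signed CN=localhost bundle. Relies on the stock openssl.cnf
# marking "req -x509" certificates as CA certificates.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=demo-vpn-ca" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$1/user.key" -out "$1/user.csr" 2>/dev/null
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/user.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=localhost" \
        -keyout "$1/other.key" -out "$1/other.crt" 2>/dev/null
    for n in user other; do
        openssl pkcs12 -export -inkey "$1/$n.key" -in "$1/$n.crt" \
            -passout pass:demo-pass -out "$1/$n.p12"
    done
}

d=$(mktemp -d) && make_demo "$d"
check_p12 "$d/ca.crt" "$d/user.p12" demo-pass && echo "user.p12: chains to CA"
check_p12 "$d/ca.crt" "$d/other.p12" demo-pass || echo "other.p12: not from this CA"
```

Against a real export, call check_p12 with the ca.crt and .p12 files produced by the export utility and the bundle's password; the printed subject and issuer show which certificate the bundle actually carries.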