TLS Error: TLS handshake failed



  • Had a client order an SG-2440, set it up with a static IP, all's good.

    Set up a self-signed CA and cert. Added users, added the cert to the user. Used the wizard to set up OpenVPN, making sure that I checked the boxes to add the rules to the firewall. Installed the OpenVPN Client Export Utility and exported the Viscosity bundle.

    Transferred the viscosity bundle to the client machine, installed it and tried to connect. No go. On the client side it said: TLS Error: TLS handshake failed.
    I checked the OpenVPN logs and saw the following errors:

    ```
    VERIFY ERROR: depth=0, error=unsupported certificate purpose
    TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed
    ```

    I also tried using the OpenVPN wizard to create the CA and certificates but that didn't work either.

    I checked the forums, found a few other reports of this issue but no definitive solutions. Is there a solution to this problem?


  • Rebel Alliance Global Moderator

    " error=unsupported certificate purpose"

    You have the wrong certs selected. I would delete what you did and walk through the wizard!! It walks you through creating a CA and a server cert, and then you create a client cert.



  • I did use the wizard as stated above. Never had any trouble before.


  • Rebel Alliance Global Moderator

    Well, you created the wrong cert from that error or picked the wrong one in the dropdown box on the OpenVPN setup. You need to create a SERVER cert. Please post up the certs you're using.

    So see attached. My CA that I created for OpenVPN use, then the server cert that was created, and a user account cert.



  • Rebel Alliance Developer Netgate

    When making the cert, you need to pick "Server Certificate" – it's very easy to overlook. When setting up test VMs I'd say I forget it on the first try about 2/3 of the time :-)


  • Rebel Alliance Global Moderator

    Which is why I asked if he went through the wizard - the wizard creates a SERVER cert. Just ran through it again as a test. It never asks you - it auto-creates the correct one. So if you create a new CA, and in the next step create the cert, it's going to be a server cert.

    If he ran through the wizard after trying to create his own certs, then yeah, he could have messed it up with your example.




  • See attached screenshots. I am making the correct certificates but no matter which method I use, the end results are the same.

    ![Screen Shot 2015-09-10 at 8.52.11 PM.jpg](/public/imported_attachments/1/Screen Shot 2015-09-10 at 8.52.11 PM.jpg)
    ![Screen Shot 2015-09-10 at 9.01.40 PM.jpg](/public/imported_attachments/1/Screen Shot 2015-09-10 at 9.01.40 PM.jpg)



  • One other odd gotcha I've run into: make sure the time is correct on both client and server.

    Perhaps try with a Windows export just to see if it may be a Viscosity problem?

    No other good suggestions other than to try to build OpenVPN clean from scratch.


  • Rebel Alliance Global Moderator

    Why does it say user cert on that - are you trying to use the server cert as your user cert as well? You have to create a specific user cert; you cannot use the same server cert for your user. See my example where I have a johnpoz cert as the user cert.
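
The check behind the `VERIFY ERROR: depth=0, error=unsupported certificate purpose` line at the top of the thread, reproduced outside pfSense as an added example (this is not code from the thread, from pfSense or from OpenVPN). OpenSSL's `verify -purpose sslclient` is the same purpose test libssl applies on the server side to the certificate the client presents: a certificate carrying only the server-type extensions (`extendedKeyUsage = serverAuth`, `nsCertType = server`) is rejected with exactly that reason, while a certificate with the client-type extensions passes. The CA and certificate names (`demo-ca`, `vpn-server`, `vpn-user`) are made up, and the `v3_server` / `v3_client` extension sets are an assumption about what pfSense's "Server Certificate" and "User Certificate" types produce; inspect your own certs with `openssl x509 -noout -text` to compare.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/OpenVPN.
# Builds a throwaway CA plus one server cert and one client cert with
# OpenSSL, then runs the purpose check an OpenVPN server applies to the
# certificate its peer presents. Names (demo-ca, vpn-server, vpn-user)
# are made up for the demonstration.
set -e

PKI=$(mktemp -d)
trap 'rm -rf "$PKI"' EXIT

# Extension profiles. v3_server / v3_client approximate what pfSense emits
# for "Server Certificate" and "User Certificate" (assumed; compare with
# your own certs via: openssl x509 -in cert.crt -noout -text).
cat > "$PKI/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
nsCertType = client
EOF

# issue_cert NAME SECTION: key + CSR for NAME, signed by demo-ca with the
# extensions from SECTION of req.cnf
issue_cert() {
  openssl req -new -config "$PKI/req.cnf" -subj "/CN=$1" \
    -newkey rsa:2048 -nodes -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
    -CAcreateserial -days 1 -extfile "$PKI/req.cnf" -extensions "$2" \
    -out "$PKI/$1.crt" 2>/dev/null
}

make_demo_pki() {
  openssl req -x509 -config "$PKI/req.cnf" -extensions v3_ca -subj "/CN=demo-ca" \
    -newkey rsa:2048 -nodes -keyout "$PKI/ca.key" -out "$PKI/ca.crt" -days 1 2>/dev/null
  issue_cert vpn-server v3_server
  issue_cert vpn-user v3_client
}

# check_purpose PURPOSE CERT: prints "OK", or OpenSSL's reason for rejecting
# CERT for PURPOSE. sslclient is the test the server runs on the peer cert;
# sslserver is the mirror-image test of a server cert.
check_purpose() {
  if openssl verify -purpose "$1" -CAfile "$PKI/ca.crt" "$2" >/dev/null 2>&1; then
    echo OK
  else
    # verify prints e.g. "error 26 at 0 depth lookup: unsupported certificate purpose"
    openssl verify -purpose "$1" -CAfile "$PKI/ca.crt" "$2" 2>&1 \
      | sed -n 's/^error [0-9]* at [0-9]* depth lookup: //p'
  fi
}

make_demo_pki
for cert in vpn-server vpn-user; do
  echo "$cert presented as client cert: $(check_purpose sslclient "$PKI/$cert.crt")"
  echo "$cert presented as server cert: $(check_purpose sslserver "$PKI/$cert.crt")"
done
```

Run it and `vpn-server presented as client cert` comes back `unsupported certificate purpose`, the same string OpenVPN logged, while `vpn-user` passes; the reverse pairing fails the same way. Pointing `check_purpose sslclient` at the certificate bundled into an exported client profile is a quick way to confirm whether the export picked up a server certificate instead of the user's.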