Cannot create new openvpn servers that work



  • On a pfsense box (PC based) I've used since 2011, I now cannot create a new openvpn account that works.

    This is what's logged at the client PC (Win7):

    Mon Sep 14 08:33:32 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=ST, L=L, O=Org, emailAddress=email@example.com, CN=testvpn
    Mon Sep 14 08:33:32 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Mon Sep 14 08:33:32 2015 TLS Error: TLS object -> incoming plaintext read error
    Mon Sep 14 08:33:32 2015 TLS Error: TLS handshake failed
    Mon Sep 14 08:33:32 2015 SIGUSR1[soft,tls-error] received, process restarting

    The old accounts still work fine. I've tested the client on a PC that has a working openvpn account. Using the same CA as the old accounts, SSL/TLS + User Auth.

    Currently on pfsense 2.2.4. The last working account I made was in July on pfsense 2.2.2.

    Updated the openvpn export utility to the latest version - no change.
    Tried using a new CA - no change.
    Tried dropping the win client version back to 2.3.6 - no change.

    What's going on? Should I try to drop the pfsense box back to the last version that worked for me - 2.2.2?



  • As I had a similar issue after updating pfSense to 2.2.3, I got it to work by updating the OpenVPN software on the Windows client from https://openvpn.net/index.php/open-source/downloads.html

    However, I'm not sure if I had this error message: "error=unsupported certificate purpose"
    This basically tells you that the certificate which is used for testvpn has the wrong type. Is it a user cert?


  • Rebel Alliance Global Moderator

    " error=unsupported certificate purpose:"

    Man have been seeing this a LOT lately..

    You're creating a user cert and trying to use it as server most likely, or you have a server cert and trying to use it as user..

    Validate what certs you're using.. If you create new certs in the wizard you cannot screw it up.. But if you just go to the cert manager you can.
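The "unsupported certificate purpose" line in the client log is OpenSSL's purpose check failing: the client validates the server's certificate for the sslserver purpose, and that check reads the certificate's extendedKeyUsage extension, which is what separates a user (client) cert from a server cert regardless of which OpenVPN instance it is assigned to. The script below is an added example, not code from this thread or from pfSense: it builds a throwaway CA, one certificate with serverAuth and one with clientAuth (all names and files constructed here), then shows how to inspect the extension and reproduce the exact verify error on a workstation with openssl installed before touching the firewall.

```shell
#!/bin/sh
# Added example: reproduce and diagnose "unsupported certificate purpose"
# with a throwaway CA. Nothing here is pfSense's own tooling.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config so the example does not depend on the system
# openssl.cnf. The v3_ca section marks the throwaway root as a CA.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Example Throwaway CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Throwaway CA (constructed for this example)
openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -days 1 -subj "/CN=Example Throwaway CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# make_cert NAME EKU
# Issues NAME.crt from the throwaway CA with the given extendedKeyUsage.
# serverAuth is what a "server certificate" carries; clientAuth is what a
# "user certificate" carries.
make_cert() {
  name=$1
  eku=$2
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage=%s\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$eku" > "$name.ext"
  openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$name.ext" -out "$name.crt" >/dev/null 2>&1
}

make_cert server serverAuth   # what the OpenVPN server should present
make_cert user clientAuth     # a user cert, like "testvpn" in the log above

# show_eku CERT
# Prints the extendedKeyUsage line(s) of a certificate; this is the attribute
# to look at when a cert was created by hand in a cert manager.
show_eku() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1
}

# check_purpose CERT PURPOSE
# PURPOSE is an openssl verify purpose name: sslserver (what an OpenVPN client
# checks the server cert against) or sslclient (what the server checks a user
# cert against). Prints "ok" or "bad"; the failure reason is on stderr.
check_purpose() {
  if openssl verify -CAfile ca.crt -purpose "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo bad
  fi
}

# Full error text for the mismatched case, to compare with the client log
verify_error() {
  openssl verify -CAfile ca.crt -purpose "$2" "$1" 2>&1 | grep -o 'unsupported certificate purpose' | head -n 1
}

# Stand-alone usage: print EKUs and the four purpose checks
echo "server.crt EKU: $(show_eku server.crt)"
echo "user.crt   EKU: $(show_eku user.crt)"
echo "server.crt as sslserver: $(check_purpose server.crt sslserver)"
echo "user.crt   as sslserver: $(check_purpose user.crt sslserver)"
echo "user.crt   as sslclient: $(check_purpose user.crt sslclient)"
echo "server.crt as sslclient: $(check_purpose server.crt sslclient)"
```

Running it against the real server certificate exported from the firewall (substitute its path for `user.crt` and the real CA for `ca.crt`) tells you immediately whether the certificate assigned to the OpenVPN server instance has serverAuth, which is the question this thread turns on.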




  • First off, I dropped back to 2.2.2 + previous config (painless) and can now make new openvpn accounts. Well, new accounts the way I've been doing it - read on.

    In my certificate lineup, they are all

    User Cert
      OpenVPN Server

    and I have no distinct Server certs. So, they're combined. Apparently 2.2.4 doesn't like that.

    So I went through a setup with a distinct server cert - I see how it's done.

    Thanks - I think you've pointed out my problem. I'll try the update to 2.2.4 again in a day or two.



  • @tkb:

    In my certificate lineup, they are all

    User Cert
      OpenVPN Server

    and I have no distinct Server certs. So, they're combined.

    They're not combined. OpenVPN Server is not a cert attribute, it's just where it's in use. What johnpoz is referring to, and what matters, is the left column he highlighted in one of the screenshots.