Cannot create new openvpn servers that work

tkb

On a pfsense box (PC based) I've used since 2011, I now cannot create a new openvpn account that works.

This is what's logged at the client PC (Win7):

Mon Sep 14 08:33:32 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=ST, L=L, O=Org, emailAddress=email@example.com, CN=testvpn
Mon Sep 14 08:33:32 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Sep 14 08:33:32 2015 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 14 08:33:32 2015 TLS Error: TLS handshake failed
Mon Sep 14 08:33:32 2015 SIGUSR1[soft,tls-error] received, process restarting

The old accounts still work fine. I've tested the client on a PC that has a working openvpn account. Using the same CA as the old accounts,  SSL/TLS + User Auth.

Currently on pfsense 2.2.4. The last working account I made was in July on pfsense = 2.2.2.

Updated the openvpn export utility to the latest version - no change.
Tried using a new CA - no change.
Tried dropping the win client version back to 2.3.6 - no change.

What's going on? Should I try to drop the pfsense box back to the last version that worked for me - 2.2.2?

viragomann

As I had a similar issue after updating pfSense to 2.2.3, I got it work by updating the OpenVPN software on Windows client from https://openvpn.net/index.php/open-source/downloads.html

However, I'am not sure if I had this error massage: "error=unsupported certificate purpose"
This basically tell you that the certificate which is used for testvpn has the wrong type. Is it a user cert?

johnpoz

" error=unsupported certificate purpose:"

Man have been seeing this a LOT lately..

Your creating a user cert and trying to use it as server most likely, or you have a server cert and trying to use it as user..

Validate what certs your using.. If you create new certs in the wizard you can not screw it up.. But if you just go to the cert manager you can.

tkb

First off, I dropped back to 2.2.2 + previous config (painless) and can now make new openvn accounts. Well, new accounts the way I've been doing it - read on.

In my certificate lineup, they are all

User Cert
  OpenVPN Server

and I have no distict Server certs. So, they're combined. Apparently 2.2.4 doesn't like that.

So I went through a setup with a distinct server cert - I see how it's done.

Thanks - I think you've pointed out my problem. I'll try the update to 2.2.4 again in a day or two.

cmb

@tkb:

In my certificate lineup, they are all

User Cert
  OpenVPN Server

and I have no distict Server certs. So, they're combined.

They're not combined. OpenVPN Server is not a cert attribute, it's just where it's in use. What johnpoz is referring to, and what matters, is the left column he highlighted in one of the screenshots.