Netgate Discussion Forum
    Cannot create new openvpn servers that work

    OpenVPN
    tkb

      On a pfsense box (PC based) I've used since 2011, I now cannot create a new openvpn account that works.

      This is what's logged at the client PC (Win7):

      Mon Sep 14 08:33:32 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=ST, L=L, O=Org, emailAddress=email@example.com, CN=testvpn
      Mon Sep 14 08:33:32 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Mon Sep 14 08:33:32 2015 TLS Error: TLS object -> incoming plaintext read error
      Mon Sep 14 08:33:32 2015 TLS Error: TLS handshake failed
      Mon Sep 14 08:33:32 2015 SIGUSR1[soft,tls-error] received, process restarting

      The old accounts still work fine. I've tested the client on a PC that has a working openvpn account. Using the same CA as the old accounts, SSL/TLS + User Auth.

      Currently on pfsense 2.2.4. The last working account I made was in July on pfsense 2.2.2.

      Updated the openvpn export utility to the latest version - no change.
      Tried using a new CA - no change.
      Tried dropping the win client version back to 2.3.6 - no change.

      What's going on? Should I try to drop the pfsense box back to the last version that worked for me - 2.2.2?

      viragomann

        As I had a similar issue after updating pfSense to 2.2.3, I got it to work by updating the OpenVPN software on the Windows client from https://openvpn.net/index.php/open-source/downloads.html

        However, I'm not sure if I had this error message: "error=unsupported certificate purpose"
        This basically tells you that the certificate which is used for testvpn has the wrong type. Is it a user cert?

        johnpoz (LAYER 8 Global Moderator)

          " error=unsupported certificate purpose:"

          Man have been seeing this a LOT lately..

          You're creating a user cert and trying to use it as server most likely, or you have a server cert and trying to use it as user..

          Validate what certs you're using.. If you create new certs in the wizard you can not screw it up.. But if you just go to the cert manager you can.

          [screenshot: openvpncerts.png]

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07 | Lab VMs 2.8, 25.07

          tkb

            First off, I dropped back to 2.2.2 + previous config (painless) and can now make new openvpn accounts. Well, new accounts the way I've been doing it - read on.

            In my certificate lineup, they are all

            User Cert
              OpenVPN Server

            and I have no distinct Server certs. So, they're combined. Apparently 2.2.4 doesn't like that.

            So I went through a setup with a distinct server cert - I see how it's done.

            Thanks - I think you've pointed out my problem. I'll try the update to 2.2.4 again in a day or two.

            cmb

              @tkb:

              In my certificate lineup, they are all

              User Cert
                OpenVPN Server

              and I have no distinct Server certs. So, they're combined.

              They're not combined. OpenVPN Server is not a cert attribute, it's just where it's in use. What johnpoz is referring to, and what matters, is the left column he highlighted in one of the screenshots.

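A way to see the user-cert versus server-cert distinction johnpoz and cmb describe with plain OpenSSL, added here as an example (it is not from the thread and not pfSense's own code). It assumes the openssl CLI is installed; the CA, names and certificates are throwaway material generated in a temp directory, and the server-purpose check mirrors the one an OpenSSL-based OpenVPN client applies to the server's certificate.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Assumes the openssl CLI.
# All keys, certs and names below are constructed throwaway demo material.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (constructed for this demo only)
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -days 2 -subj "/CN=demo-ca" >/dev/null 2>&1

# issue_cert NAME TYPE: TYPE is "user" or "server", the two choices pfSense's cert
# manager offers. Only the extensions differ; that is the "left column" cmb means.
issue_cert() {
  name=$1; type=$2
  if [ "$type" = server ]; then
    printf 'extendedKeyUsage=serverAuth\nnsCertType=server\n' > "$WORK/$name.ext"
  else
    printf 'extendedKeyUsage=clientAuth\nnsCertType=client\n' > "$WORK/$name.ext"
  fi
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$name" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" \
    >/dev/null 2>&1
}

# is_server_cert NAME: succeeds only if the cert passes the sslserver purpose check,
# the same check that fails in the client log with "unsupported certificate purpose".
is_server_cert() {
  openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_message NAME: prints the purpose error text, or nothing when accepted
verify_message() {
  openssl verify -purpose sslserver -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>&1 \
    | grep -o 'unsupported certificate purpose' || true
}

issue_cert testvpn user       # a user cert used as the server cert: rejected
issue_cert vpnserver server   # a distinct server cert, as the thread concludes: accepted
```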
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.