Open VPN handshake fail



  • Hi guys,
    I've created a new OpenVPN setup using domain controller RADIUS authentication, using this link:
    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

    However, the connection is not working; I am getting a handshake failure. Please find the error below.

    The error I am getting is:

    Fri Nov 13 09:55:33 2015 UDPv4 link local (bound): [undef]
    Fri Nov 13 09:55:33 2015 UDPv4 link remote: [AF_INET]test.domain.com:1194
    Fri Nov 13 09:55:33 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord Brabant, L=heaven, O=centos, emailAddress=info@domain.nl, CN=ca.centos.nl
    Fri Nov 13 09:55:33 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Fri Nov 13 09:55:33 2015 TLS Error: TLS object -> incoming plaintext read error
    Fri Nov 13 09:55:33 2015 TLS Error: TLS handshake failed
    Fri Nov 13 09:55:33 2015 SIGUSR1[soft,tls-error] received, process restarting
    Fri Nov 13 09:55:35 2015 UDPv4 link local (bound): [undef]
    Fri Nov 13 09:55:35 2015 UDPv4 link remote: [AF_INET]test.domain.com:1194
    Fri Nov 13 09:55:35 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord Brabant, L=heaven, O=centos, emailAddress=info@domain.nl, CN=ca.centos.nl
    Fri Nov 13 09:55:35 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Fri Nov 13 09:55:35 2015 TLS Error: TLS object -> incoming plaintext read error
    Fri Nov 13 09:55:35 2015 TLS Error: TLS handshake failed
    Fri Nov 13 09:55:35 2015 SIGUSR1[soft,tls-error] received, process restarting
    Fri Nov 13 09:55:37 2015 UDPv4 link local (bound): [undef]
    Fri Nov 13 09:55:37 2015 UDPv4 link remote: [AF_INET]test.domain.com:1194



  • It says error=unsupported certificate purpose:
    How did you generate your certificates?



  • @thermo:

    It says error=unsupported certificate purpose:
    How did you generate your certificates?

    Thank you for your answer.
    I've generated the certificate exactly as shown here:

    https://doc.pfsense.org/index.php/OpenVPN_with_RADIUS_via_Active_Directory

    The same way worked on 2.2.4, but I am on 2.2.5.
    Is this a bug in 2.2.5?

    I managed to fix it.

    I needed to create a server certificate, not a user certificate.
    Thank you



  • Hi Jamerson,

    I'm having the same issue. Could you please post the steps on how and where you created this certificate?

    Thank you,


  • LAYER 8 Global Moderator

    The wizard is pretty much IDIOT proof, yet seems like every other day we have someone trying to use a user cert for the server…
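
Added example, not part of the thread and not pfSense's own tooling: a throwaway CA issues one certificate with a server profile and one with a user profile, then `openssl verify -purpose sslserver` shows which of the two passes the purpose check that produced `unsupported certificate purpose` in the log above. The CNs, file names and function names are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example: throwaway CA plus one server-profile and one user-profile cert.
# All names (CNs, file names, function names) are constructed for illustration.
WORK=$(mktemp -d)

# Extension profiles: what separates a server certificate from a user certificate.
cat > "$WORK/ext.cnf" <<'EOF'
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
[user]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF

# new_csr NAME: write NAME.key and NAME.csr into $WORK.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# make_ca: self-signed test CA.
make_ca() {
    new_csr ca && openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
        -days 1 -extfile "$WORK/ext.cnf" -extensions ca -out "$WORK/ca.crt" 2>/dev/null
}

# issue NAME PROFILE: sign NAME.csr with the test CA using the [PROFILE] extensions.
issue() {
    new_csr "$1" && openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
        -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# usable_as_server NAME: chain check plus the TLS-server purpose check
# that a client applies to the certificate the server presents.
usable_as_server() {
    openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca && issue vpn-server server && issue vpn-user user
for c in vpn-server vpn-user; do
    if usable_as_server "$c"; then echo "$c: OK as server certificate"
    else echo "$c: rejected as server certificate"; fi
done
```

To inspect an existing certificate the same way, `openssl x509 -in <cert> -noout -text` lists its Extended Key Usage; a certificate used on the server side needs TLS Web Server Authentication there.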


