Netgate Discussion Forum

    Re: TLS Error: TLS key negotiation failed to occur within 60 seconds

    • A Offline
      Ami
      last edited by

      Hi All,

      I'm having the same issue. Clean install of pfSense 2.2.5, and I used the wizard to create the OpenVPN server and cert.

      OpenVPN client-side error:

      Sat Nov 28 18:23:03 2015 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=US, ST=Missouri, L=Saint Louis, O=AEM Business Solutions, emailAddress=myemail@mydomain.com, CN=almirm
      Sat Nov 28 18:23:03 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
      Sat Nov 28 18:23:03 2015 TLS Error: TLS object -> incoming plaintext read error
      Sat Nov 28 18:23:03 2015 TLS Error: TLS handshake failed
      Sat Nov 28 18:23:03 2015 SIGUSR1[soft,tls-error] received, process restarting
      Sat Nov 28 18:23:05 2015 UDPv4 link local (bound): [undef]
      Sat Nov 28 18:23:05 2015 UDPv4 link remote: [AF_INET]my.public.wan.ip.addr:1194
      Sat Nov 28 18:23:05 2015 SIGTERM[hard,] received, process exiting

      OpenVPN client-side config file:

      dev tun
      persist-tun
      persist-key
      cipher AES-256-CBC
      auth SHA1
      tls-client
      client
      resolv-retry infinite
      remote public.ip.addr 1194 udp
      lport 0
      verify-x509-name "almirm" name
      auth-user-pass
      pkcs12 pfs-fw2-udp-1194-almirm.p12
      tls-auth pfs-fw2-udp-1194-almirm-tls.key 1

      I see here I don't have user and server .cert, but that should come included in the Client Export OpenVPN client software?

      See attached screenshots of my OpenVPN server and certs.

      Please let me know if you require more info.

      Thanks in advance.

      ![openvpn certs.PNG](/public/imported_attachments/1/openvpn certs.PNG)
      ![openvpn conf files.PNG](/public/imported_attachments/1/openvpn conf files.PNG)
      ![openvpn user settings.PNG](/public/imported_attachments/1/openvpn user settings.PNG)
      ![pfsence opnevpn capture.png](/public/imported_attachments/1/pfsence opnevpn capture.png)

      • johnpozJ Online
        johnpoz LAYER 8 Global Moderator
        last edited by

        Not the same error at all, and how did you mess up the wizard that ASKS you to create a server cert.. Yet you're trying to use a USER cert for the server..

        "ead tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        • P Offline
          pajo99
          last edited by

          Try to remove the checkbox from Block Private Networks in the WAN interface and see if it works.

          • DerelictD Offline
            Derelict LAYER 8 Netgate
            last edited by

            @pajo99:

            Try to remove the checkbox from Block Private Networks in the WAN interface and see if it works.

            What?

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

            • D Offline
              divsys
              last edited by

              Quote from: pajo99 on 2015-12-02, 01:47:48

              Try to remove the checkbox from Block Private Networks in the WAN interface and see if it works.

              What?

              Exactly, Block Private Networks has nothing to do with this issue, as johnpoz already pointed out, the OP is incorrectly trying to use a USER Certificate for an OpenVPN SERVER.

              -jfp

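The diagnosis johnpoz and divsys give (a user certificate bound to the server, so the client's "unsupported certificate purpose" check fails) can be reproduced with openssl before a cert ever goes on the server. This is an added example, not code from the thread or from pfSense: it builds a throwaway CA, issues one leaf cert marked serverAuth and one marked clientAuth only (what a Server Certificate and a User Certificate carry, respectively, as assumed here), and runs the same sslserver purpose check the client performed. All names, CNs and file paths are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the client's "unsupported certificate purpose"
# verdict with openssl, so a certificate can be checked before it is bound to an OpenVPN server.
# Assumes openssl with its default config on PATH; every certificate below is constructed here.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA, standing in for the pfSense internal CA the wizard creates.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# Issue a CA-signed leaf cert whose only purpose extension is the given extendedKeyUsage.
issue_cert() { # $1 = name, $2 = extendedKeyUsage value (serverAuth or clientAuth)
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Ask openssl the question the OpenVPN client asks of the server's cert: may it act as a TLS server?
# Prints "OK" or the purpose error text; always exits 0 so callers can compare the output.
server_purpose() { # $1 = leaf cert path
  if out=$(openssl verify -purpose sslserver -CAfile "$WORK/ca.crt" "$1" 2>&1); then
    echo OK
  else
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n1
  fi
}

# Show which extendedKeyUsage a cert actually carries (the line after the extension header).
show_eku() { # $1 = cert path
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}

issue_cert server serverAuth   # what a "Server Certificate" carries
issue_cert user   clientAuth   # what a "User Certificate" carries

for c in server user; do
  printf '%s.crt  EKU: %s  sslserver check: %s\n' \
    "$c" "$(show_eku "$WORK/$c.crt")" "$(server_purpose "$WORK/$c.crt")"
done
# server.crt  EKU: TLS Web Server Authentication  sslserver check: OK
# user.crt    EKU: TLS Web Client Authentication  sslserver check: unsupported certificate purpose
```

Running the same `openssl verify -purpose sslserver` against the certificate selected in the pfSense OpenVPN server settings tells you in advance whether clients will reject it.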
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.