[Solved] OpenVPN TLS Error
-
Hi all,
I'm getting this error on the server side on a pfSense system (2.2.6-RELEASE):
Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 TLS Error: TLS handshake failed
Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 TLS Error: TLS object -> incoming plaintext read error
Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 VERIFY SCRIPT ERROR: depth=1, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=VPN Wuapaa
Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Feb 9 17:25:15 openvpn: Found certificate with depth 1
Feb 9 17:25:15 openvpn[56632]: 91.141.3.170:3568 UDPv4 READ [1148] from [AF_INET]91.141.3.170:3568: P_CONTROL_V1 kid=0 pid=[ #45 ] [ ] pid=4 DATA len=1094
I already set the Certificate Depth in the server configuration to "Two", as mentioned somewhere in the forum, but that didn't solve the problem. Also, if I disable the client check, the VPN tunnel is established.
The certificates were generated by the wizard, so I don't think the problem lies there.
Does anybody have a hint on this? To me it looks like the verification script isn't working properly, maybe some file permission or encoding issue?
-
Hi,
Don't use spaces or special characters in the CN (VPN Wuapaa).
The best solution will be to change the user name and assign a new cert.
-
Hi,
I changed both the CA name and the username; the problem still occurs.
With cert check:
Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 TLS Error: TLS handshake failed
Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 TLS Error: TLS object -> incoming plaintext read error
Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 VERIFY SCRIPT ERROR: depth=1, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=VPNWuapaa
Feb 9 22:47:40 openvpn[38333]: 178.190.212.71:43465 WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
Without check:
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 WRITE [166] to [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #45 ] [ 5 ] pid=42 DATA len=100
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 TLS Auth Error: Auth Username/Password verification failed for peer
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 WARNING: Failed running command (--auth-user-pass-verify): external program exited with error status: 1
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 READ [538] from [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #46 ] [ 41 ] pid=5 DATA len=472
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 WRITE [117] to [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #44 ] [ 4 ] pid=41 DATA len=51
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 VERIFY OK: depth=0, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=awilm
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 VERIFY OK: depth=1, C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa, emailAddress=technik@wuapaa.com, CN=VPNWuapaa
Feb 9 22:51:43 openvpn[43025]: 178.190.212.71:39903 UDPv4 READ [782] from [AF_INET]178.190.212.71:39903: P_CONTROL_V1 kid=0 pid=[ #45 ] [ ] pid=4 DATA len=728
(The error in user authentication is another error, but IMHO not related to the problem.)
-
It shouldn't be an issue to have a space in the CN, unless you're doing strict CN matching (where the username couldn't contain a space).
Judging by those logs, it seems like your OpenVPN server is using a different CA than your clients, or there is some other issue with your certificates along those lines.
-
I checked the server config; the correct CA is selected. The certs under /var/etc/openvpn/ look good (IMHO):
With openssl x509 -in server1.ca -text -noout:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 0 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNWuapaa
        Validity
            Not Before: Feb  9 21:14:18 2016 GMT
            Not After : Feb  6 21:14:18 2026 GMT
        Subject: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNWuapaa
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:cd:73:ba:de:4a:ef:79:db:b4:25:1c:de:1a:
                    e4:d1:e7:8a:d1:8e:ff:28:ec:2e:f3:16:c0:b8:15:
                    71:02:df:3f:02:62:d0:d4:1c:e3:47:67:f2:91:e1:
                    cf:1c:31:a0:c4:15:ad:f3:dc:35:7f:50:d0:2b:30:
                    f4:63:ac:2a:37:a5:72:bc:1e:24:7e:6c:62:e2:f8:
                    45:2f:d7:fa:cf:bf:5c:97:73:98:be:14:8e:a4:df:
                    5d:d0:d4:03:52:35:67:d2:f5:58:f9:c3:a8:82:97:
                    03:6d:f6:5d:a8:67:c1:e2:87:fd:aa:78:4b:1b:0b:
                    12:70:b3:e2:21:95:8a:bb:68:ca:dc:0a:6a:89:79:
                    be:83:b5:f7:1c:25:75:0d:d7:28:5d:0d:34:22:46:
                    1f:f2:37:a3:4e:a6:0e:d9:54:ff:5a:fb:c0:ab:a3:
                    35:d0:7e:a4:4e:3a:aa:ba:66:6c:1c:90:f9:42:56:
                    2e:79:c6:b9:45:6e:37:11:6c:6d:e7:73:b6:8b:2b:
                    5d:28:7e:d1:49:d5:57:cc:b5:06:cc:cc:b0:c2:46:
                    3c:52:b0:06:9c:fa:21:77:84:f5:04:18:9c:4e:f9:
                    89:6a:59:4c:f4:6d:a4:c0:8e:3a:c3:43:07:44:ff:
                    26:49:5e:13:d7:56:4c:70:e7:45:29:a7:25:b0:3c:
                    cb:9d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                F2:EC:2B:FF:E4:C3:38:2F:76:D5:45:4A:A3:59:1D:A5:49:77:1D:FA
            X509v3 Authority Key Identifier:
                keyid:F2:EC:2B:FF:E4:C3:38:2F:76:D5:45:4A:A3:59:1D:A5:49:77:1D:FA
                DirName:/C=AT/ST=Kaernten/L=Klagenfurt/O=wuapaa/emailAddress=technik@wuapaa.com/CN=VPNWuapaa
                serial:00
            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Certificate Sign, CRL Sign
    Signature Algorithm: sha256WithRSAEncryption
         7a:03:5a:5d:be:eb:de:55:e7:4f:65:be:79:b3:b8:49:f3:92:
         57:8a:12:9a:f2:68:34:cf:4a:4f:66:2f:3e:b9:03:b3:e2:8d:
         0f:9c:98:29:f0:e1:9a:7d:bc:8b:6e:b4:b3:ec:47:c8:a0:10:
         0a:a4:4d:ff:42:2a:54:27:38:90:34:5a:f8:b7:5e:a0:0c:28:
         0b:08:99:0d:f0:76:9e:64:f1:28:94:8d:2d:b1:7f:d4:14:83:
         2c:d1:10:b6:22:b4:6b:73:4c:5a:e5:b2:cf:ca:1d:2e:61:b7:
         0d:f1:2f:c3:89:4b:71:f7:13:1c:bf:7f:6a:2d:41:36:5c:2e:
         78:e4:8b:55:2f:f6:70:a0:22:3a:11:84:6f:f8:25:28:81:5f:
         a6:86:2a:04:7b:6a:0e:5a:b4:ea:90:39:4e:f7:fb:8f:00:9b:
         86:a2:02:26:f3:04:9a:2f:ba:68:c3:32:aa:cb:f0:6e:1b:e3:
         8b:a0:75:5e:00:da:36:b3:22:f5:68:4f:6d:a1:de:3c:2b:2c:
         e0:6b:1d:5f:3d:cd:d5:38:b2:11:20:54:73:69:95:8d:5f:9a:
         2e:8b:a6:be:30:e5:e4:a5:c1:c4:e6:70:2c:51:b5:37:ad:51:
         e0:e6:22:b8:78:78:1c:11:ee:b4:7a:19:48:44:93:0c:1e:82:
         d4:51:30:8a
And openssl x509 -in server1.cert -text -noout:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNWuapaa
        Validity
            Not Before: Feb  9 21:14:20 2016 GMT
            Not After : Feb  6 21:14:20 2026 GMT
        Subject: C=AT, ST=Kaernten, L=Klagenfurt, O=wuapaa/emailAddress=technik@wuapaa.com, CN=VPNpfsense
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:9c:05:12:c7:a8:d2:1b:01:46:59:e0:aa:24:03:
                    6d:d5:59:c5:db:4f:39:2a:21:7c:68:34:dc:ed:ec:
                    e4:d5:90:a9:0b:d0:ab:ee:83:02:f7:64:b5:c9:eb:
                    21:12:60:7d:87:ab:4b:33:72:5f:b1:08:3c:92:32:
                    07:68:45:b5:42:17:42:76:94:8d:12:2c:ca:63:9e:
                    60:0a:c3:a3:20:99:43:c3:2a:51:1f:5a:be:89:15:
                    c6:4e:76:b3:7f:c9:12:1d:58:22:0e:b8:d4:04:12:
                    cc:b4:5b:4f:e5:d2:ac:a0:1a:0a:78:d5:a5:43:96:
                    ba:76:d5:2e:ef:7d:2b:df:41:ee:40:a8:a2:19:41:
                    8c:51:c0:a4:f1:cc:3e:d4:25:68:86:9d:0d:e3:2c:
                    09:5f:0f:02:7d:33:b0:44:33:da:03:98:be:ae:36:
                    18:f3:1a:e1:80:b4:51:bd:fa:5a:e3:98:45:48:a7:
                    90:90:81:12:96:fc:ae:ba:8b:e3:97:af:70:0b:b6:
                    f9:14:e6:26:fb:3c:bc:8b:fe:b2:ee:6d:fc:73:2b:
                    0f:23:d1:7c:fe:ca:ef:db:18:1f:71:42:3f:e0:a3:
                    c2:69:68:0f:b1:eb:e8:74:3b:92:4e:8a:58:87:0f:
                    aa:c2:c4:46:b0:21:4f:9c:81:c9:49:d6:69:5d:0d:
                    de:62:1e:1d:14:7c:ae:94:3f:2f:47:da:3c:8b:a3:
                    29:a9:26:51:60:7f:0e:d6:e7:d9:a0:ab:b9:cc:ed:
                    86:a8:e2:c9:ae:13:6c:46:ee:5e:8f:81:4e:87:6a:
                    8a:f6:2e:54:dc:2d:a2:96:38:11:eb:c2:c1:e1:b8:
                    f5:82:cc:06:89:71:fe:d0:7c:9d:fd:a3:60:18:36:
                    8e:c5:23:92:c9:91:3d:81:f9:08:bb:86:7c:1a:d0:
                    c5:7d:60:31:29:66:6d:73:6a:c6:e9:16:18:e7:3b:
                    d9:fc:3e:d1:bf:af:04:cc:f0:1b:ae:12:9c:5d:24:
                    cf:bf:e3:1f:71:aa:47:f2:e9:cb:59:c7:0c:31:dd:
                    14:3a:5b:d5:cd:31:7e:0f:e7:10:46:83:87:4d:b2:
                    ac:8a:86:71:2a:59:c5:d6:43:ea:9d:a9:20:ac:b7:
                    7a:ba:44:c4:78:16:08:52:48:f6:8d:2c:ee:3d:74:
                    68:d6:80:7b:2a:42:55:4d:6c:30:22:d1:15:71:9e:
                    81:90:ee:8d:b1:1e:01:60:a7:2f:54:f9:4f:f6:03:
                    32:0a:b1:20:59:45:0c:c7:a8:cf:47:e2:6d:67:d6:
                    50:12:4b:bb:96:cb:65:fd:e2:1c:05:1f:36:84:06:
                    b9:c6:16:40:2c:b9:bf:f3:2c:11:f7:4b:10:65:cd:
                    f8:d3:cf
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Subject Key Identifier:
                45:31:F5:B6:8D:78:83:7E:6B:BF:D5:89:C8:6F:4D:B6:54:D7:30:61
            X509v3 Authority Key Identifier:
                keyid:F2:EC:2B:FF:E4:C3:38:2F:76:D5:45:4A:A3:59:1D:A5:49:77:1D:FA
                DirName:/C=AT/ST=Kaernten/L=Klagenfurt/O=wuapaa/emailAddress=technik@wuapaa.com/CN=VPNWuapaa
                serial:00
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, 1.3.6.1.5.5.8.2.2
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
         58:c4:e5:5d:a9:a6:14:98:1b:49:41:7c:81:58:22:03:62:f1:
         f7:f3:b1:59:ac:cf:0e:86:26:b3:d8:83:5c:82:28:92:d7:2c:
         65:c6:b4:39:bd:5f:3e:6d:f5:eb:a8:7b:64:6d:02:90:32:ee:
         39:26:94:7e:cf:ce:98:13:72:c0:9b:14:f6:01:73:a5:82:86:
         c8:25:d2:26:49:4f:29:17:2d:d3:41:30:9e:95:11:6c:b3:0d:
         33:07:2a:00:4d:b6:9f:2b:aa:3f:0a:44:5c:8b:50:1e:33:6b:
         cf:88:d8:e1:a4:9e:1b:eb:89:e3:52:2a:be:aa:e3:42:b4:82:
         4c:bd:11:f2:28:4e:08:bf:34:e5:67:3a:80:6b:65:ca:64:3d:
         7a:89:74:0e:11:b2:5d:3f:d9:24:aa:1b:7b:77:22:b4:ba:31:
         a9:11:60:b2:78:7e:bc:c7:d1:22:93:46:b6:f9:22:50:af:16:
         f7:13:ee:43:4e:33:12:91:3b:35:91:00:91:fe:bc:d0:5f:f7:
         84:01:73:ea:73:1e:f1:ac:d3:72:82:73:4f:f7:61:3e:7a:19:
         3e:be:64:7a:ad:7b:55:4d:75:b3:45:ad:67:45:80:51:80:8d:
         f0:b6:87:cd:57:fa:1f:4d:71:c7:5b:ac:97:dc:f9:11:86:15:
         02:ec:bd:27
Are the user certs saved anywhere on the pfSense box?
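The reply above suspects the server and the clients are on different CAs, and the openssl output in this post is the manual way to look for that: a leaf's Authority Key Identifier must equal the issuing CA's Subject Key Identifier, and the leaf must verify against the CA file. The script below is an added example, not code from the thread or from pfSense; it builds a throwaway CA, a server cert, a client cert and a second, unrelated CA (all names, subjects and the pki.cnf extension file are constructed), then runs exactly those two checks, once against the right CA and once against the wrong one, with the openssl command line only.

```shell
#!/bin/sh
# Added example, not part of the thread or of pfSense. Builds a throwaway PKI
# (CA, server cert, client cert, plus an unrelated second CA) and runs the
# checks that tell "issued by a different CA" apart from other handshake failures.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed OpenSSL config: empty DN section (subjects come from -subj)
# plus the extension sets for a CA and for a leaf certificate.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# new_key_csr NAME SUBJECT: fresh RSA key and CSR under $WORK
new_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/pki.cnf" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" 2>/dev/null
}

# new_ca NAME SUBJECT: self-signed CA certificate
new_ca() {
  new_key_csr "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
    -set_serial 100 -extfile "$WORK/pki.cnf" -extensions ca_ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# new_leaf NAME SUBJECT CA SERIAL: leaf certificate signed by CA's key
new_leaf() {
  new_key_csr "$1" "$2"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -set_serial "$4" -days 1 -extfile "$WORK/pki.cnf" -extensions leaf_ext \
    -out "$WORK/$1.crt" 2>/dev/null
}

# chain_check CAFILE CERT: 0 if CERT verifies against CAFILE, non-zero otherwise.
# This is the path-validation step that fails at depth 1 in the OP's log.
chain_check() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_id FILE LABEL: the 20-byte hex identifier printed on the line after LABEL
# ("Subject Key Identifier" or "Authority Key Identifier") in -text output.
# Handles both the "keyid:XX:..." (1.1.x) and the bare (3.x) AKI formats.
key_id() {
  openssl x509 -in "$1" -noout -text | grep -A1 "$2" \
    | grep -oE '([0-9A-F]{2}:){19}[0-9A-F]{2}' | head -n 1 || true
}

# aki_matches_ski CAFILE CERT: does CERT name CAFILE's key as its issuer?
aki_matches_ski() {
  ski=$(key_id "$1" 'Subject Key Identifier')
  aki=$(key_id "$2" 'Authority Key Identifier')
  [ -n "$ski" ] && [ "$ski" = "$aki" ]
}

# Build the PKI: one CA with a server and a client cert, plus an unrelated CA
# (the situation suspected in the thread: server and clients on different CAs).
new_ca   ca       "/C=XX/O=Example/CN=Example VPN CA"
new_leaf server   "/C=XX/O=Example/CN=vpn-server" ca 1
new_leaf client   "/C=XX/O=Example/CN=vpn-user1"  ca 2
new_ca   other-ca "/C=XX/O=Example/CN=Some Other CA"

# report LABEL CAFILE CERT: human-readable summary of both checks
report() {
  if chain_check "$2" "$3" && aki_matches_ski "$2" "$3"; then
    echo "$1: chain OK, AKI matches CA SKI"
  else
    echo "$1: FAIL (cert was not issued by this CA)"
  fi
}
report "client vs ca"       "$WORK/ca.crt"       "$WORK/client.crt"
report "server vs ca"       "$WORK/ca.crt"       "$WORK/server.crt"
report "client vs other-ca" "$WORK/other-ca.crt" "$WORK/client.crt"
```

On a real box the same two functions are run with the files the thread names: chain_check /var/etc/openvpn/server1.ca against the downloaded user certificate, and aki_matches_ski to confirm its keyid is the CA's Subject Key Identifier (F2:EC:... in the output above). A "FAIL" here reproduces the depth-1 verify error from the log without involving OpenVPN at all; if both checks pass and the handshake still fails, the cause lies elsewhere (the tls-verify script, the Certificate Depth setting, or, as this thread ended up, a stale daemon state cleared by a restart).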
-
Are the user certs saved anywhere on the pfSense box?
Can't answer for sure (I think they reside in config.xml), but I usually resort to using "System->Cert Manager->Certificates" and just download the certificate I want to check.
-
Just for the record: after rebooting the box, the VPN works now.
Thanks to all for your help!