[SOLVED] vpn client failing to validate server certificate

digininja

I had a perfectly working setup with pfSense acting as an OpenVPN client to my VPN server then my intermediate certificate expired and I've had to reissue certificates. With the new certificates in place I'm now getting this error:

Mar 24 19:48:15 firewall openvpn[96070]: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=GB, ST=The Internet, O=Digininja, CN=Digininja Int CA, emailAddress=a@b.com
Mar 24 19:48:15 firewall openvpn[96070]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 24 19:48:15 firewall openvpn[96070]: TLS Error: TLS object -> incoming plaintext read error
Mar 24 19:48:15 firewall openvpn[96070]: TLS Error: TLS handshake failed
Mar 24 19:48:15 firewall openvpn[96070]: SIGUSR1[soft,tls-error] received, process restarting
Mar 24 19:48:17 firewall openvpn[96070]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mar 24 19:48:17 firewall openvpn[96070]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mar 24 19:48:17 firewall openvpn[96070]: UDPv4 link local (bound): [AF_INET]1.2.3.4
Mar 24 19:48:17 firewall openvpn[96070]: UDPv4 link remote: [AF_INET]2.3.4.5:1194

Which I think means that OpenVPN is rejecting the server side certificate because it doesn't trust it. I'm imported both the CA and the intermediate CA certs into the certificate manager and they are recognised as the CA is showing one associated certificate (the intermediate) and the intermediate showing two certs (my HTTPS cert and the VPN1). All I did when changing the certificates was to upload the new one and change the one the VPN config was using, I didn't make any other changes.

Reading the config file from /var/etc/openvpn I copied the certificate and key files it references to a Linux box and tried OpenVPN from there with those files, it fails as well. The file client1.ca which I copy across contains a copy of my intermediate cert, if I merge into that my CA cert then the OpenVPN starts fine on the Linux box so I think what I need to do is to tell OpenVPN on pfSense to use a chained ca file rather than just the intermediate file.

All that is a long winded way of saying I've probably made a stupid mistake somewhere when I changed the certificates but I can't work out what I've done. I know the certificates are OK as ones generated purely for use on the Linux box work fine and the ones for pfSense work fine with the chained ca file. Please, put me out of my half day misery and tell me what I'm likely to have done wrong so I can fix it and get back to everything working.

thomasr

maybe you have hit this bug

digininja

It sounds similar but in my situation pfSense is the client side not the server side.

I've tried putting the chained certificate in client1.ca and restarting the service but that didn't help.

divsys

Simple suggestion but, have you tried rebooting both ends of the conx?

I've run into issues in the past where I was fiddling with certificates, try to get a setup to work, and a restart of the OpenVPN service didn't load my changes.
I turned up the log verbosity and started tracking run Pid's till I saw the issue. Caused me no end of heartbreak until I rebooted the server and it all came up.

Might be worth a try….

digininja

I've been rebooting on and off but not between every config change. I've made sure that the service has been stopped and restarted after each change.

digininja

I finally got it working by manually editing the client1.conf file and slowly moving entries from the working Linux config file to the broken pfSense one. I also made sure both CA and intermediate certs were in client1.ca. To test things I removed the daemon line from the config so that I could start openvpn from the command line and watch the output rather than have to keep going through the GUI.

I'm sure this is a bad way to do it and I now daren't touch the OpenVPN section of the web interface but I'm up and running again and as I put two years on the intermediate CA I should be fine for a while.

Just in case it can help anyone else, here is the config file I ended up with:

dev ovpnc1
verb 1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 10.1.2.3
tls-client
client
lport 0
management /var/etc/openvpn/client1.sock unix
remote vpn1.xxx 1194
ca /var/etc/openvpn/client1.ca 
cert /var/etc/openvpn/client1.cert 
key /var/etc/openvpn/client1.key 
resolv-retry infinite
ns-cert-type server
comp-lzo

cmb

That's going to be blown away at some point, you can't manually edit any configs. Make sure your chain is in there for the configured CA cert and you'll be fine.

digininja

I understand that it will get blown away and that manually editing it was the wrong thing to do but I was missing something in the GUI that meant I couldn't get it to work. This, and software upgrades are the only changes I've made in the last year and as I've now got a copy of the working files, after the next upgrade, if things do break, I can put them back.

I tried putting a chained cert in the CA cert and it didn't work, does the order of the certificates in the file matter? It may also be that the restart didn't work correctly or it needed a reboot after the change to make things work.

I'm not blaming pfSense here, I'm sure it was probably something I messed up in replacing the certificate. If I get chance I'll try again with a chained cert as the CA and update with the results.