Netgate Discussion Forum

Pfsense 2.3: TLS handshake failed / Failed running command (--tls-verify script)

OpenVPN
12 Posts 6 Posters 6.5k Views
bennyc, last edited by Apr 14, 2016, 7:23 PM

That looks very similar to what I encountered a while ago, see: https://forum.pfsense.org/index.php?topic=97572.msg543520

My issue was caused by a space in the certificate's CN. Any chance yours has one too? If not, I would still give it a try and recreate the server cert…

4x XG-7100 (2xHA), 1x SG-4860, 1x SG-2100
1x PC Engines APU2C4, 1x PC Engines APU1C4
pfff, last edited by Apr 15, 2016, 3:07 PM

Hi bennyc, thank you for the suggestion! I tried deleting and then recreating all the certs (CA, server, user) without any spaces or other punctuation marks, but I get the same errors unfortunately. I haven't been able to do any further testing since I posted because of work, but I will continue trying.
emel_punk, last edited by Apr 15, 2016, 9:30 PM

So how are things going? I have installed Pfsense 2.2.6 and openvpn doesn't work, I cannot connect my clients. The error is

Fri Apr 15 16:27:55 2016 us=478668 ACK mark active incoming ID 24
Fri Apr 15 16:27:55 2016 us=478686 ACK acknowledge ID 24 (ack->len=1)
Fri Apr 15 16:27:55 2016 us=478707 BIO write tls_write_ciphertext 100 bytes
Fri Apr 15 16:27:55 2016 us=479154 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=CA, ST=bogota, L=bogota, O=mdc, emailAddress=info@mdc.com.co, CN=internal-ca
Fri Apr 15 16:27:55 2016 us=479201 SSL alert (write): fatal: bad certificate
Fri Apr 15 16:27:55 2016 us=479300 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Fri Apr 15 16:27:55 2016 us=479334 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 15 16:27:55 2016 us=479369 TLS Error: TLS handshake failed
Fri Apr 15 16:27:55 2016 us=479411 PID packet_id_free
Fri Apr 15 16:27:55 2016 us=479448 SSL alert (write): warning: close notify

I do not have firewall problems or anything; I repeated the process a lot and I am stuck on it. Please help
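The log emel_punk quotes fails at depth=1 with "certificate is not yet valid", which is the OpenSSL verdict when the verifying host's clock is earlier than the certificate's notBefore (the client is checking the CA certificate, not the firewall rules). The following triage script is an added example for this thread, not pfSense or OpenVPN project code: it parses VERIFY ERROR lines of the kind shown above, maps the reported depth to the certificate in the chain, and replays the validity-window check against the timestamp in the log. The sample log lines, subject names and the CA validity window are constructed.

```python
"""Triage helper for OpenVPN verbose-log TLS verification failures (added example)."""
import re
from datetime import datetime

# Constructed sample, modelled on the verbose client log quoted in this thread.
SAMPLE_LOG = """\
Fri Apr 15 16:27:55 2016 us=478707 BIO write tls_write_ciphertext 100 bytes
Fri Apr 15 16:27:55 2016 us=479154 VERIFY ERROR: depth=1, error=certificate is not yet valid: C=XX, ST=example, O=example-org, CN=example-internal-ca
Fri Apr 15 16:27:55 2016 us=479201 SSL alert (write): fatal: bad certificate
Fri Apr 15 16:27:55 2016 us=479369 TLS Error: TLS handshake failed
"""

# Constructed CA validity window: the CA was issued on a host whose clock was ahead
# of the client's, so at log time the client sees a certificate from the "future".
CA_NOT_BEFORE = datetime(2016, 4, 15, 21, 0, 0)
CA_NOT_AFTER = datetime(2026, 4, 15, 21, 0, 0)

# Timestamp, optional "us=" microsecond field, then the VERIFY ERROR payload.
VERIFY_ERROR_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?:us=\d+ )?VERIFY ERROR: depth=(?P<depth>\d+), "
    r"error=(?P<reason>[^:]+): (?P<subject>.*)$"
)


def parse_subject(subject):
    """Turn 'C=XX, O=org, CN=name' into a dict; values may contain spaces."""
    fields = {}
    for part in subject.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def chain_position(depth):
    """Depth 0 is the peer's own certificate; each higher depth is the next issuer."""
    if depth == 0:
        return "peer certificate (leaf)"
    if depth == 1:
        return "issuing CA"
    return "CA at depth %d (an issuer above the issuing CA)" % depth


def parse_verify_errors(log_text):
    """Return one record per VERIFY ERROR line: when, which certificate, why."""
    records = []
    for line in log_text.splitlines():
        m = VERIFY_ERROR_RE.match(line)
        if not m:
            continue
        depth = int(m.group("depth"))
        records.append({
            "timestamp": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "depth": depth,
            "position": chain_position(depth),
            "reason": m.group("reason"),
            "subject": parse_subject(m.group("subject")),
        })
    return records


def validity_status(not_before, not_after, now):
    """The time check OpenSSL applies to every certificate in the chain."""
    if now < not_before:
        return "certificate is not yet valid"
    if now > not_after:
        return "certificate has expired"
    return "valid"


def explain(record, not_before, not_after):
    """Cross-check the logged reason against the certificate's window at log time."""
    status = validity_status(not_before, not_after, record["timestamp"])
    cn = record["subject"].get("CN", "?")
    if status == record["reason"] == "certificate is not yet valid":
        skew = int((not_before - record["timestamp"]).total_seconds())
        return ("%s '%s' has notBefore %s but the verifying host's clock read %s "
                "(%d s earlier): check the clock on the verifying side and on the "
                "box that issued the certificate"
                % (record["position"], cn, not_before.isoformat(),
                   record["timestamp"].isoformat(), skew))
    return "%s '%s': %s (window check says %s)" % (
        record["position"], cn, record["reason"], status)


if __name__ == "__main__":
    for rec in parse_verify_errors(SAMPLE_LOG):
        print(explain(rec, CA_NOT_BEFORE, CA_NOT_AFTER))
```

The regex is anchored on the verbose-log line shape (`verb 4` and above, with the `us=` field); at lower verbosity the `us=` field is absent and the optional group handles that. Feeding it a real log together with the CA's actual notBefore (from `openssl x509 -noout -dates`) tells you in one line whether the "not yet valid" verdict is a clock problem on the verifier or on the issuer.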
pfff, last edited by Apr 16, 2016, 9:47 AM

FYI I just reinstalled 2.3 and now it works as expected, as it did on 2.2.6. Something must have failed during the upgrade. Thank you for your help.
v0lZy, last edited by Dec 28, 2017, 12:25 PM

Some necromancy seems to have brought this back from the depths of hell and is now pulling at my leg…

I have a fresh pfSense install (2.4.2-RELEASE-p1 (amd64)) and I am encountering an issue with a self-signed setup. Here is what I'm seeing:

1 - Created my own CA, created a CRL for said CA, created a server certificate issued by said CA, created a user certificate issued by said CA when creating my user.
2 - Configured an OpenVPN server and set it to "Remote Access ( SSL/TLS + User Auth )", used said CA, CRL and server certificate.
3 - Used 'OpenVPN Client Export' and grabbed the Archive for said user.
4 - When connecting the VPN and after providing username and password, on pfSense I see:

WARNING: Failed running command (--tls-verify script): external program exited with error status: 1
OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

On the client side, I see timeouts and the VPN fails to establish.

After hours of fighting with this issue I found this thread; I noted that my "Certificate Depth" was set to 'One (Client + Server)' and I was getting the above errors. I then changed "Certificate Depth" to "Do not check" and my issue went away.

On older pfSense installations, I never had any problems with "Certificate Depth" set to "One (Client + Server)", so I assume this is some kind of regression?

Can anyone suggest how to keep "Certificate Depth" at "One (Client + Server)" and not have the --tls-verify script fail?

Best regards
V
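Two posts in this thread turn on how the --tls-verify hook behaves: bennyc's space-in-CN failure and v0lZy's "Certificate Depth" failure. OpenVPN runs the --tls-verify command once per certificate in the peer's chain, passing two arguments, the depth (0 is the peer's own certificate, 1 its issuer, and so on) and the X509 subject string; any non-zero exit status rejects the handshake, which is exactly what the "external program exited with error status: 1" line above records. The model below is an added example for this thread, not pfSense's own verify script: it simulates that hook with a constructed max-depth policy modelled on the "Certificate Depth" setting, runs it over constructed chains with and without an intermediate CA, and contrasts a subject parser that survives a CN containing a space with the whitespace-splitting bug pattern that would not. The chain data and subject names are constructed; the subject format follows the log lines in this thread ("C=.., ST=.., CN=..").

```python
"""Model of the OpenVPN --tls-verify hook with a constructed depth policy (added example)."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class ChainCert:
    depth: int      # 0 = peer (client) certificate, 1 = issuing CA, 2 = its issuer, ...
    subject: str    # subject string as OpenVPN passes it to the script


def parse_subject(subject):
    """Split on ', ' so a value such as 'CN=my server' keeps its space."""
    fields = {}
    for part in subject.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def naive_parse_subject(subject):
    """Whitespace-splitting parser, a bug pattern: a CN with a space is cut in half."""
    fields = {}
    for token in subject.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value.rstrip(",")
    return fields


def tls_verify(depth, subject, max_depth, allowed_cns=None):
    """One invocation of the hook; returns the exit status OpenVPN would see.

    0 accepts this certificate, 1 rejects the whole handshake. The policy is a
    constructed one: refuse any certificate deeper than max_depth, and optionally
    pin the leaf's CN (depth 0) to an allow-list.
    """
    if depth > max_depth:
        return 1
    if depth == 0 and allowed_cns is not None:
        if parse_subject(subject).get("CN") not in allowed_cns:
            return 1
    return 0


def verify_chain(chain, max_depth, allowed_cns=None):
    """Run the hook the way OpenVPN does: from the top of the chain down to depth 0.

    Returns (accepted, depth_that_failed_or_None); the first non-zero exit aborts.
    """
    for cert in sorted(chain, key=lambda c: c.depth, reverse=True):
        if tls_verify(cert.depth, cert.subject, max_depth, allowed_cns) != 0:
            return False, cert.depth
    return True, None


# Constructed chains. With max_depth=1 a client signed directly by the CA passes;
# a client signed by an intermediate CA has a certificate at depth 2 and fails.
DIRECT_CHAIN = (
    ChainCert(1, "C=XX, O=example-org, CN=example-internal-ca"),
    ChainCert(0, "C=XX, O=example-org, CN=example-user"),
)
INTERMEDIATE_CHAIN = (
    ChainCert(2, "C=XX, O=example-org, CN=example-root-ca"),
    ChainCert(1, "C=XX, O=example-org, CN=example-intermediate-ca"),
    ChainCert(0, "C=XX, O=example-org, CN=example-user"),
)
SPACED_CN = "C=XX, O=example-org, CN=my server"


def main(argv):
    """Entry point with the argv shape OpenVPN uses: <script> <depth> <subject>."""
    if len(argv) != 3:
        sys.stderr.write("usage: %s DEPTH SUBJECT\n" % argv[0])
        return 1
    return tls_verify(int(argv[1]), argv[2], max_depth=1)


if __name__ == "__main__":
    for name, chain in (("direct", DIRECT_CHAIN), ("intermediate", INTERMEDIATE_CHAIN)):
        print(name, verify_chain(chain, max_depth=1))
    print("correct parser:", parse_subject(SPACED_CN)["CN"])
    print("naive parser:  ", naive_parse_subject(SPACED_CN)["CN"])
    if len(sys.argv) == 3:
        sys.exit(main(sys.argv))
```

Run as `python tls_verify_model.py 0 "C=XX, O=example-org, CN=example-user"` the script exits 0, and with depth 2 it exits 1, the status the server log shows. When a verify script rejects a chain you expect to pass, print the depth and subject it received before deciding; the depth value tells you whether an extra CA has appeared in the chain, and the raw subject tells you whether the script is splitting a CN that contains a space.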
johnpoz (LAYER 8 Global Moderator), last edited by Dec 28, 2017, 2:35 PM

I have always run one for depth (client+server) and never had such issues. I double checked my setting and yup, running client+server with no connection issues. Running 2.4.2_p1

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
v0lZy, last edited by Dec 29, 2017, 9:21 AM

Is your installation fresh or a setup that was carried over?

Best regards,
V
johnpoz (LAYER 8 Global Moderator), last edited by Dec 29, 2017, 11:25 PM

Well, it's fresh on my SG-4860. Upgraded to p1 from 2.4.2; it might have come with 2.4.0 that updated to 2.4.2 and then to p1. Only had it a couple of weeks.

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11
v0lZy, last edited by Jan 31, 2018, 1:44 PM

Experiencing this issue now on 3 VMs …
A quick glance at the forum says I'm not alone.

Was anyone able to work this out?
Best regards
V
reswob10, last edited by Feb 17, 2018, 5:18 PM

I had this same problem. I tried a bunch of the solutions found from googling and such.

In my case, my NIC was bad. I swapped in a new NIC and the connection came up.

pfsense version didn't matter, client OS didn't matter. NIC card fail.

6 hrs troubleshooting argh
                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.