VERIFY ERROR: depth=1, error=certificate signature failure: /CN=Easy-RSA_CA

Scripts to manage certificates or generate config files

Moderators: TinCanTech

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: VERIFY ERROR: depth=1, error=certificate signature failure: /CN=Easy-RSA_CA

Post by TinCanTech » Wed Jul 06, 2016 12:56 pm

A quick review:
thomaslauer wrote: My OpenVPN server is the kylemanna/docker-openvpn
I have not tried it but you say it works.
thomaslauer wrote: With Windows and iOS client I have no problems
Good.
thomaslauer wrote: When I use the Yealink phone I must generate a .tar file with keys and vpn.cnf
Then this is probably the step that goes wrong. Try again, but copy the .tar file to the Windows client and unpack it, then see if you get an error like the phone. You could also try this with inline certificates in the config.

Out of curiosity, how do you install OpenVPN on the phone, or is it pre-installed, and what OpenVPN version is it?

thomaslauer
OpenVPN User
Posts: 20
Joined: Tue Jul 05, 2016 1:10 pm

Post by thomaslauer » Wed Jul 06, 2016 1:22 pm

I tested my Windows client with this config:

Code:

client
verb 4
nobind
dev tun
dev-type tun
remote-cert-tls server



remote asawhp.mydomain.net 1194 udp

redirect-gateway def1
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1

And it runs. I use the same certificates.

The OpenVPN is preinstalled.

Post by TinCanTech » Wed Jul 06, 2016 1:33 pm

I think you will have to take this to the yealink phone support channel.

Post by thomaslauer » Wed Jul 06, 2016 2:44 pm

I have already tried. Unfortunately, I've been waiting 2 weeks for a response.

Post by thomaslauer » Wed Jul 06, 2016 2:58 pm

I found this information in the Yealink support forum:
For this issue, make sure that the signature algorithm of the certificates is correct. The VPN of the T46 doesn't support SHA256; it should use SHA1 or MD5. You can change it in the "openssl.cnf" file. Change the sentence:

"default_md = sha256"

change to:

"default_md = md5"

"openssl.cnf" file in Windows: Open VPN --- easy-rsa --- the file begins with openssl; it may be openssl-1.1.1.cnf or something like this
"openssl.cnf" file in Linux: easy-rsa or the subdirectories under it, also beginning with openssl
Do you think that might solve my problem?
Must I create all certificates new?

Best regards
Thomas

Post by TinCanTech » Wed Jul 06, 2016 7:13 pm

It certainly looks like the problem you are experiencing.

Post by thomaslauer » Wed Jul 13, 2016 7:54 pm

Hi,

I have now changed my config for MD5 certificate signature. The error messages on the phone are now:

Code:

Message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Message: TLS Error: TLS handshake failed

My client config file is:

Code:

client
nobind
dev tun
#remote-cert-tls server

remote xxxxxx.net 1194 udp



#key-direction 1

redirect-gateway def1
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

Best regards
Thomas

Post by TinCanTech » Wed Jul 13, 2016 8:04 pm

thomaslauer wrote: I have now changed my config for MD5 certificate signature
And you created an all new PKI?

Post by thomaslauer » Wed Jul 13, 2016 8:08 pm

Yes, I created a new PKI.

Post by TinCanTech » Wed Jul 13, 2016 8:38 pm

thomaslauer wrote: The error messages on the phone now

Code:

Message: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Message: TLS Error: TLS handshake failed

This usually means your network is blocking you.

Note:
  • The better the information you provide the better we can help.
  • Please do not post publicly identifiable data, like DNS host names or host names as the name of certificates.
