OpenVPN Client - VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=...

This forum is for admins who are looking to build or expand their OpenVPN setup.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See https://forums.openvpn.net/viewtopic.php?f=30&t=21589 for an example.
mlbiam
OpenVpn Newbie
Posts: 2
Joined: Sat Jun 10, 2017 9:57 am

OpenVPN Client - VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=...

Postby mlbiam » Sat Jun 10, 2017 10:35 am

I have 2 OpenVPN servers up and running with multiple clients working. I'm trying to add a Fedora 25 client running openvpn:

Code: Select all

OpenVPN 2.4.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 11 2017
library versions: OpenSSL 1.0.2k-fips  26 Jan 2017, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_iproute2=yes enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=yes enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no


When I try to connect to my vpn with the same config and certs that work on Tunnlbrk and OpenVPN on iOS i get the following error:

Sat Jun 10 06:20:11 2017 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=XXXXXX. Root CA, ST=Virginia, C=US, O=XXXXX, OU=PKI
Sat Jun 10 06:20:11 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Sat Jun 10 06:20:11 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jun 10 06:20:11 2017 TLS Error: TLS object -> incoming plaintext read error
Sat Jun 10 06:20:11 2017 TLS Error: TLS handshake failed
Sat Jun 10 06:20:11 2017 Fatal TLS error (check_tls_errors_co), restarting
Sat Jun 10 06:20:11 2017 SIGUSR1[soft,tls-error] received, process restarting


The cert is valid, 2048 bit key size with sha256. Its the exact same certs as used on other clients. I tried adding the server's ca cert to /etc/pki/ca-trust/source/anchors but with no luck. Running openssl check works. What am I missing?

Thanks

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2420
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Client - VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=...

Postby TinCanTech » Sat Jun 10, 2017 1:36 pm

mlbiam wrote:I tried adding the server's ca cert to /etc/pki/ca-trust/source/anchors but with no luck
why ?

Your config files may help ..

mlbiam
OpenVpn Newbie
Posts: 2
Joined: Sat Jun 10, 2017 9:57 am

Re: OpenVPN Client - VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=...

Postby mlbiam » Sun Jun 11, 2017 12:09 pm

turned out i had the wrong certs

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 2420
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN Client - VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=...

Postby TinCanTech » Sun Jun 11, 2017 12:51 pm

Ahh, thanks for letting us know 8-)


Return to “Server Administration”

Who is online

Users browsing this forum: No registered users and 7 guests