error=unsupported certificate purpose


Moderators: TinCanTech

tiba
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 23, 2017 7:40 pm

error=unsupported certificate purpose

Post by tiba » Thu Feb 23, 2017 7:46 pm

Hello,

When I try to connect to my server, I get this message from OpenVPN on Windows:


Thu Feb 23 20:44:47 2017 Validating certificate key usage
Thu Feb 23 20:44:47 2017 ++ Certificate has key usage  00a0, expects 00a0
Thu Feb 23 20:44:47 2017 VERIFY KU OK
Thu Feb 23 20:44:47 2017 Validating certificate extended key usage
Thu Feb 23 20:44:47 2017 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Thu Feb 23 20:44:47 2017 VERIFY EKU OK
Thu Feb 23 20:44:47 2017 VERIFY OK: depth=0, C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=server, name=RADO
And in my log file from the server:


Thu Feb 23 20:42:41 2017 192.168.1.1:2047 TLS: Initial packet from [AF_INET]192.168.1.1:2047, sid=19d7601c c1a600f9
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=radom, name=RADOM, emailAddress=mail@host.domain
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 TLS_ERROR: BIO read tls_read_plaintext error
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 TLS Error: TLS handshake failed
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 TLS: Initial packet from [AF_INET]192.168.1.1:2057, sid=c150b3d4 ca3e15ad
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=radom, name=RADOM, emailAddress=mail@host.domain
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 TLS_ERROR: BIO read tls_read_plaintext error
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 TLS Error: TLS handshake failed
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb 23 20:44:45 2017 192.168.1.1:2074 TLS: Initial packet from [AF_INET]192.168.1.1:2074, sid=a6494cdf 96e2edb2
Thu Feb 23 20:44:45 2017 192.168.1.1:2074 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=radom, name=RADOM, emailAddress=mail@host.domain
Thu Feb 23 20:44:45 2017 192.168.1.1:2074 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Feb 23 20:44:45 2017 192.168.1.1:2074 TLS_ERROR: BIO read tls_read_plaintext error
Thu Feb 23 20:44:45 2017 192.168.1.1:2074 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 23 20:44:45 2017 192.168.1.1:2074 TLS Error: TLS handshake failed
Thu Feb 23 20:44:45 2017 192.168.1.1:2074 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Feb 23 20:45:47 2017 192.168.1.1:2085 TLS: Initial packet from [AF_INET]192.168.1.1:2085, sid=9f9fa5dd 51394d3e
Thu Feb 23 20:45:47 2017 192.168.1.1:2085 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=radom, name=RADOM, emailAddress=mail@host.domain
Thu Feb 23 20:45:47 2017 192.168.1.1:2085 OpenSSL: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Feb 23 20:45:47 2017 192.168.1.1:2085 TLS_ERROR: BIO read tls_read_plaintext error
Thu Feb 23 20:45:47 2017 192.168.1.1:2085 TLS Error: TLS object -> incoming plaintext read error
Thu Feb 23 20:45:47 2017 192.168.1.1:2085 TLS Error: TLS handshake failed
Thu Feb 23 20:45:47 2017 192.168.1.1:2085 SIGUSR1[soft,tls-error] received, client-instance restarting
Any idea?

Thanks
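Added example, not part of the original post: a small triage script for the server log format shown above. It groups VERIFY ERROR lines by certificate CN, chain depth and OpenSSL error, and counts the handshakes that failed afterwards. The 192.0.2.10 lines are constructed for contrast; `summarize` and the regex names are this example's own.

```python
import re
from collections import defaultdict

# Excerpt of the server log posted above, plus two constructed lines
# (peer 192.0.2.10) showing a failure at a different chain depth.
SAMPLE_LOG = """\
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 TLS: Initial packet from [AF_INET]192.168.1.1:2047, sid=19d7601c c1a600f9
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=radom, name=RADOM, emailAddress=mail@host.domain
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 TLS Error: TLS handshake failed
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=radom, name=RADOM, emailAddress=mail@host.domain
Thu Feb 23 20:43:44 2017 192.168.1.1:2057 TLS Error: TLS handshake failed
Thu Feb 23 20:46:02 2017 192.0.2.10:40112 VERIFY ERROR: depth=1, error=certificate has expired: C=FR, O=EXAMPLE, CN=example-ca
Thu Feb 23 20:46:02 2017 192.0.2.10:40112 TLS Error: TLS handshake failed
"""

# "<ctime timestamp> <ip:port> <message>"
LINE = re.compile(r"^\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4} (?P<peer>\S+) (?P<msg>.*)$")
VERIFY = re.compile(r"^VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.*)$")
CN = re.compile(r"(?:^|, )CN=([^,]+)")

def summarize(log_text):
    """Group VERIFY ERROR lines by (CN, depth, error) and count failed handshakes."""
    pending = {}  # peer "ip:port" -> key of the verify error seen on that session
    report = defaultdict(lambda: {"attempts": 0, "handshake_failed": 0, "sources": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        v = VERIFY.match(msg)
        if v:
            cn = CN.search(v["subject"])
            # depth=0 is the peer's own certificate; depth>=1 is a CA in its chain
            key = (cn.group(1) if cn else "?", int(v["depth"]), v["error"])
            report[key]["attempts"] += 1
            report[key]["sources"].add(peer.rsplit(":", 1)[0])
            pending[peer] = key
        elif msg == "TLS Error: TLS handshake failed" and peer in pending:
            report[pending.pop(peer)]["handshake_failed"] += 1
    return dict(report)

if __name__ == "__main__":
    for (cn, depth, error), stats in summarize(SAMPLE_LOG).items():
        print(f"CN={cn} depth={depth} error={error!r} {stats}")
```

Because depth=0 is the peer's own certificate, the CN=radom entry points at the client certificate rather than the CA. `openssl x509 -noout -purpose -in <client certificate file>` prints which purposes OpenSSL accepts for it.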

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Help for config openvpn

Post by TinCanTech » Thu Feb 23, 2017 9:08 pm

tiba wrote: And in my log file from server:

Thu Feb 23 20:42:41 2017 192.168.1.1:2047 TLS: Initial packet from [AF_INET]192.168.1.1:2047, sid=19d7601c c1a600f9
Thu Feb 23 20:42:41 2017 192.168.1.1:2047 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=FR, ST=75, L=PARIS, O=RADOM, OU=RADOM, CN=radom, name=RADOM, emailAddress=mail
How did you create your PKI?

tiba
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 23, 2017 7:40 pm

Re: Help for config openvpn

Post by tiba » Fri Feb 24, 2017 5:01 am

Hello,

Thanks for your response.
I followed this tutorial:

http://www.capi-ears.com/tutoriel-infor ... r-windows/

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Help for config openvpn

Post by TinCanTech » Fri Feb 24, 2017 11:52 am

Please report your problem to the author of that guide.

We only support the official HOWTO:
https://openvpn.net/index.php/open-sour ... o.html#pki

tiba
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 23, 2017 7:40 pm

Re: error=unsupported certificate purpose

Post by tiba » Fri Feb 24, 2017 6:52 pm

Hi,

Thanks for the tutorial HOWTO, I will try this.

NginUS
OpenVpn Newbie
Posts: 2
Joined: Sat Jun 24, 2017 3:16 pm

Re: error=unsupported certificate purpose

Post by NginUS » Sat Jun 24, 2017 3:22 pm

I got the same error following this tutorial http://blog.ssdnodes.com/blog/tutorial- ... untu-16.04

When I run openvpn --client --config /path/to/filename.ovpn --ca /path/to/ca.crt _without_ sudo I get error=unsupported certificate purpose:, but with sudo that part's omitted.

I see here viewtopic.php?t=18550 it needs to be different, but don't know how to make it that way. Ideally I could just undo what I have wrong & make just that part right, but I don't know what I'm doing well enough to do anything other than aptitude purge, delete stuff & start the whole thing over.

This too http://blog.schmoigl-online.de/?p=787

I see you don't support other tutorials, so I don't have much hope at this point...
