Zeroshell 3.0 router: VERIFY nsCertType ERROR

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Locked
nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Zeroshell 3.0 router: VERIFY nsCertType ERROR

Post by nulluse » Sat Apr 16, 2016 6:13 pm

My user is trying to connect via host-to-lan VPN to my Zeroshell 3.0 router.
They are getting the errors as in the log below:

Code: Select all

Sat Apr 09 19:32:50 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Apr 09 19:32:50 2016 Re-using SSL/TLS context
Sat Apr 09 19:32:50 2016 LZO compression initialized
Sat Apr 09 19:32:50 2016 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Apr 09 19:32:50 2016 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:23 ET:32 EL:0 AF:3/1 ]
Sat Apr 09 19:32:50 2016 Local Options hash (VER=V4): '31fdf004'
Sat Apr 09 19:32:50 2016 Expected Remote Options hash (VER=V4): '3e6d1056'
Sat Apr 09 19:32:50 2016 Attempting to establish TCP connection with 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TCP connection established with 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TCPv4_CLIENT link local: [undef]
Sat Apr 09 19:32:50 2016 TCPv4_CLIENT link remote: 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TLS: Initial packet from 216.*.*.24:1194, sid=f2bb5859 336e0bc4
Sat Apr 09 19:32:54 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 19:32:54 2016 VERIFY nsCertType ERROR: /OU=Hosts/CN=router.domain.ca, require nsCertType=SERVER
Sat Apr 09 19:32:54 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Apr 09 19:32:54 2016 TLS Error: TLS object -> incoming plaintext read error
Sat Apr 09 19:32:54 2016 TLS Error: TLS handshake failed
Sat Apr 09 19:32:54 2016 Fatal TLS error (check_tls_errors_co), restarting
Sat Apr 09 19:32:54 2016 TCP/UDP: Closing socket
Sat Apr 09 19:32:54 2016 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 09 19:32:54 2016 Restart pause, 5 second(s)
We followed the instructions at http://www.zeroshell.org/openvpn-client/ and downloaded the sample config file http://www.zeroshell.org/download/zeroshell.ovpn and exported CA.pem file from the router login page. The user placed the config file and CA.pem into the

What are we doing wrong?

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: VERIFY nsCertType ERROR

Post by nulluse » Mon Apr 18, 2016 7:54 pm

What do we need to do to troubleshoot this issue?
Is there anything in the certificate that I should look at?

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: VERIFY nsCertType ERROR

Post by Traffic » Mon Apr 18, 2016 8:23 pm

nulluse wrote:Sat Apr 09 19:32:54 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 19:32:54 2016 VERIFY nsCertType ERROR: /OU=Hosts/CN=router.domain.ca, require nsCertType=SERVER
Sat Apr 09 19:32:54 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I would say that you have not created your server certificate correctly.

Of course .. you have only posted 1 of 4 requirements ..

Please see the Forum rules (top of this page)
nulluse wrote:We followed the instructions at .......
I would also suggest you read the OpenVPN Official HOWTO:
HOWTO: For OpenVPN Community Edition

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: VERIFY nsCertType ERROR

Post by nulluse » Mon Apr 18, 2016 9:00 pm

Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
If you are referring to the config file, than it is the one I linked above. The only difference of the actual file used is the external IP of the router box.

If you are referring to out certificate, than this is exactly what I am asking: what specifically in the certificate should I look at? The certificate is large and has lots of info. Posting it entirely for the world to see would defeat the purpose of VPN as anyone would be able to connect using that cert. So I have to post something from the cert, but don't know which parts. Do you agree?

You have pointed me at a 41 page document which I may not be able to follow, as it talks about running command-line tools, whereas in Zeroshell I only have a link on the log in page to download a CA.pem file that is generated when Zeroshell starts up for the 1st time.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: VERIFY nsCertType ERROR

Post by Traffic » Mon Apr 18, 2016 11:19 pm

Traffic wrote:Of course .. you have only posted 1 of 4 requirements ..

Please see the Forum rules (top of this page)
nulluse wrote:Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
The rules are there to save this sort of banta ..

I suggest you read the EasyRSA README (included with easyrsa)

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: VERIFY nsCertType ERROR

Post by nulluse » Mon Apr 18, 2016 11:38 pm

Traffic wrote:
Traffic wrote:Of course .. you have only posted 1 of 4 requirements ..

Please see the Forum rules (top of this page)
nulluse wrote:Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
The rules are there to save this sort of banta ..

I suggest you read the EasyRSA README (included with easyrsa)
This was very rude and totally uncalled for.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: VERIFY nsCertType ERROR

Post by Traffic » Mon Apr 18, 2016 11:48 pm

Give a man a fish .. vs .. teach a man to fish .. 8-)

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: VERIFY nsCertType ERROR

Post by Traffic » Tue Apr 19, 2016 12:30 pm

There are two ways to designate a certificate as a server:
  • nscerttype server (deprecated)
  • remote-cert-tls server
There may be more but these are documented by EasyRSA .. so read the README/vars file for EasyRSA

I suspect you are using the wrong designation in your config. (which you have not posted)

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: VERIFY nsCertType ERROR

Post by nulluse » Tue Apr 19, 2016 1:26 pm

Traffic wrote:There are two ways to designate a certificate as a server:
  • nscerttype server (deprecated)
  • remote-cert-tls server
There may be more but these are documented by EasyRSA .. so read the README/vars file for EasyRSA

I suspect you are using the wrong designation in your config. (which you have not posted)
Thanks for the tip, but the last part is not true.
There is a link in the original post: http://www.zeroshell.org/download/zeroshell.ovpn
The Zeroshell users are only supposed to change the server IP address as per the 1st link in the original post. That is what we have done.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: VERIFY nsCertType ERROR

Post by Traffic » Tue Apr 19, 2016 1:49 pm

Sorry .. I am not debugging Zeroshell tutorials .. I suggest you ask on Zeroshell Forum ..

Regards

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: VERIFY nsCertType ERROR

Post by nulluse » Tue Apr 19, 2016 1:50 pm

The certificate seems to have netscape server purpose included.
Is that what you are talking about?
Is that certificate not good to be used with OpenVpn?
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: VERIFY nsCertType ERROR

Post by nulluse » Tue Apr 19, 2016 1:52 pm

Traffic wrote:Sorry .. I am not debugging Zeroshell tutorials .. I suggest you ask on Zeroshell Forum ..

Regards
No one ever asked you to debug a Zeroshell tutorial. I never even posted a link to one.
Here's a config I am using, here's OpenVpn error log - I was asking what specifically was OpenVpn not happy about.

User avatar
Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR

Post by Traffic » Tue Apr 19, 2016 1:59 pm

nulluse wrote:No one ever asked you to debug a Zeroshell tutorial. I never even posted a link to one.
nulluse wrote:We followed the instructions at http://www.zeroshell.org/openvpn-client/
On my HD monitor that Tutorial runs to about 12 pages.
nulluse wrote:The certificate seems to have netscape server purpose included.
Traffic wrote:There are two ways to designate a certificate as a server:
  • --ns-cert-type server (deprecated)
  • --remote-cert-tls server
See --those options in The Manual v23x

Good luck.

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR

Post by nulluse » Tue Apr 19, 2016 2:15 pm

The user is running OpenVPN GUI. Is OpenVpn GUI using those parameters by default?

nulluse
OpenVpn Newbie
Posts: 9
Joined: Sat Apr 16, 2016 6:06 pm

Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR

Post by nulluse » Thu Apr 21, 2016 8:21 pm

Never mind! This was resolved by making some changes to the server configuration.
The error message was very misleading as there was nothing wrong with the certificate or config file.

bonne
OpenVpn Newbie
Posts: 13
Joined: Sun Jun 14, 2015 8:01 am

Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR

Post by bonne » Mon Sep 04, 2017 10:08 pm

Which changes did you make? I am getting this error when connection MAC clients with Tunnelblick, but not when using OpenVPN client on Windows.

Server cert was build with ./easyrsa build-server-full <servername> nopass

Regards, LArs.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Zeroshell 3.0 router: VERIFY nsCertType ERROR

Post by TinCanTech » Tue Sep 05, 2017 12:26 pm


Locked