Scripts to manage certificates or generate config files
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Sat Apr 16, 2016 6:13 pm
My user is trying to connect via host-to-lan VPN to my Zeroshell 3.0 router.
They are getting the errors as in the log below:
Code:
Sat Apr 09 19:32:50 2016 IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Sat Apr 09 19:32:50 2016 Re-using SSL/TLS context
Sat Apr 09 19:32:50 2016 LZO compression initialized
Sat Apr 09 19:32:50 2016 Control Channel MTU parms [ L:1576 D:140 EF:40 EB:0 ET:0 EL:0 ]
Sat Apr 09 19:32:50 2016 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:23 ET:32 EL:0 AF:3/1 ]
Sat Apr 09 19:32:50 2016 Local Options hash (VER=V4): '31fdf004'
Sat Apr 09 19:32:50 2016 Expected Remote Options hash (VER=V4): '3e6d1056'
Sat Apr 09 19:32:50 2016 Attempting to establish TCP connection with 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TCP connection established with 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TCPv4_CLIENT link local: [undef]
Sat Apr 09 19:32:50 2016 TCPv4_CLIENT link remote: 216.*.*.24:1194
Sat Apr 09 19:32:50 2016 TLS: Initial packet from 216.*.*.24:1194, sid=f2bb5859 336e0bc4
Sat Apr 09 19:32:54 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 19:32:54 2016 VERIFY nsCertType ERROR: /OU=Hosts/CN=router.domain.ca, require nsCertType=SERVER
Sat Apr 09 19:32:54 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Apr 09 19:32:54 2016 TLS Error: TLS object -> incoming plaintext read error
Sat Apr 09 19:32:54 2016 TLS Error: TLS handshake failed
Sat Apr 09 19:32:54 2016 Fatal TLS error (check_tls_errors_co), restarting
Sat Apr 09 19:32:54 2016 TCP/UDP: Closing socket
Sat Apr 09 19:32:54 2016 SIGUSR1[soft,tls-error] received, process restarting
Sat Apr 09 19:32:54 2016 Restart pause, 5 second(s)
We followed the instructions at
http://www.zeroshell.org/openvpn-client/ and downloaded the sample config file
http://www.zeroshell.org/download/zeroshell.ovpn and exported CA.pem file from the router login page. The user placed the config file and CA.pem into the
What are we doing wrong?
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Mon Apr 18, 2016 7:54 pm
What do we need to do to troubleshoot this issue?
Is there anything in the certificate that I should look at?
Traffic - OpenVPN Protagonist - Posts: 4066 - Joined: Sat Aug 09, 2014 11:24 am
Post by Traffic » Mon Apr 18, 2016 8:23 pm
nulluse wrote:Sat Apr 09 19:32:54 2016 VERIFY OK: depth=1, /C=IT/O=Zeroshell.net/OU=Example/CN=ZeroShell_Example_CA/emailAddress=Fulvio.Ricciardi@zeroshell.net
Sat Apr 09 19:32:54 2016 VERIFY nsCertType ERROR: /OU=Hosts/CN=router.domain.ca, require nsCertType=SERVER
Sat Apr 09 19:32:54 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
I would say that you have not created your server certificate correctly.
Of course .. you have only posted 1 of 4 requirements ..
Please see the Forum rules (top of this page)
nulluse wrote:We followed the instructions at .......
I would also suggest you read the OpenVPN Official HOWTO:
HOWTO: For OpenVPN Community Edition
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Mon Apr 18, 2016 9:00 pm
Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
If you are referring to the config file, then it is the one I linked above. The only difference in the actual file used is the external IP of the router box.
If you are referring to our certificate, then this is exactly what I am asking: what specifically in the certificate should I look at? The certificate is large and has lots of info. Posting it entirely for the world to see would defeat the purpose of VPN, as anyone would be able to connect using that cert. So I have to post something from the cert, but don't know which parts. Do you agree?
You have pointed me at a 41 page document which I may not be able to follow, as it talks about running command-line tools, whereas in Zeroshell I only have a link on the log in page to download a CA.pem file that is generated when Zeroshell starts up for the 1st time.
Traffic - OpenVPN Protagonist - Posts: 4066 - Joined: Sat Aug 09, 2014 11:24 am
Post by Traffic » Mon Apr 18, 2016 11:19 pm
Traffic wrote:Of course .. you have only posted 1 of 4 requirements ..
Please see the Forum rules (top of this page)
nulluse wrote:Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
The rules are there to save this sort of banter ..
I suggest you read the EasyRSA README (included with easyrsa)
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Mon Apr 18, 2016 11:38 pm
Traffic wrote:Traffic wrote:Of course .. you have only posted 1 of 4 requirements ..
Please see the Forum rules (top of this page)
nulluse wrote:Sorry, this is too cryptic for me: I posted 1 out of 4... what exactly?
The rules are there to save this sort of banter ..
I suggest you read the EasyRSA README (included with easyrsa)
This was very rude and totally uncalled for.
Traffic - OpenVPN Protagonist - Posts: 4066 - Joined: Sat Aug 09, 2014 11:24 am
Post by Traffic » Mon Apr 18, 2016 11:48 pm
Give a man a fish .. vs .. teach a man to fish ..
Traffic - OpenVPN Protagonist - Posts: 4066 - Joined: Sat Aug 09, 2014 11:24 am
Post by Traffic » Tue Apr 19, 2016 12:30 pm
There are two ways to designate a certificate as a server:
- nscerttype server (deprecated)
- remote-cert-tls server
There may be more but these are documented by EasyRSA .. so read the README/vars file for EasyRSA
I suspect you are using the wrong designation in your config. (which you have not posted)
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Tue Apr 19, 2016 1:26 pm
Traffic wrote:There are two ways to designate a certificate as a server:
- nscerttype server (deprecated)
- remote-cert-tls server
There may be more but these are documented by EasyRSA .. so read the README/vars file for EasyRSA
I suspect you are using the wrong designation in your config. (which you have not posted)
Thanks for the tip, but the last part is not true.
There is a link in the original post:
http://www.zeroshell.org/download/zeroshell.ovpn
The Zeroshell users are only supposed to change the server IP address as per the 1st link in the original post. That is what we have done.
Traffic - OpenVPN Protagonist - Posts: 4066 - Joined: Sat Aug 09, 2014 11:24 am
Post by Traffic » Tue Apr 19, 2016 1:49 pm
Sorry .. I am not debugging Zeroshell tutorials .. I suggest you ask on Zeroshell Forum ..
Regards
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Tue Apr 19, 2016 1:50 pm
The certificate seems to have netscape server purpose included.
Is that what you are talking about?
Is that certificate not good to be used with OpenVpn?
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
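A way to test a certificate for the two server designations Traffic lists (the nsCertType SSL Server bit that --ns-cert-type server requires, and the extendedKeyUsage serverAuth OID plus keyUsage bits that --remote-cert-tls server requires), written as an added example in plain Python; it is not code from OpenVPN, EasyRSA or Zeroshell. It also bears on the "Certificate purposes" listing above: openssl's -purpose report prints "Netscape SSL server : Yes" whenever no extension forbids that use, so it does not show that the nsCertType extension is actually present, while an OpenVPN client configured with ns-cert-type server fails with "VERIFY nsCertType ERROR" when the extension is absent. The DER walker below therefore looks for the extensions themselves. The sample certificates are constructed inside the block (placeholder name, key and signature, real only in their extensions) purely to exercise the check; the keyUsage rule (digitalSignature plus keyEncipherment or keyAgreement) is assumed to match OpenVPN 2.4's default, and load_cert is a hypothetical helper for feeding in a real PEM or DER file.

```python
"""Which 'server' designations does an X.509 certificate carry?  Checks the nsCertType
SSL Server bit (--ns-cert-type server) and EKU serverAuth + keyUsage (--remote-cert-tls server)."""
import base64

OID_NS_CERT_TYPE = "2.16.840.1.113730.1.1"
OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

def read_tlv(buf, pos=0):
    """Decode one DER TLV at buf[pos] -> (tag, value, next_pos); single-byte tags only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    out, pos = [], 0                                  # (tag, value) pairs inside a SEQUENCE/SET
    while pos < len(value):
        tag, v, pos = read_tlv(value, pos)
        out.append((tag, v))
    return out

def decode_oid(raw):
    parts, n = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def extensions(cert_der):
    """Map extension OID -> inner DER (the contents of its OCTET STRING)."""
    tbs = children(read_tlv(cert_der)[1])[0][1]       # Certificate -> tbsCertificate
    exts = {}
    for tag, v in children(tbs):
        if tag == 0xA3:                               # [3] EXPLICIT Extensions
            for _, ext in children(children(v)[0][1]):
                fields = children(ext)                # OID, optional critical flag, OCTET STRING
                exts[decode_oid(fields[0][1])] = fields[-1][1]
    return exts

def bit_set(bitstring_der, bit):
    data = read_tlv(bitstring_der)[1][1:]             # drop the unused-bits count byte
    return bit // 8 < len(data) and bool(data[bit // 8] & (0x80 >> bit % 8))

def server_designations(cert_der):
    exts = extensions(cert_der)
    ns, ku, eku = (exts.get(o) for o in (OID_NS_CERT_TYPE, OID_KEY_USAGE, OID_EXT_KEY_USAGE))
    ns_server = ns is not None and bit_set(ns, 1)     # bit 1 = SSL Server; a missing extension fails
    # keyUsage bits: 0 digitalSignature, 2 keyEncipherment, 4 keyAgreement (assumed OpenVPN 2.4 default)
    ku_ok = ku is None or (bit_set(ku, 0) and (bit_set(ku, 2) or bit_set(ku, 4)))
    eku_server = eku is not None and OID_SERVER_AUTH in [decode_oid(v) for _, v in children(read_tlv(eku)[1])]
    return {"ns-cert-type server": ns_server, "remote-cert-tls server": eku_server and ku_ok}

def load_cert(path):
    raw = open(path, "rb").read()                     # hypothetical helper: PEM or DER file -> DER bytes
    if raw.startswith(b"-----"):
        raw = base64.b64decode(b"".join(l for l in raw.splitlines() if not l.startswith(b"-----")))
    return raw

# Constructed sample certificates: placeholder name, key and signature, real only in the extensions.
def tlv(tag, content):
    n = len(content)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82, n >> 8, n & 0xFF])
    return hdr + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(a & 0x7F | 0x80)
            a >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def extension(oid, inner_der, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, encode_oid(oid)) + crit + tlv(0x04, inner_der))

def sample_cert(exts):
    alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.11")))      # sha256WithRSAEncryption
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid("2.5.4.3")) + tlv(0x0C, b"sample"))))
    validity = tlv(0x30, tlv(0x17, b"160416000000Z") + tlv(0x17, b"260416000000Z"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00placeholder-key"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name
              + validity + name + spki + tlv(0xA3, tlv(0x30, b"".join(exts))))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00placeholder-sig"))

KU_SIGN_ENCIPHER = extension(OID_KEY_USAGE, tlv(0x03, b"\x05\xa0"), critical=True)  # bits 0 and 2 set
NS_ONLY = sample_cert([extension(OID_NS_CERT_TYPE, tlv(0x03, b"\x06\x40"))])        # nsCertType bit 1 set
EKU_ONLY = sample_cert([KU_SIGN_ENCIPHER, extension(OID_EXT_KEY_USAGE, tlv(0x30, tlv(0x06, encode_oid(OID_SERVER_AUTH))))])
NO_DESIGNATION = sample_cert([KU_SIGN_ENCIPHER])
```

Calling server_designations(load_cert("server.crt")) on a real server certificate gives a dict with one entry per designation; a client config containing ns-cert-type server needs the first to be True, one containing remote-cert-tls server needs the second. Of the three constructed samples, NS_ONLY satisfies only the deprecated check, EKU_ONLY only the modern one, and NO_DESIGNATION neither, which is the situation that produces the "require nsCertType=SERVER" failure in the log at the top of the thread.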
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Tue Apr 19, 2016 1:52 pm
Traffic wrote:Sorry .. I am not debugging Zeroshell tutorials .. I suggest you ask on Zeroshell Forum ..
Regards
No one ever asked you to debug a Zeroshell tutorial. I never even posted a link to one.
Here's a config I am using, here's OpenVpn error log - I was asking what specifically was OpenVpn not happy about.
Traffic - OpenVPN Protagonist - Posts: 4066 - Joined: Sat Aug 09, 2014 11:24 am
Post by Traffic » Tue Apr 19, 2016 1:59 pm
nulluse wrote:No one ever asked you to debug a Zeroshell tutorial. I never even posted a link to one.
On my HD monitor that Tutorial runs to about 12 pages.
nulluse wrote:The certificate seems to have netscape server purpose included.
Traffic wrote:There are two ways to designate a certificate as a server:
- --ns-cert-type server (deprecated)
- --remote-cert-tls server
See those options in The Manual v23x
Good luck.
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Tue Apr 19, 2016 2:15 pm
The user is running OpenVPN GUI. Is OpenVpn GUI using those parameters by default?
nulluse - OpenVpn Newbie - Posts: 9 - Joined: Sat Apr 16, 2016 6:06 pm
Post by nulluse » Thu Apr 21, 2016 8:21 pm
Never mind! This was resolved by making some changes to the server configuration.
The error message was very misleading as there was nothing wrong with the certificate or config file.
bonne - OpenVpn Newbie - Posts: 13 - Joined: Sun Jun 14, 2015 8:01 am
Post by bonne » Mon Sep 04, 2017 10:08 pm
Which changes did you make? I am getting this error when connecting Mac clients with Tunnelblick, but not when using the OpenVPN client on Windows.
Server cert was built with ./easyrsa build-server-full <servername> nopass
Regards, Lars.
TinCanTech - OpenVPN Protagonist - Posts: 11137 - Joined: Fri Jun 03, 2016 1:17 pm
Post by TinCanTech » Tue Sep 05, 2017 12:26 pm