Client certificate check = Processing of the Certificate handshake message failed

Scripts to manage certificates or generate config files
pparent
OpenVpn Newbie
Posts: 5
Joined: Fri Apr 13, 2018 10:57 am

Client certificate check = Processing of the Certificate handshake message failed

Post by pparent » Fri Apr 13, 2018 11:02 am

Hi,

When activating client certificate check I get the following error. It works fine with "verify-client-cert none". I can't figure out what's happening.

Code:

RFri Apr 13 10:54:14 2018 us=284429 192.168.1.1:42300 TLS: Initial packet from [AF_INET]192.168.1.1:42300, sid=21d25947 a8752e76
WRRWWRRWRFri Apr 13 10:54:17 2018 us=187049 192.168.1.1:42300 VERIFY OK: depth=1, C=FR, ST=France, L=Rennes, O=digze, OU=Lead, CN=digze CA, ??=Pierre Parent, emailAddress=pierre.parent@digze.net
Fri Apr 13 10:54:17 2018 us=190479 192.168.1.1:42300 Validating certificate key usage
Fri Apr 13 10:54:17 2018 us=190899 192.168.1.1:42300 VERIFY KU OK
Fri Apr 13 10:54:17 2018 us=191255 192.168.1.1:42300 Validating certificate extended key usage
Fri Apr 13 10:54:17 2018 us=191621 192.168.1.1:42300 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr 13 10:54:17 2018 us=191979 192.168.1.1:42300 VERIFY EKU OK
Fri Apr 13 10:54:17 2018 us=192344 192.168.1.1:42300 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=client, ??=EasyRSA, emailAddress=me@myhost.mydomain
Fri Apr 13 10:54:17 2018 us=192765 192.168.1.1:42300 TLS_ERROR: read tls_read_plaintext error: SSL - Processing of the Certificate handshake message failed
Fri Apr 13 10:54:17 2018 us=193396 192.168.1.1:42300 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 13 10:54:17 2018 us=193755 192.168.1.1:42300 TLS Error: TLS handshake failed
Fri Apr 13 10:54:17 2018 us=195742 192.168.1.1:42300 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 13 10:54:17 2018 us=196180 192.168.1.1:42300 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Apr 13 10:54:17 2018 us=197745 TCP/UDP: Closing socket
Here are my conf files

Code:

#mode server
tls-server
mode server

# Local ip_machine
# local 192.168.1.1

# Port used
port 1194
# TCP or UDP
proto tcp-server
# Network interface to bring up (tap0 because it is bridged)
dev tap0

# # Self-signed certificate of our certificate authority
ca /etc/openvpn/keys/ca.crt
# # Server certificate
cert /etc/openvpn/keys/myserver.crt
# # Server key
key /etc/openvpn/keys/myserver.key
# Encryption parameters
dh /etc/openvpn/keys/dh2048.pem

# So that clients can see each other
client-to-client

remote-cert-tls server

# Ping every 5 seconds; if no reply after 30 seconds, the tunnel is dropped
keepalive 5 30
# Compression to speed up traffic
# comp-lzo

# Username and Password authentication.
verify-client-cert require
script-security 2
auth-user-pass-verify /etc/openvpn/server-passwords-check.sh  via-file
#plugin /usr/lib/openvpn/openvpn-auth-pam.so login

persist-key
persist-tun

## Log file path
log-append /var/log/openvpn/server.log

# Log verbosity level from 0 to 9
verb 5

Code:

client

dev tap0

proto tcp

remote x.x.154.82 443

persist-key
persist-tun


# SSL/TLS parms.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key

remote-cert-tls server

# Encryption parameters
dh /etc/openvpn/keys/dh2048.pem
# cipher AES-256-CBC
auth-user-pass /etc/openvpn/client-password

# # Enable compression on the VPN link.
# comp-lzo

## Log file path
log-append /var/log/openvpn/client.log

# Set log file verbosity.
verb 5
I'm working on 2.4.4. Any idea?

Thanks a lot in advance!
Last edited by pparent on Fri Apr 13, 2018 3:42 pm, edited 1 time in total.

TinCanTech
OpenVPN Protagonist
Posts: 4295
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client certificate check = Processing of the Certificate handshake message failed

Post by TinCanTech » Fri Apr 13, 2018 12:45 pm

pparent wrote:
Fri Apr 13, 2018 11:02 am
When activating client certificate check I get the following error. It works fine with "verify-client-cert none". I can't figure out what's happening.
From your log:
RFri Apr 13 10:54:14 2018 us=284429 192.168.1.1:42300 TLS: Initial packet from [AF_INET]192.168.1.1:42300, sid=21d25947 a8752e76
WRRWWRRWRFri Apr 13 10:54:17 2018 us=187049 192.168.1.1:42300 VERIFY OK: depth=1, C=FR, ST=France, L=Rennes, O=Bridge-box, OU=Lead, CN=Bridge-box CA, ??=Pierre Parent, emailAddress=pierre.parent@bridge-box.net
Fri Apr 13 10:54:17 2018 us=190479 192.168.1.1:42300 Validating certificate key usage
Fri Apr 13 10:54:17 2018 us=190899 192.168.1.1:42300 VERIFY KU OK
Fri Apr 13 10:54:17 2018 us=191255 192.168.1.1:42300 Validating certificate extended key usage
Fri Apr 13 10:54:17 2018 us=191621 192.168.1.1:42300 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr 13 10:54:17 2018 us=191979 192.168.1.1:42300 VERIFY EKU OK
Fri Apr 13 10:54:17 2018 us=192344 192.168.1.1:42300 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=client, ??=EasyRSA, emailAddress=me@myhost.mydomain
Fri Apr 13 10:54:17 2018 us=192765 192.168.1.1:42300 TLS_ERROR: read tls_read_plaintext error: SSL - Processing of the Certificate handshake message failed
Fri Apr 13 10:54:17 2018 us=193396 192.168.1.1:42300 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 13 10:54:17 2018 us=193755 192.168.1.1:42300 TLS Error: TLS handshake failed
Fri Apr 13 10:54:17 2018 us=195742 192.168.1.1:42300 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 13 10:54:17 2018 us=196180 192.168.1.1:42300 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Apr 13 10:54:17 2018 us=197745 TCP/UDP: Closing socket
Maybe try using the correct PKI for the client cert .. ?

pparent
OpenVpn Newbie
Posts: 5
Joined: Fri Apr 13, 2018 10:57 am

Re: Client certificate check = Processing of the Certificate handshake message failed

Post by pparent » Fri Apr 13, 2018 3:42 pm

Ok, thanks a lot and sorry for this silly question.

TinCanTech
OpenVPN Protagonist
Posts: 4295
Joined: Fri Jun 03, 2016 1:17 pm

Re: Client certificate check = Processing of the Certificate handshake message failed

Post by TinCanTech » Fri Apr 13, 2018 7:54 pm

If that fixed it then .. cool

pparent
OpenVpn Newbie
Posts: 5
Joined: Fri Apr 13, 2018 10:57 am

Re: Client certificate check = Processing of the Certificate handshake message failed

Post by pparent » Sat Apr 14, 2018 7:42 am

It did. I regenerated the keys and certificates and it worked. The old ones may not have been generated with the same CA, or something like that, because I did a lot of testing at that time.
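
Added here as a worked example (it is not code from the thread or from OpenVPN): a POSIX shell script that recreates the failure TinCanTech pointed at, a client certificate issued by a CA other than the one the server's "ca" directive trusts, and shows the offline openssl checks that confirm it before touching the VPN config. All CA names, file names and keys are constructed throwaways for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: recreate the situation TinCanTech diagnosed
# (client cert issued by a CA other than the one in the server's "ca" directive) and
# run the checks worth doing before touching OpenVPN. All CAs, names and keys below
# are constructed throwaways.
set -eu
WORK=$(mktemp -d); cd "$WORK"

make_ca() {  # $1 = CA name -> self-signed $1.crt / $1.key, valid 1 day
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
make_leaf() {  # $1 = issuing CA, $2 = leaf name, $3 = EKU (clientAuth | serverAuth)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    printf 'keyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$3" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 1 -extfile "$2.ext" -out "$2.crt" 2>/dev/null
}

# Check 1: the chain test the server does with its "ca" file.
# Exit 0 = leaf chains to this CA; non-zero = wrong PKI, the handshake will fail.
chains_to() {  # $1 = ca.crt, $2 = leaf.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# Check 2: the EKU the peer's remote-cert-tls will demand
# (client -> "TLS Web Client Authentication", server -> "TLS Web Server Authentication").
has_eku() {  # $1 = leaf.crt, $2 = EKU name as printed by "openssl x509 -text"
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | grep -q "$2"
}
# Check 3: triage from the "VERIFY OK: depth=0/1" log lines: the leaf's issuer DN
# must equal the CA's subject DN, otherwise it came from a different PKI.
issuer_matches_ca() {  # $1 = ca.crt, $2 = leaf.crt
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer/subject/')" ]
}

# Scenario: old-ca signed the client cert during earlier testing; the server now
# trusts current-ca only, so the client cert must be regenerated under current-ca.
make_ca old-ca; make_ca current-ca
make_leaf old-ca client-old clientAuth
make_leaf current-ca client-new clientAuth
for leaf in client-old client-new; do
    if chains_to current-ca.crt "$leaf.crt"; then echo "$leaf.crt: chains to current-ca.crt"
    else echo "$leaf.crt: NOT issued by current-ca.crt (handshake would fail)"; fi
done
```

With the thread's server config, "remote-cert-tls server" makes the server demand the server EKU on the client certificate (hence the log's "expects TLS Web Server Authentication" line), whereas a server normally uses "remote-cert-tls client"; has_eku takes whichever string applies to your config.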
