When activating the client certificate check, I get the following error. It works fine with "verify-client-cert none". I can't figure out what's happening.
Code:
RFri Apr 13 10:54:14 2018 us=284429 192.168.1.1:42300 TLS: Initial packet from [AF_INET]192.168.1.1:42300, sid=21d25947 a8752e76
WRRWWRRWRFri Apr 13 10:54:17 2018 us=187049 192.168.1.1:42300 VERIFY OK: depth=1, C=FR, ST=France, L=Rennes, O=digze, OU=Lead, CN=digze CA, ??=Pierre Parent, emailAddress=pierre.parent@digze.net
Fri Apr 13 10:54:17 2018 us=190479 192.168.1.1:42300 Validating certificate key usage
Fri Apr 13 10:54:17 2018 us=190899 192.168.1.1:42300 VERIFY KU OK
Fri Apr 13 10:54:17 2018 us=191255 192.168.1.1:42300 Validating certificate extended key usage
Fri Apr 13 10:54:17 2018 us=191621 192.168.1.1:42300 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Fri Apr 13 10:54:17 2018 us=191979 192.168.1.1:42300 VERIFY EKU OK
Fri Apr 13 10:54:17 2018 us=192344 192.168.1.1:42300 VERIFY OK: depth=0, C=US, ST=CA, L=SanFrancisco, O=Fort-Funston, OU=MyOrganizationalUnit, CN=client, ??=EasyRSA, emailAddress=me@myhost.mydomain
Fri Apr 13 10:54:17 2018 us=192765 192.168.1.1:42300 TLS_ERROR: read tls_read_plaintext error: SSL - Processing of the Certificate handshake message failed
Fri Apr 13 10:54:17 2018 us=193396 192.168.1.1:42300 TLS Error: TLS object -> incoming plaintext read error
Fri Apr 13 10:54:17 2018 us=193755 192.168.1.1:42300 TLS Error: TLS handshake failed
Fri Apr 13 10:54:17 2018 us=195742 192.168.1.1:42300 Fatal TLS error (check_tls_errors_co), restarting
Fri Apr 13 10:54:17 2018 us=196180 192.168.1.1:42300 SIGUSR1[soft,tls-error] received, client-instance restarting
Fri Apr 13 10:54:17 2018 us=197745 TCP/UDP: Closing socket
Code:
#mode server
tls-server
mode server
# Local machine IP
# local 192.168.1.1
# Port in use
port 1194
# TCP or UDP
proto tcp-server
# Network interface to bring up (tap0 because it is bridged)
dev tap0
# Self-signed certificate of our certificate authority
ca /etc/openvpn/keys/ca.crt
# Server certificate
cert /etc/openvpn/keys/myserver.crt
# Server key
key /etc/openvpn/keys/myserver.key
# Encryption parameters
dh /etc/openvpn/keys/dh2048.pem
# So that clients can see each other
client-to-client
# Note: remote-cert-tls names the EKU the *peer* certificate must carry. On a
# server, "remote-cert-tls server" demands "TLS Web Server Authentication" from
# every client certificate (this is the "expects TLS Web Server Authentication"
# line in the log); the manual's server-side setting is "remote-cert-tls client".
remote-cert-tls server
# Ping every 5 seconds; if there is no reply within 30 seconds, the tunnel is torn down
keepalive 5 30
# Compression to speed up traffic
# comp-lzo
# Username and Password authentication.
verify-client-cert require
script-security 2
auth-user-pass-verify /etc/openvpn/server-passwords-check.sh via-file
#plugin /usr/lib/openvpn/openvpn-auth-pam.so login
persist-key
persist-tun
## Log file path
log-append /var/log/openvpn/server.log
# Log detail level, from 0 to 9
verb 5
Code:
client
dev tap0
proto tcp
remote x.x.154.82 443
persist-key
persist-tun
# SSL/TLS parms.
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
remote-cert-tls server
# Encryption parameters
# Note: dh is required for tls-server only; it has no effect on a client.
dh /etc/openvpn/keys/dh2048.pem
# cipher AES-256-CBC
auth-user-pass /etc/openvpn/client-password
# Enable compression on the VPN link.
# comp-lzo
## Log file path
log-append /var/log/openvpn/client.log
# Set log file verbosity.
verb 5
Thanks a lot in advance!
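As an added example that is not part of the original post or of OpenVPN itself: a small Python lint run over constructed copies of the two configs above, checking that the direction of remote-cert-tls (which names the EKU the peer certificate must carry) and the placement of dh match each file's role as the OpenVPN manual describes them.

```python
# Constructed sample configs, modelled on the two files in the post (not the
# poster's own files); only the role-related directives are kept.
SERVER_CONF = """\
tls-server
mode server
proto tcp-server
dh /etc/openvpn/keys/dh2048.pem
remote-cert-tls server
verify-client-cert require
"""

CLIENT_CONF = """\
client
proto tcp
remote-cert-tls server
dh /etc/openvpn/keys/dh2048.pem
"""


def parse_conf(text):
    """Map each active directive to its argument list ('#' / ';' lines are comments)."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def lint_role_options(text):
    """Return findings for directives whose direction contradicts the config's role.

    remote-cert-tls names the EKU the *peer* must carry: a server should say
    'client' (expects 'TLS Web Client Authentication'), a client should say
    'server'. dh is consumed by tls-server only.
    """
    opts = parse_conf(text)
    is_server = ("tls-server" in opts or "server" in opts
                 or opts.get("mode") == ["server"])
    role, want = ("server", "client") if is_server else ("client", "server")
    findings = []
    rct = opts.get("remote-cert-tls")
    if rct and rct != [want]:
        findings.append(
            f"remote-cert-tls {rct[0]}: a {role} config should use "
            f"'remote-cert-tls {want}'; with '{rct[0]}' every peer certificate "
            f"must carry the 'TLS Web {rct[0].capitalize()} Authentication' EKU")
    if "dh" in opts and not is_server:
        findings.append("dh: required for tls-server only; it does nothing on a client")
    return findings


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF), ("client", CLIENT_CONF)):
        for finding in lint_role_options(conf):
            print(f"[{name}] {finding}")
```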