Open VPN Cert Errors

Post by aninterestingconcept » Sat Dec 26, 2020 7:33 pm

All of a sudden today our clients can't connect.

We run several Ubuntu servers with OpenVPN and if this is going to happen to all of them this is a problem.
Have tried with older and new client side software, similar errors. Running server 2.8.6, just updated to 2.8.7 during troubleshooting, no change. Why/how would this happen? Server was built 3 months ago, running on Ubuntu 20.04 LTS.

Client 3.2.1
There was an error attempting to connect to the selected server.
Error Message: OpenSSLContext::SSL::read_cleartext:
BIO_read failed, cap=2576 status=-1:
error:1416F086:SSL
routines:tls_process_server_certificate:
certificate verify failed

Client 2.7.1.110
Server certificate verification failed:
mbed TLS: SSL read error : X509 -
Certificate verification failed, e.g.
CRL, CA or signature check failed

Somebody please help!

Re: Open VPN Cert Errors

Post by aninterestingconcept » Mon Dec 28, 2020 4:41 pm

We ended up doing the init procedure as well. I see someone had a post a few days after ours about the same issue.
viewtopic.php?f=24&t=30809

We agree, it is annoying that the console does not show the internal CA's expiration date. We had imported this VPN config from a previous version so we didn't have to reconfigure every single end user. Not all users are computer savvy. Also, with the new client V3 we can't push the same install remotely to clients on a whim without having to touch each user to import the .ovpn file. The older v2 msi works great for pushing to clients and just working.

We are internally working on a script/command to check the internal certs' expiration to track for our clients. It would be better if OpenVPN support had an actual step by step procedure in place to help; as the previously linked post stated, not all of us are experts in this area, and rebuilding an entire server or having to touch multiple endpoints after fixing is not ideal.
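
An expiry check of the kind the post above describes, as an added example (not the poster's script and not OpenVPN's own tooling). It assumes the CA certificate is available as a PEM file or inline in the `<ca>` block of a .ovpn profile; the function names, the `WARN_DAYS` variable and the 60-day default are hypothetical.

```shell
#!/bin/sh
# Added example: report how close a CA certificate is to expiry.
# Input: a PEM certificate file, or an OpenVPN .ovpn profile with an inline <ca> block.

# Print the PEM certificate text from FILE (only the <ca> section for profiles).
extract_ca() {
    if grep -q '^<ca>' "$1"; then
        sed -n '/^<ca>/,/^<\/ca>/p' "$1"
    else
        cat "$1"
    fi | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# check_ca_expiry FILE [DAYS]
# Returns 0 = valid beyond DAYS, 1 = expires within DAYS, 2 = expired, 3 = unreadable.
# Only the first certificate in the input is examined.
check_ca_expiry() {
    ca_file=$1
    ca_days=${2:-60}          # warning window; 60 is an arbitrary default
    ca_pem=$(extract_ca "$ca_file")
    if [ -z "$ca_pem" ]; then
        echo "UNKNOWN  $ca_file: no certificate found"; return 3
    fi
    ca_end=$(printf '%s\n' "$ca_pem" | openssl x509 -noout -enddate) || return 3
    ca_end=${ca_end#notAfter=}
    if ! printf '%s\n' "$ca_pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        echo "EXPIRED  $ca_file: CA expired $ca_end"; return 2
    fi
    if ! printf '%s\n' "$ca_pem" | openssl x509 -noout -checkend $((ca_days * 86400)) >/dev/null; then
        echo "WARNING  $ca_file: CA expires $ca_end (within $ca_days days)"; return 1
    fi
    echo "OK       $ca_file: CA valid until $ca_end"
}

# Check every file named on the command line; non-zero exit if any needs attention.
main() {
    rc=0
    for f in "$@"; do
        check_ca_expiry "$f" "${WARN_DAYS:-60}" || rc=1
    done
    return $rc
}
main "$@"
```

Set `WARN_DAYS` to change the warning window. The script exits non-zero when any file is expired, expiring or unreadable, which suits a cron job or monitoring check.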
