All of a sudden today our clients can't connect.
We run several Ubuntu servers with OpenVPN and if this is going to happen to all of them this is a problem.
Have tried with older and new client side software, similar errors. Running server 2.8.6, just updated to 2.8.7 during troubleshooting, no change. Why/How would this happen? Server was built 3 months ago, running on Ubuntu 20.04 LTS.
Client 3.2.1:
There was an error attempting to connect to the selected server.
Error Message: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Client 2.7.1.110:
Server certificate verification failed: mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
Somebody please help!
Open VPN Cert Errors
- OpenVpn Newbie
- Posts: 5
- Joined: Fri Jul 24, 2020 6:17 pm
Re: Open VPN Cert Errors
We ended up doing the init procedure as well. I see someone had a post a few days after ours about the same issue.
viewtopic.php?f=24&t=30809
We agree, it is annoying that the console does not show the internal CA's expiration date. We had imported this VPN config from a previous version so we didn't have to reconfigure every single end user. Not all users are computer savvy. Also, with the new client V3 we can't push the same install remotely to clients on a whim without having to touch each user to import the .ovpn file. The older v2 msi works great for pushing to clients and just working.
We are internally working on a script/command to check the internal certs' expiration to track for our clients. It would be better if OpenVPN support had an actual step-by-step procedure in place to help; as the previous linked post stated, not all of us are experts in this area, and rebuilding an entire server or having to touch multiple endpoints after fixing is not ideal.
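One way to do the expiration check mentioned in the post above, as an added example that is not part of the original thread or of OpenVPN's own tooling. It assumes the `openssl` command-line tool is installed and that the CA certificate is available either as a PEM file or inside a client .ovpn profile's inline `<ca>` block; the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: report certificates that expire within DAYS days.
# Usage: check_cert_expiry DAYS FILE...
# FILE is a PEM certificate (e.g. an exported CA cert) or a client .ovpn
# profile; for a profile, the inline <ca>...</ca> block is checked.
# File names are supplied by the caller; none are assumed here.

# Print every PEM certificate found in the file (or in its <ca> block).
extract_ca_pem() {
    case "$1" in
        *.ovpn) sed -n '/<ca>/,/<\/ca>/p' "$1" ;;
        *)      cat "$1" ;;
    esac | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Returns 0 if every certificate is valid beyond DAYS, 1 otherwise.
check_cert_expiry() {
    days=$1; shift
    secs=$((days * 86400))
    rc=0
    for f in "$@"; do
        pem=$(extract_ca_pem "$f")
        n=$(printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true)
        if [ "$n" -eq 0 ]; then
            echo "NOCERT   $f: no certificate found"; rc=1; continue
        fi
        i=1
        while [ "$i" -le "$n" ]; do
            # Select the i-th certificate of a bundle/chain.
            cert=$(printf '%s\n' "$pem" | awk -v want="$i" '/BEGIN CERTIFICATE/{c++} c==want')
            subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
            enddate=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate | cut -d= -f2)
            # -checkend exits non-zero if the cert expires within $secs
            # seconds (an already expired cert fails too).
            if printf '%s\n' "$cert" | openssl x509 -noout -checkend "$secs" >/dev/null; then
                echo "OK       $f: $subject (notAfter=$enddate)"
            else
                echo "EXPIRING $f: $subject (notAfter=$enddate)"; rc=1
            fi
            i=$((i + 1))
        done
    done
    return "$rc"
}

# Run directly: ./check_cert_expiry.sh 30 ca.crt user.ovpn
if [ "$#" -gt 0 ]; then check_cert_expiry "$@"; fi
```

Run from cron with a generous threshold (for example 60 days) and alert on a non-zero exit status, so an expiring internal CA is noticed before clients start failing certificate verification.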