Not able to connect with remote-cert-tls server but it's suggested... why ?

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Elrick91
OpenVpn Newbie
Posts: 6
Joined: Sun Apr 11, 2021 7:51 am


Post by Elrick91 » Mon Apr 19, 2021 7:17 pm

Hi to all,

I have installed OpenVPN Access Server successfully on Docker.
I tried to optimise the ovpn configuration file based on the error message displayed.

During connection, I see this error message:

WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.

So I just replaced `ns-cert-type server` with `remote-cert-tls server` and I get the following error:

Mon Apr 19 20:50:01 2021 Certificate does not have key usage extension
Mon Apr 19 20:50:01 2021 VERIFY KU ERROR
Mon Apr 19 20:50:01 2021 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Apr 19 20:50:01 2021 TLS_ERROR: BIO read tls_read_plaintext error
Mon Apr 19 20:50:01 2021 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 19 20:50:01 2021 TLS Error: TLS handshake failed


Can someone tell me how to fix it, please?

The ovpn file is below:


cipher AES-256-CBC
setenv FORWARD_COMPATIBLE 1
client
proto udp
nobind
remote 1XX.XXX.XXX.XXX
port XXXXXXXX
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
auth-user-pass
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
.............
</ca>
<cert>
.............
</cert>
<key>
............
</key>
key-direction 1
<tls-auth>
............
</tls-auth>
cipher AES-256-GCM
## -----BEGIN RSA SIGNATURE-----
## -----END CERTIFICATE-----

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Not able to connect with remote-cert-tls server but it's suggested... why ?

Post by openvpn_inc » Wed Apr 28, 2021 3:14 pm

Hi There,

We advise you not to try to remove or replace `ns-cert-type` verification, because that would mean you disable all verification, which is worse than having some verification; that is why this is included by default even if it is tagged as deprecated. This option, by the way, cannot be replaced with something better until our OpenVPN Access Server 2.9 with the certificate revamp has been completed. The better server certificate verification methods can't be used on the certificates that Access Server generates and uses at this time. So `ns-cert-type` is the correct way of doing server verification now; disabling it means no server verification method at all, which is worse than using an older method. Second, we advise you to just disregard the deprecation message you are getting. The product is functioning as it should. We use `ns-cert-type server` currently, and it does the same thing.

Also, just to let you know, we don't officially support running Access Server inside a container, whether it is OpenVZ, Docker or LXD.

Regards,
Crowley
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
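The two options in this thread check different X.509 extensions, which is why swapping one for the other produced "Certificate does not have key usage extension / VERIFY KU ERROR": `ns-cert-type server` looks for the Netscape Cert Type extension with the SSL Server bit, while `remote-cert-tls server` requires a Key Usage extension to be present and an Extended Key Usage containing TLS Web Server Authentication. The script below is an added example, not code from the thread or from OpenVPN Inc. It assumes the `openssl` CLI is installed, builds a throwaway CA and one server key under constructed names (`Example VPN CA`, `vpn.example.test`), signs that key under four extension profiles, and reports which client-side option each resulting certificate can satisfy. Run it against a real server certificate by calling `cert_modes path/to/server.crt` to see which verification line a client profile can safely carry.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenVPN Inc.). Needs the openssl CLI.
# Signs one server key under four extension profiles and reports which OpenVPN
# client-side check each certificate passes:
#   ns-cert-type server    -> Netscape Cert Type extension contains "SSL Server"
#   remote-cert-tls server -> a Key Usage extension is present AND Extended Key Usage
#                             contains "TLS Web Server Authentication"
#                             (OpenVPN 2.4+; 2.3 also insisted on specific Key Usage bits)
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
EOF

# Throwaway CA plus one server key/CSR (constructed names) that every profile is signed from.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
  -config "$WORK/req.cnf" -subj "/CN=Example VPN CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -config "$WORK/req.cnf" -subj "/CN=vpn.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null

# sign_server NAME 'extension lines'  -> writes $WORK/NAME.crt
sign_server() {
  printf '%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# ext_value CERT_TEXT 'Extension name' -> the value line printed under that extension
# in `openssl x509 -text` output (empty when the extension is absent).
ext_value() {
  printf '%s\n' "$1" | awk -v pat="$2" 'found { print; exit } index($0, pat) { found = 1 }'
}

# cert_modes CERT_FILE -> the OpenVPN option(s) the certificate satisfies, or "none"
cert_modes() {
  txt=$(openssl x509 -in "$1" -noout -text)
  modes=""
  case "$(ext_value "$txt" "Netscape Cert Type")" in
    *"SSL Server"*) modes="ns-cert-type" ;;
  esac
  # remote-cert-tls server: Key Usage must exist at all, then EKU must say serverAuth.
  if [ -n "$(ext_value "$txt" "X509v3 Key Usage")" ]; then
    case "$(ext_value "$txt" "X509v3 Extended Key Usage")" in
      *"TLS Web Server Authentication"*) modes="${modes:+$modes }remote-cert-tls" ;;
    esac
  fi
  printf '%s\n' "${modes:-none}"
}

# Four profiles: the legacy nsCertType-only shape the reply describes, an EKU-only
# cert (fails remote-cert-tls exactly like the log above, no Key Usage), a modern
# KU+EKU cert, and one carrying all three so old and new client options both verify it.
sign_server legacy  'nsCertType = server'
sign_server ekuonly 'extendedKeyUsage = serverAuth'
sign_server modern  'keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth'
sign_server compat  'nsCertType = server
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth'

for name in legacy ekuonly modern compat; do
  printf '%-8s %s\n' "$name" "$(cert_modes "$WORK/$name.crt")"
done
```

The takeaway for a self-managed CA is the `compat` profile: issue the server certificate with nsCertType, keyUsage and extendedKeyUsage together, and clients can use `remote-cert-tls server` while older profiles that still carry `ns-cert-type server` keep working. For a certificate that reports only `ns-cert-type`, as the reply says is the case for Access Server-generated certificates at the time of the thread, the deprecated line is the one that actually verifies the server, and removing it without a replacement leaves no server verification at all.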
