[Solved] Cert Errors Openvpn 2.3.4 easyrsa3

Support forum for Easy-RSA certificate management suite.
cswcoo
OpenVpn Newbie
Posts: 2
Joined: Wed May 21, 2014 1:02 pm

[Solved] Cert Errors Openvpn 2.3.4 easyrsa3

Post by cswcoo » Wed May 21, 2014 1:09 pm

I installed the latest openvpn from source and downloaded easyrsa3 from github.

I created my pki structure and used build-server-full to build my server cert.

I ran build-server-full server nopass which worked fine.

I also created a client cert (build-client-full testclient nopass) which worked fine.

When I try to use the certs to connect I am getting this error

VERIFY nsCertType ERROR: /CN=server require nsCertType=SERVER and then I see SSL3_GET_SERVER_CERTIFICATE: certificate verify failed.

I know the problem is the PKIs. What is the best approach to correcting this?
Last edited by debbie10t on Sat Sep 06, 2014 4:37 pm, edited 1 time in total.
Reason: Title Clarity

vlstill
OpenVpn Newbie
Posts: 2
Joined: Mon Sep 01, 2014 1:16 pm

Re: Cert Errors Openvpn 2.3.4

Post by vlstill » Mon Sep 01, 2014 1:29 pm

I have the same problem.
(I omitted some values and replaced them with ...)

Server config:

Code:

port ...
proto udp
dev tun0

ca    ...
cert  ...
key   ...
dh    ...
tls-auth ... 0

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120

user  ovpn_serv
group ovpn_serv

verb 5

Client config:

Code:

client
dev tun
proto udp

remote ... ...
remote ... ...

resolv-retry infinite
nobind
user openvpn
group openvpn

persist-key
persist-tun

ca ...
cert ...
key ...
tls-auth ... 1

ns-cert-type server
verb 3

Log on server:

Code:

Sep 01 15:19:46 server openvpn[1745]: Mon Sep  1 15:19:46 2014 us=22521 147.251.45.226:53630 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 01 15:20:11 server openvpn[1745]: Mon Sep  1 15:20:11 2014 us=343704 147.251.45.226:47053 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 01 15:20:11 server openvpn[1745]: Mon Sep  1 15:20:11 2014 us=343775 147.251.45.226:47053 TLS Error: TLS handshake failed
Sep 01 15:20:11 server openvpn[1745]: Mon Sep  1 15:20:11 2014 us=343959 147.251.45.226:47053 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905218 MULTI: multi_create_instance called
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905333 147.251.45.226:43971 Re-using SSL/TLS context
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905489 147.251.45.226:43971 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905522 147.251.45.226:43971 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905588 147.251.45.226:43971 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905609 147.251.45.226:43971 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905648 147.251.45.226:43971 Local Options hash (VER=V4): 'a2e2498c'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep  1 15:20:15 2014 us=905683 147.251.45.226:43971 Expected Remote Options hash (VER=V4): '70f5b3af'
Sep 01 15:20:15 server openvpn[1745]: RMon Sep  1 15:20:15 2014 us=905747 147.251.45.226:43971 TLS: Initial packet from [AF_INET]147.251.45.226:43971, sid=af1709c5 32db0c3d
Sep 01 15:20:42 server openvpn[1745]: WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWMon Sep  1 15:20:42 2014 us=134582 MULTI: multi_create_instance called
Sep 01 15:20:42 server openvpn[1745]: Mon Sep  1 15:20:42 2014 us=134703 147.251.45.226:49238 Re-using SSL/TLS context
Sep 01 15:20:42 server openvpn[1745]: Mon Sep  1 15:20:42 2014 us=134861 147.251.45.226:49238 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sep 01 15:20:42 server openvpn[1745]: Mon Sep  1 15:20:42 2014 us=134895 147.251.45.226:49238 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 01 15:20:42 server openvpn[1745]: Mon Sep  1 15:20:42 2014 us=134991 147.251.45.226:49238 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep  1 15:20:42 2014 us=135016 147.251.45.226:49238 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep  1 15:20:42 2014 us=135055 147.251.45.226:49238 Local Options hash (VER=V4): 'a2e2498c'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep  1 15:20:42 2014 us=135090 147.251.45.226:49238 Expected Remote Options hash (VER=V4): '70f5b3af'
Sep 01 15:20:42 server openvpn[1745]: RMon Sep  1 15:20:42 2014 us=135153 147.251.45.226:49238 TLS: Initial packet from [AF_INET]147.251.45.226:49238, sid=0cb1cf07 7c2b36a5
Sep 01 15:21:15 server openvpn[1745]: WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWWWWWWWWMon Sep  1 15:21:15 2014 us=915284 147.251.45.226:43971 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 01 15:21:15 server openvpn[1745]: Mon Sep  1 15:21:15 2014 us=915355 147.251.45.226:43971 TLS Error: TLS handshake failed
Log on client:

Code:

Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 UDPv4 link local: [undef]
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 UDPv4 link remote: [AF_INET] <...>
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 TLS: Initial packet from [AF_INET] <...>, sid=f47688f7 8e130a59
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 VERIFY OK: depth=1, CN=Easy-RSA CA
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 VERIFY nsCertType ERROR: CN=server, require nsCertType=SERVER
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 TLS Error: TLS object -> incoming plaintext read error
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 TLS Error: TLS handshake failed
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 SIGUSR1[soft,tls-error] received, process restarting
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep  1 15:12:43 2014 Restart pause, 2 second(s)
Both computers are running NixOS Linux x86_64, OpenVPN 2.3.4, and the keys were generated by easyrsa3 (this might be the cause).
The server key contains the following X509v3 extensions:

Code:

        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                <...>
            X509v3 Authority Key Identifier: 
                keyid:<...>
                DirName:/CN=Easy-RSA CA
                serial:<...>

            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment

vlstill
OpenVpn Newbie
Posts: 2
Joined: Mon Sep 01, 2014 1:16 pm

Re: Cert Errors Openvpn 2.3.4 [solved]

Post by vlstill » Mon Sep 01, 2014 2:07 pm

Solved: It seems that

Code:

ns-cert-type server

is deprecated and

Code:

remote-cert-tls server

should be used for certificates generated with easyrsa3. They list it in the manual as the way to go for OpenVPN 2.1+: http://openvpn.net/index.php/open-sourc ... .html#mitm
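The distinction behind the fix is visible in the certificate itself: easyrsa3 issues server certificates with the Extended Key Usage "TLS Web Server Authentication" (which `remote-cert-tls server` checks), while the older `ns-cert-type server` option looks for the legacy Netscape nsCertType extension, which the extension dump in the earlier post does not contain. The script below is an added example, not code from the thread or from the Easy-RSA project; it assumes only the openssl command-line tool. It generates a throwaway CA and two server certificates in a temporary directory (one with the easyrsa3-style extension set, one with only nsCertType=server, both constructed here) and reports which OpenVPN client-side option each one will satisfy, so you can run the same `classify_server_cert` check against your own server.crt before changing the client config.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes only the openssl CLI.
# All key material is generated into a temporary directory and removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One throwaway CA, reused for both server certs (CN mirrors the thread's log).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "/CN=Easy-RSA CA" 2>/dev/null
}

# Issue a server cert for /CN=server signed by the throwaway CA.
# $1 = output basename, $2 = openssl x509v3 extension lines. Prints the cert path.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=server" 2>/dev/null
  printf '%s\n' "$2" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
  echo "$WORK/$1.crt"
}

# easyrsa3 style (constructed to match the X509v3 dump posted above):
# EKU serverAuth, key usage, and no Netscape nsCertType at all.
easyrsa3_cert() {
  issue_server_cert easyrsa3 'basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
keyUsage=digitalSignature,keyEncipherment'
}

# Legacy easy-rsa 2 style (constructed): only the Netscape nsCertType=server flag.
legacy_cert() {
  issue_server_cert legacy 'basicConstraints=CA:FALSE
nsCertType=server'
}

# Report which OpenVPN client option will accept the given server certificate:
#   remote-cert-tls : EKU "TLS Web Server Authentication" is present
#   ns-cert-type    : Netscape Cert Type "SSL Server" is present
#   both            : either option works
#   none            : neither check can pass; OpenVPN will reject the server
classify_server_cert() {
  text=$(openssl x509 -in "$1" -noout -text)
  has_eku=0; has_ns=0
  printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' && has_eku=1
  printf '%s\n' "$text" | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server' && has_ns=1
  if   [ "$has_eku" -eq 1 ] && [ "$has_ns" -eq 1 ]; then echo both
  elif [ "$has_eku" -eq 1 ]; then echo remote-cert-tls
  elif [ "$has_ns" -eq 1 ]; then echo ns-cert-type
  else echo none
  fi
}

make_ca
for c in $(easyrsa3_cert) $(legacy_cert); do
  printf '%s -> %s\n' "$(basename "$c")" "$(classify_server_cert "$c")"
done
```

To check a real certificate, call `classify_server_cert /path/to/server.crt` (or just run `openssl x509 -in server.crt -noout -text` and look for the two strings the function greps for). A cert that classifies as `remote-cert-tls` will fail on a client configured with `ns-cert-type server`, which is exactly the VERIFY nsCertType ERROR seen in this thread.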
