I installed the latest openvpn from source and downloaded easyrsa3 from github.
I created my pki structure and used build-server-full to build my server cert.
I ran build-server-full server nopass which worked fine.
I also created a client cert (build-client-full testclient nopass) which worked fine.
When I try to use the certs to connect I am getting this error:
VERIFY nsCertType ERROR: /CN=server require nsCertType=SERVER
and then I see SSL3_GET_SERVER_CERTIFICATE: certificate verify failed.
I know the problem is the PKIs. What is the best approach to correcting this?
[Solved] Cert Errors Openvpn 2.3.4 easyrsa3
Last edited by debbie10t on Sat Sep 06, 2014 4:37 pm, edited 1 time in total.
Reason: Title Clarity
Re: Cert Errors Openvpn 2.3.4
I have the same problem.
Both computers are running NixOS linux x86_64, OpenVPN 2.3.4, and keys were generated by easyrsa3 (this might be the cause).
(I omitted some values and replaced them with ...)
Server config:
port ...
proto udp
dev tun0
ca ...
cert ...
key ...
dh ...
tls-auth ... 0
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
user ovpn_serv
group ovpn_serv
verb 5
Client config:
client
dev tun
proto udp
remote ... ...
remote ... ...
resolv-retry infinite
nobind
user openvpn
group openvpn
persist-key
persist-tun
ca ...
cert ...
key ...
tls-auth ... 1
ns-cert-type server
verb 3
Log on server:
Sep 01 15:19:46 server openvpn[1745]: Mon Sep 1 15:19:46 2014 us=22521 147.251.45.226:53630 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 01 15:20:11 server openvpn[1745]: Mon Sep 1 15:20:11 2014 us=343704 147.251.45.226:47053 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 01 15:20:11 server openvpn[1745]: Mon Sep 1 15:20:11 2014 us=343775 147.251.45.226:47053 TLS Error: TLS handshake failed
Sep 01 15:20:11 server openvpn[1745]: Mon Sep 1 15:20:11 2014 us=343959 147.251.45.226:47053 SIGUSR1[soft,tls-error] received, client-instance restarting
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905218 MULTI: multi_create_instance called
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905333 147.251.45.226:43971 Re-using SSL/TLS context
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905489 147.251.45.226:43971 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905522 147.251.45.226:43971 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905588 147.251.45.226:43971 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905609 147.251.45.226:43971 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905648 147.251.45.226:43971 Local Options hash (VER=V4): 'a2e2498c'
Sep 01 15:20:15 server openvpn[1745]: Mon Sep 1 15:20:15 2014 us=905683 147.251.45.226:43971 Expected Remote Options hash (VER=V4): '70f5b3af'
Sep 01 15:20:15 server openvpn[1745]: RMon Sep 1 15:20:15 2014 us=905747 147.251.45.226:43971 TLS: Initial packet from [AF_INET]147.251.45.226:43971, sid=af1709c5 32db0c3d
Sep 01 15:20:42 server openvpn[1745]: WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWMon Sep 1 15:20:42 2014 us=134582 MULTI: multi_create_instance called
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134703 147.251.45.226:49238 Re-using SSL/TLS context
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134861 147.251.45.226:49238 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134895 147.251.45.226:49238 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=134991 147.251.45.226:49238 Local Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 0,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=135016 147.251.45.226:49238 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1541,tun-mtu 1500,proto UDPv4,keydir 1,cipher BF-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=135055 147.251.45.226:49238 Local Options hash (VER=V4): 'a2e2498c'
Sep 01 15:20:42 server openvpn[1745]: Mon Sep 1 15:20:42 2014 us=135090 147.251.45.226:49238 Expected Remote Options hash (VER=V4): '70f5b3af'
Sep 01 15:20:42 server openvpn[1745]: RMon Sep 1 15:20:42 2014 us=135153 147.251.45.226:49238 TLS: Initial packet from [AF_INET]147.251.45.226:49238, sid=0cb1cf07 7c2b36a5
Sep 01 15:21:15 server openvpn[1745]: WRRWRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWWWWWWWWWWWWWWWWWWWWMon Sep 1 15:21:15 2014 us=915284 147.251.45.226:43971 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Sep 01 15:21:15 server openvpn[1745]: Mon Sep 1 15:21:15 2014 us=915355 147.251.45.226:43971 TLS Error: TLS handshake failed
Log on client:
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 UDPv4 link local: [undef]
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 UDPv4 link remote: [AF_INET] <...>
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS: Initial packet from [AF_INET] <...>, sid=f47688f7 8e130a59
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 VERIFY OK: depth=1, CN=Easy-RSA CA
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 VERIFY nsCertType ERROR: CN=server, require nsCertType=SERVER
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS Error: TLS object -> incoming plaintext read error
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 TLS Error: TLS handshake failed
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 SIGUSR1[soft,tls-error] received, process restarting
Sep 01 15:12:43 x220 openvpn[28800]: Mon Sep 1 15:12:43 2014 Restart pause, 2 second(s)
The server key contains the following X509v3 extensions:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
<...>
X509v3 Authority Key Identifier:
keyid:<...>
DirName:/CN=Easy-RSA CA
serial:<...>
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Key Usage:
Digital Signature, Key Encipherment
Re: Cert Errors Openvpn 2.3.4 [solved]
Solved: It seems that "ns-cert-type server" is deprecated and "remote-cert-tls server" should be used for certificates generated with easyrsa3. They list it in the manual as the way to go for openvpn 2.1+: http://openvpn.net/index.php/open-sourc ... .html#mitm
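Added example, not from the thread: a POSIX-shell check that inspects a server certificate the way the two client options do (ns-cert-type server looks for the Netscape nsCertType extension; remote-cert-tls server looks for EKU "TLS Web Server Authentication" plus a Key Usage of Digital Signature with Key Encipherment or Key Agreement), so a mismatch like the one in the logs above can be caught before a config is deployed. It assumes the openssl CLI is on PATH (1.1.1 or later for -addext); the sample certificates it generates are constructed for the demonstration only.

```shell
#!/bin/sh
# Added example (not the thread's code): report which OpenVPN client-side
# server-certificate check a certificate would satisfy.
#   ns-cert-type server    -> Netscape nsCertType extension containing "SSL Server"
#   remote-cert-tls server -> EKU "TLS Web Server Authentication" AND Key Usage
#                             "Digital Signature" with "Key Encipherment" or "Key Agreement"
# Easy-RSA 3 issues only the second set, which is why the thread's cert fails ns-cert-type.
# Assumes the openssl CLI (1.1.1+ for -addext) is on PATH.

# Usage: check_server_cert /path/to/server.crt
# Prints "ns-cert-type", "remote-cert-tls", both (space separated), or "none".
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    found=""
    if printf '%s\n' "$text" | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'; then
        found="ns-cert-type"
    fi
    # The Key Usage value is printed on the line after the extension name.
    ku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
    if printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'TLS Web Server Authentication' \
        && printf '%s\n' "$ku" | grep -q 'Digital Signature' \
        && printf '%s\n' "$ku" | grep -Eq 'Key Encipherment|Key Agreement'; then
        found="${found:+$found }remote-cert-tls"
    fi
    printf '%s\n' "${found:-none}"
}

# Constructed sample certificates (self-signed, throw-away keys, valid one day):
#   easyrsa3 -> the extension set shown in the thread (EKU serverAuth, KU DS+KE)
#   legacy   -> nsCertType=server only, the Easy-RSA 2 style the old option expects
#   bare     -> no usage extensions at all
# Prints the path of the generated certificate.
make_sample_cert() {
    dir=$(mktemp -d)
    case "$1" in
        easyrsa3) set -- -addext 'extendedKeyUsage=serverAuth' \
                         -addext 'keyUsage=digitalSignature,keyEncipherment' ;;
        legacy)   set -- -addext 'nsCertType=server' ;;
        *)        set -- ;;
    esac
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=server' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" "$@" 2>/dev/null
    printf '%s\n' "$dir/cert.pem"
}
```

Running `check_server_cert "$(make_sample_cert easyrsa3)"` prints `remote-cert-tls`, matching the thread's fix; pointing it at a real server.crt tells you which client option that PKI can satisfy.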