Official client software for OpenVPN Access Server and OpenVPN Cloud.
-
alteredstate
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Mar 02, 2018 1:55 am
by alteredstate » Fri Mar 02, 2018 2:16 am
Hello Everyone,
I was attempting to set up OpenVPN Connect (OpenVPN 1.2.9 build 0 (iOS 64-bit)) on my iPad (iOS 11.2.6) but I'm receiving this error after downloading the *.ovpn file from pfSense and installing it in OpenVPN Connect:
```
EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]
```
I've been able to download the *.ovpn file and get it to work with my Android in the past so I know it works. Also, OpenVPN Connect does not appear to try and connect to my OpenVPN Server before throwing this error but my OpenVPN Server version on pfSense is: OpenVPN 2.4.4 amd64-portbld-freebsd11.1. Anyone have an idea of how I could correct this issue?
-
by alteredstate » Mon Apr 02, 2018 4:57 pm
Anyone have an idea as to what is causing this error?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
by TinCanTech » Mon Apr 02, 2018 6:00 pm
alteredstate wrote: ↑Fri Mar 02, 2018 2:16 am
> I'm receiving this error after downloading the *.ovpn file from pfSense and installing it in OpenVPN Connect:
>
>     EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]

You need to know how pfSense created the certificate.
-
by alteredstate » Mon Apr 02, 2018 6:12 pm
TinCanTech wrote: ↑Mon Apr 02, 2018 6:00 pm
> alteredstate wrote: ↑Fri Mar 02, 2018 2:16 am
> > I'm receiving this error after downloading the *.ovpn file from pfSense and installing it in OpenVPN Connect:
> >
> >     EVENT: CORE_ERROR mbed TLS: error parsing ca certificate: X509 - CRT/CRL/CSR has an unsupported version number [ERR]
>
> You need to know how pfSense created the certificate.

Do you know where I would find this information at? I created the certificate through the webgui...and in the past it has worked just fine.
-
by TinCanTech » Mon Apr 02, 2018 8:25 pm
alteredstate wrote: ↑Mon Apr 02, 2018 6:12 pm
> Do you know where I would find this information at?

Perhaps the pfSense manual or forum ..

alteredstate wrote: ↑Mon Apr 02, 2018 6:12 pm
> X509 - CRT/CRL/CSR has an unsupported version number [ERR]

This is what a valid certificate looks like:
```
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e9:5a:70:40:5c:a2:ef:0a:e2:09:54:3d:81:12:33:a2
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=Easy-RSA CA
        Validity
            Not Before: Apr 2 19:13:23 2018 GMT
            Not After : Mar 30 19:13:23 2028 GMT
```
Version number 3 seems to be valid .. what version number is yours ?
-
by alteredstate » Tue Apr 03, 2018 12:12 am
TinCanTech wrote: ↑Mon Apr 02, 2018 8:25 pm
> alteredstate wrote: ↑Mon Apr 02, 2018 6:12 pm
> > Do you know where I would find this information at?
>
> Perhaps the pfSense manual or forum ..
>
> alteredstate wrote: ↑Mon Apr 02, 2018 6:12 pm
> > X509 - CRT/CRL/CSR has an unsupported version number [ERR]
>
> This is what a valid certificate looks like:
>
>     Certificate:
>         Data:
>             Version: 3 (0x2)
>             Serial Number:
>                 e9:5a:70:40:5c:a2:ef:0a:e2:09:54:3d:81:12:33:a2
>             Signature Algorithm: ecdsa-with-SHA256
>             Issuer: CN=Easy-RSA CA
>             Validity
>                 Not Before: Apr 2 19:13:23 2018 GMT
>                 Not After : Mar 30 19:13:23 2028 GMT
>
> Version number 3 seems to be valid .. what version number is yours ?

Forgive my ignorance but exactly what file are you getting that information from for OpenVPN? Here's what I have in /etc/openvpn on my pfSense box:
```
[2.4.2-RELEASE][root@pfSense]/var/etc/openvpn:
client1.ca
client1.cert
client1.conf
client1.interface
client1.key
client1.sock
client1.tls-auth
server2.ca
server2.cert
server2.conf
server2.interface
server2.key
server2.sock
server2.tls-auth
```
I also tried:
```
openssl pkcs12 -info -in ~/Downloads/OpenVPN+User+Cert.p12
```
I downloaded the OpenVPN+User+Cert.p12 file from the pfSense OpenVPN Client Export section but neither that nor the previous list of files showed anything about version information like in your example.
-
by TinCanTech » Tue Apr 03, 2018 12:29 am
alteredstate wrote: ↑Tue Apr 03, 2018 12:12 am
> what file are you getting that information from

a .cert file should have the same info ..
-
by alteredstate » Tue Apr 03, 2018 4:56 pm
TinCanTech wrote: ↑Tue Apr 03, 2018 12:29 am
> alteredstate wrote: ↑Tue Apr 03, 2018 12:12 am
> > what file are you getting that information from
>
> a .cert file should have the same info ..

```
[2.4.2-RELEASE][root@pfSense]/var/etc/openvpn: find / -name "*.cert"
/var/etc/openvpn/server2.cert
/var/etc/openvpn/client1.cert
```
Those were the files I previously mentioned that did not contain any version information.
```
[2.4.2-RELEASE][root@pfSense]/var/etc/openvpn: find / -name "*.crt"
/usr/local/share/certs/ca-root-nss.crt
/var/etc/cert.crt
```
ca-root-nss.crt is just the default bundle of X.509 certificates and cert.crt has no version information. I suppose I should take this issue to the pfSense forum. Thank you for the help though!
-
by TinCanTech » Tue Apr 03, 2018 5:40 pm
You can always try opening the cert on the client that uses it ..
-
by alteredstate » Tue Apr 03, 2018 8:44 pm
TinCanTech wrote: ↑Tue Apr 03, 2018 5:40 pm
> You can always try opening the cert on the client that uses it ..

These are all the OpenVPN client files you can download from the Client Export Utility (minus the Windows *.exe install files). The Client Export Utility is an installable package from the pfSense repository. I've been able to use one of these files and install it on my OpenVPN client to get it to work in the past. None of the files contain anything regarding version information.
```
marcus@macbookpro:~/Downloads$ tree ./OpenVPN\ User/
./OpenVPN User/
├── pfSense-UDP4-1194-marcus
│   ├── pfSense-UDP4-1194-marcus.ovpn
│   ├── pfSense-UDP4-1194-marcus.p12
│   └── pfSense-UDP4-1194-marcus-tls.key
├── pfSense-UDP4-1194-marcus-android-config.ovpn
├── pfSense-UDP4-1194-marcus-config.ovpn
├── pfSense-UDP4-1194-marcus-ios-config.ovpn
├── pfSense-UDP4-1194-marcus-viscosity-config.ovpn
└── Viscosity.visc
    ├── ca.crt
    ├── cert.crt
    ├── config.conf
    ├── key.key
    └── ta.key
```
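
Added example, not written by anyone in this thread: a PEM certificate is base64-encoded DER, so its version field is not readable as text until it is decoded. The Python code below reads the X.509 version of each certificate in a profile's inline `<ca>` block, assuming the exported .ovpn embeds the CA that way; `stub_pem` and `SAMPLE_PROFILE` are constructed sample data, not real certificates.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def x509_version(der):
    """Version as tools print it (1, 2, 3, ...) from a DER certificate."""
    pos = 0
    for _ in range(2):  # Certificate SEQUENCE, then tbsCertificate SEQUENCE
        tag, pos, end = read_tlv(der, pos)
        if tag != 0x30:
            raise ValueError("expected a DER SEQUENCE")
    tag, pos, end = read_tlv(der, pos)  # first field of tbsCertificate
    if tag != 0xA0:  # no [0] EXPLICIT wrapper: version defaults to v1
        return 1
    _, pos, end = read_tlv(der, pos)  # INTEGER inside [0]: 0=v1, 1=v2, 2=v3
    return int.from_bytes(der[pos:end], "big") + 1

def ca_versions(profile_text):
    """Version of every certificate in the profile's inline <ca> block."""
    block = re.search(r"<ca>(.*?)</ca>", profile_text, re.S)
    if block is None:
        raise ValueError("profile has no inline <ca> block")
    return [x509_version(base64.b64decode("".join(pem.split())))
            for pem in PEM_RE.findall(block.group(1))]

def unsupported(profile_text):
    """Versions outside v1..v3, the only ones X.509 defines."""
    return [v for v in ca_versions(profile_text) if not 1 <= v <= 3]

def stub_pem(version_field):
    """Constructed sample: DER headers plus version only, not a usable cert."""
    tbs = (b"" if version_field is None else bytes([0xA0, 3, 2, 1, version_field])) + b"\x02\x01\x01"
    der = bytes([0x30, len(tbs) + 2, 0x30, len(tbs)]) + tbs
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

SAMPLE_PROFILE = "client\n<ca>\n" + stub_pem(2) + stub_pem(3) + "</ca>\n"  # constructed
```

Passing the text of a real exported profile to `ca_versions` shows which embedded CA certificate, if any, carries a version field outside the defined range.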