Error message: Peer certificate verification failure
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Dec 09, 2021 9:32 am
Re: Error message: Peer certificate verification failure
Can we have an update from OpenVPN regarding this issue with OpenVPN Connect client?
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sun Jan 23, 2022 9:12 pm
Re: Error message: Peer certificate verification failure
Over 12000 views on this thread.
Same issue here, reproducible with the same versions outlined above.
Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Error message: Peer certificate verification failure
Hi Hazz,
Sorry, no. It does seem that there is some issue for OpenVPN Connect and verification of certificates with either of these:
- Azure Point-to-Site
- Synology NAS
AFAIK no one in this thread has yet opened a support ticket with the details. We need that. We need logs, ideally from Connect client AND the server. If I am not correct, and someone here has opened a ticket, please reply with the ticket number, so I can look it up and reopen if necessary.
Please use the link in my signature to provide us the information to try to figure this out. I can also suggest for Azure and Synology users to open support tickets with those companies.
> snwtoy wrote: ↑Tue Jan 25, 2022 2:04 am
> Over 12000 views on this thread.
> Same issue here, reproducible with the same versions outlined above.
> Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?
That indeed sounds like a plausible guess. Perhaps if you could get us openssl(1) x509(1) information about the server, client and CA certificates, we could check on that. If you don't know how to do that, attach those certificates (and DO NOT attach private keys) to a Support ticket. Certificates are safe to post; they do not require secure handling.
regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
- OpenVpn Newbie
- Posts: 1
- Joined: Thu Jan 27, 2022 12:13 pm
Re: Error message: Peer certificate verification failure
In my case the problem was an expired self-signed certificate on the Synology side.
The cert expired on January 24th. I don't know if this cert gets shipped from Synology or if it is created upon installing DSM (hence I don't know if it expires for everybody on that date or just me). In either way, it is NOT renewed automatically.
I got exactly the same error message when the cert expired: "Peer certificate verification failure".
The workaround is pretty easy, create a new self-signed cert, restart the Synology VPN server, remove the old config profile from all your clients, download the config profile from the Synology VPN server, and push it to the clients. Solved my problem.
-
- OpenVpn Newbie
- Posts: 3
- Joined: Thu Dec 09, 2021 9:32 am
Re: Error message: Peer certificate verification failure
> openvpn_inc wrote: ↑Wed Jan 26, 2022 1:10 am
> Hi Hazz,
> Sorry, no. It does seem that there is some issue for OpenVPN Connect and verification of certificates with either of these:
> - Azure Point-to-Site
> - Synology NAS
> Presumably each of those are running some variation of Community edition OpenVPN server. We don't support and maintain those, so we don't have the ability to test this.
> AFAIK no one in this thread has yet opened a support ticket with the details. We need that. We need logs, ideally from Connect client AND the server. If I am not correct, and someone here has opened a ticket, please reply with the ticket number, so I can look it up and reopen if necessary.
> Please use the link in my signature to provide us the information to try to figure this out. I can also suggest for Azure and Synology users to open support tickets with those companies.
> > snwtoy wrote: ↑Tue Jan 25, 2022 2:04 am
> > Over 12000 views on this thread.
> > Same issue here, reproducible with the same versions outlined above.
> > Is there an increase or change in certificate algorithm requirements which means a cert which works in previous versions is no longer strong enough in the latest version?
> That indeed sounds like a plausible guess. Perhaps if you could get us openssl(1) x509(1) information about the server, client and CA certificates, we could check on that. If you don't know how to do that, attach those certificates (and DO NOT attach private keys) to a Support ticket. Certificates are safe to post; they do not require secure handling.
> regards, rob0
Thanks for the reply. I will gather the logs together and submit a ticket. Will update thread with ticket number too.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Feb 01, 2022 7:33 pm
Re: Error message: Peer certificate verification failure
I'm also facing this issue when trying to connect to a Synology NAS.
Using the iOS client works fine, so it must be the Windows client that has a bug?
Looking at both logs I see this on the iOS client:
```
IV_VER=3.git::58b92569
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.ios_3.2.3-3760
IV_SSO=openurl
IV_BS64DL=1
```
But I see this on the Windows client:
```
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:BF-CBC
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.3.4-2600
IV_SSO=webauth,openurl,crtext
IV_BS64DL=1
```
Any noticeable differences that could explain the problem?
I tried different old versions and managed to download: openvpn-connect-3.1.3.713_signed.msi
This version (3.1.3.713) works fine!
This is the log of version 3.1.3.713 on Windows:
```
IV_GUI_VER=OCmacOS_3.1.3-713
IV_VER=3.git::f225fcd0
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_BS64DL=1
```
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed Feb 23, 2022 9:26 pm
Re: Error message: Peer certificate verification failure
Same here. If I use v3.3, it doesn't work (unless I remove the line starting with "verify-x509-name ...").
But if I use v2.7 or v3.2, then I don't have to remove anything in the config and it'll work fine.
-
- OpenVpn Newbie
- Posts: 2
- Joined: Thu Nov 07, 2013 7:06 pm
Re: Error message: Peer certificate verification failure
FYI,
I found that I did not have to remove the verify line, but instead needed to remove or replace the single-quotation marks.
Original Line: verify-x509-name 'serveraddress.synology.me' name
Working Line:
verify-x509-name serveraddress.synology.me name
OR
verify-x509-name "serveraddress.synology.me" name
Dream
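A profile check for the quoting problem described in the post above, added here as an example (it is not code from the thread or from OpenVPN): it flags `verify-x509-name` lines whose name is wrapped in single quotes and rewrites them to the bare or double-quoted form the post reports as working. `SAMPLE_PROFILE` is constructed, and `audit_profile` and `fix_profile` are hypothetical helper names.

```python
import re

# verify-x509-name <name> [type]; <name> may be bare, 'single' or "double" quoted.
# Commented-out lines (starting with # or ;) do not match.
_DIRECTIVE = re.compile(
    r"""^(?P<head>\s*verify-x509-name\s+)
        (?:'(?P<single>[^']*)'|"(?P<double>[^"]*)"|(?P<bare>\S+))
        (?P<tail>.*)$""",
    re.VERBOSE,
)

# Constructed sample profile; only the verify-x509-name line is from the thread.
SAMPLE_PROFILE = """\
client
dev tun
remote serveraddress.synology.me 1194
# verify-x509-name 'commented.example' name
verify-x509-name 'serveraddress.synology.me' name
"""


def audit_profile(text):
    """Return (line_number, name) for each single-quoted verify-x509-name."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = _DIRECTIVE.match(line)
        if match and match.group("single") is not None:
            findings.append((number, match.group("single")))
    return findings


def fix_profile(text):
    """Drop the single quotes; fall back to double quotes if the name needs them."""
    fixed = []
    for line in text.splitlines():
        match = _DIRECTIVE.match(line)
        if match and match.group("single") is not None:
            name = match.group("single")
            # A name containing whitespace (e.g. a subject DN) must stay quoted.
            if not name or re.search(r"\s", name):
                name = '"%s"' % name
            line = match.group("head") + name + match.group("tail")
        fixed.append(line)
    return "\n".join(fixed) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for number, name in audit_profile(SAMPLE_PROFILE):
        print("line %d: single-quoted name %s" % (number, name))
    print(fix_profile(SAMPLE_PROFILE), end="")
```

Rewriting the profile keeps the `verify-x509-name` check in place, so the client still verifies the server certificate name instead of skipping that check.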
-
- OpenVpn Newbie
- Posts: 1
- Joined: Wed May 25, 2022 11:17 pm
Re: Error message: Peer certificate verification failure
As a Mac user, it seems that OpenVPN Connect version 3.2.7 is my best hope at this point. I can't find a (reputable) link to that version anywhere on the web or openvpn.net. Does someone have a link they could provide?
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Jun 04, 2022 10:04 am
Re: Error message: Peer certificate verification failure
> DreamCypher wrote: ↑Fri May 13, 2022 9:27 pm
> I found that I did not have to remove the verify line, but instead needed to remove or replace the single-quotation marks.
Thank you DreamCypher!! This did the trick for me too!
In my case the .ovpn profile comes generated from Azure VPN Gateway, with single quotes around the remote name. Removing those single quotes as per your suggestion solved the issue!
-
- OpenVpn Newbie
- Posts: 2
- Joined: Sat Jun 04, 2022 10:04 am
Re: Error message: Peer certificate verification failure
And a note to OpenVPN staff here who keep insisting this must be an issue with the configuration: Not sure what the config profile rules are, but it definitely seems like a bug having been introduced in the client, whereby single quotes around the remote name are being included in the name rather than trimmed away during parsing.
-
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Aug 12, 2022 8:14 pm
Re: Error message: Peer certificate verification failure
> DreamCypher wrote: ↑Fri May 13, 2022 9:27 pm
> FYI,
> I found that I did not have to remove the verify line, but instead needed to remove or replace the single-quotation marks.
+1
Thanks DreamCypher!
Created an account just to add another voice here confirming this is indeed the issue.
This same error occurs on Azure VPN gateway with OpenVPN when these marks are present in the .ovpn file.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Sun Jan 10, 2016 1:16 am
Re: Error message: Peer certificate verification failure
I'm seeing the same error when I try to connect to my openvpn server. I'm currently seeing this exact error on a MacBookAir (OS 10.15.7), but am unable to connect to the server from my Android phone using the OpenVPN client for Android, nor on my Windows 10 laptop using the Windows OpenVpn client NOR my Kubuntu Linux laptop using its Openvpn. Until a few weeks ago, all of these systems were able to connect successfully to my openvpn server, which is running on an Asus RT-N66U router with FreshTomato Firmware 2022.2 MIPSR2 K26 USB AIO-64K. Version of Openvpn server used here is unknown.
All I see in the openvpn server log is the following:
```
Sep 24 12:29:33 svnetgw daemon.notice openvpn-server1[27811]: TCP connection established with [AF_INET6]::ffff:XX.XX.XX.XX:51902
Sep 24 12:29:33 svnetgw daemon.notice openvpn-server1[27811]: XX.XX.XX.XX:51902 TLS: Initial packet from [AF_INET6]::ffff:XX.XX.XX.XX:51902, sid=6ca4fb7c ba13392e
Sep 24 12:29:33 svnetgw daemon.err openvpn-server1[27811]: XX.XX.XX.XX:51902 Connection reset, restarting [0]
Sep 24 12:29:33 svnetgw daemon.notice openvpn-server1[27811]: XX.XX.XX.XX:51902 SIGUSR1[soft,connection-reset] received, client-instance restarting
```
Help!!