Some clients cannot connect after server certificate change

Post by radokristof » Fri Oct 28, 2022 8:19 am

Hi all!

Today my OpenVPN server certificate expired. Only the certificate expired, not the CA!
I have generated a new certificate using EasyRSA, changed the cert and key parameters in the server.conf file and my clients started to come back up (these are Mikrotik routers).

However, my Linux OpenVPN clients (using openvpn in client mode) and also Windows OpenVPN clients can't connect anymore.

The error is:

Fri Oct 28 10:18:29 2022 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=marinero-server
Fri Oct 28 10:18:29 2022 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Oct 28 10:18:29 2022 TLS_ERROR: BIO read tls_read_plaintext error
Fri Oct 28 10:18:29 2022 TLS Error: TLS object -> incoming plaintext read error
Fri Oct 28 10:18:29 2022 TLS Error: TLS handshake failed
Fri Oct 28 10:18:29 2022 Fatal TLS error (check_tls_errors_co), restarting

The CN named marinero-server is the new server certificate generated by me.

Why can't they connect if only the server certificate changed, which is from the same CA, and other clients can connect without a problem?

Thanks for your help!

Re: Some clients cannot connect after server certificate change

Post by radokristof » Fri Oct 28, 2022 8:54 am

My bad, I generated the certificate as a client certificate instead of a server certificate...

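A way to catch this before deploying a renewed server certificate, as an added example that is not part of the thread: `openssl verify -purpose sslserver` applies the same purpose check that failed on the clients above. The throwaway CA, the `demo-*` names and the helper functions are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway PKI constructed for the demo, not the poster's files.

# Create a CA and two leaf certificates that differ only in extendedKeyUsage.
make_demo_pki() {
    dir=$1
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$dir/demo.cnf"
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=demo-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    for kind in server client; do
        # extendedKeyUsage is serverAuth for one leaf and clientAuth for the other
        printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%sAuth\n' "$kind" > "$dir/$kind.ext"
        openssl req -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=demo-$kind" -keyout "$dir/$kind.key" -out "$dir/$kind.csr" 2>/dev/null || return 1
        openssl x509 -req -in "$dir/$kind.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
            -CAcreateserial -days 1 -extfile "$dir/$kind.ext" -out "$dir/$kind.crt" 2>/dev/null || return 1
    done
}

# Print the Extended Key Usage value of a certificate with spaces removed.
show_eku() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | tr -d ' '
}

# Exit 0 only if the chain verifies and the leaf is acceptable as a TLS server
# certificate. Arguments: CA file, certificate file.
usable_as_server() {
    openssl verify -purpose sslserver -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    for kind in server client; do
        if usable_as_server "$d/ca.crt" "$d/$kind.crt"; then
            verdict=accepted
        else
            verdict=rejected
        fi
        echo "demo-$kind: EKU=$(show_eku "$d/$kind.crt") -> $verdict as server certificate"
    done
    rm -rf "$d"
}
demo
```

Both leaf certificates chain to the same CA, so the CA signature alone does not distinguish them. In EasyRSA 3 the certificate type is chosen by `build-server-full` versus `build-client-full`.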