EPKI_ERROR External Certificate Signing Failed

Scripts to manage certificates or generate config files


ak75
OpenVpn Newbie
Posts: 1
Joined: Thu Jul 29, 2021 8:13 am

EPKI_ERROR External Certificate Signing Failed

Post by ak75 » Thu Jul 29, 2021 8:33 am

Hi all!

I've got a working OpenVPN server.
Linux clients are working fine,
but Windows clients don't.


OpenVPN 2.5.2 i586-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
server config

port 1194
proto udp
dev tun
ca /etc/openvpn/openvpn_certs/vpnservercert-ca.pem
cert /etc/openvpn/openvpn_certs/vpnservercert-cert.pem
key /etc/openvpn/openvpn_certs/vpnservercert-key.pem
dh /etc/openvpn/openvpn_certs/dh1024.pem
cipher AES-256-CBC
data-ciphers-fallback AES-256-CBC
topology subnet
server xxxxxxxx 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route xxxxxxx 255.255.255.0"
push "dhcp-option DNS xxxxxxxxx"
push "dhcp-option DOMAIN xxxxxxx"
client-to-client
keepalive 10 120
allow-compression no
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3


server logfile


2021-07-29 11:08:43 us=470939 Current Parameter Settings:
2021-07-29 11:08:43 us=474397   config = '/etc/openvpn/openvpn.conf'
2021-07-29 11:08:43 us=474905   mode = 1
2021-07-29 11:08:43 us=475730   persist_config = DISABLED
2021-07-29 11:08:43 us=476060   persist_mode = 1
2021-07-29 11:08:43 us=476649   show_ciphers = DISABLED
2021-07-29 11:08:43 us=476977   show_digests = DISABLED
2021-07-29 11:08:43 us=479908   show_engines = DISABLED
2021-07-29 11:08:43 us=480707   genkey = DISABLED
2021-07-29 11:08:43 us=481203   genkey_filename = '[UNDEF]'
2021-07-29 11:08:43 us=482225   key_pass_file = '[UNDEF]'
2021-07-29 11:08:43 us=483644   show_tls_ciphers = DISABLED
2021-07-29 11:08:43 us=484605   connect_retry_max = 0
2021-07-29 11:08:43 us=487524 Connection profiles [0]:
2021-07-29 11:08:43 us=494233   proto = udp
2021-07-29 11:08:43 us=497475   local = '[UNDEF]'
2021-07-29 11:08:43 us=497705   local_port = '1194'
2021-07-29 11:08:43 us=498016   remote = '[UNDEF]'
2021-07-29 11:08:43 us=498188   remote_port = '1194'
2021-07-29 11:08:43 us=498335   remote_float = DISABLED
2021-07-29 11:08:43 us=498473   bind_defined = DISABLED
2021-07-29 11:08:43 us=498608   bind_local = ENABLED
2021-07-29 11:08:43 us=498919   bind_ipv6_only = DISABLED
2021-07-29 11:08:43 us=499087   connect_retry_seconds = 5
2021-07-29 11:08:43 us=499227   connect_timeout = 120
2021-07-29 11:08:43 us=499370   socks_proxy_server = '[UNDEF]'
2021-07-29 11:08:43 us=499506   socks_proxy_port = '[UNDEF]'
2021-07-29 11:08:43 us=499980   tun_mtu = 1500
2021-07-29 11:08:43 us=500287   tun_mtu_defined = ENABLED
2021-07-29 11:08:43 us=500443   link_mtu = 1500
2021-07-29 11:08:43 us=500580   link_mtu_defined = DISABLED
2021-07-29 11:08:43 us=500714   tun_mtu_extra = 0
2021-07-29 11:08:43 us=500848   tun_mtu_extra_defined = DISABLED
2021-07-29 11:08:43 us=500991   mtu_discover_type = -1
2021-07-29 11:08:43 us=501126   fragment = 0
2021-07-29 11:08:43 us=501259   mssfix = 1450
2021-07-29 11:08:43 us=501396   explicit_exit_notification = 0
2021-07-29 11:08:43 us=501528   tls_auth_file = '[UNDEF]'
2021-07-29 11:08:43 us=501664   key_direction = not set
2021-07-29 11:08:43 us=501796   tls_crypt_file = '[UNDEF]'
2021-07-29 11:08:43 us=501926   tls_crypt_v2_file = '[UNDEF]'
2021-07-29 11:08:43 us=502061 Connection profiles END
2021-07-29 11:08:43 us=502192   remote_random = DISABLED
2021-07-29 11:08:43 us=502326   ipchange = '[UNDEF]'
2021-07-29 11:08:43 us=502455   dev = 'tun'
2021-07-29 11:08:43 us=502583   dev_type = '[UNDEF]'
2021-07-29 11:08:43 us=502727   dev_node = '[UNDEF]'
2021-07-29 11:08:43 us=502962   lladdr = '[UNDEF]'
2021-07-29 11:08:43 us=503124   topology = 3
2021-07-29 11:08:43 us=503263   ifconfig_local = 'xxxxxxxx'
2021-07-29 11:08:43 us=503401   ifconfig_remote_netmask = '255.255.255.0'
2021-07-29 11:08:43 us=503536   ifconfig_noexec = DISABLED
2021-07-29 11:08:43 us=503668   ifconfig_nowarn = DISABLED
2021-07-29 11:08:43 us=503799   ifconfig_ipv6_local = '[UNDEF]'
2021-07-29 11:08:43 us=503930   ifconfig_ipv6_netbits = 0
2021-07-29 11:08:43 us=504061   ifconfig_ipv6_remote = '[UNDEF]'
2021-07-29 11:08:43 us=504192   shaper = 0
2021-07-29 11:08:43 us=504322   mtu_test = 0
2021-07-29 11:08:43 us=504451   mlock = DISABLED
2021-07-29 11:08:43 us=504582   keepalive_ping = 10
2021-07-29 11:08:43 us=504712   keepalive_timeout = 120
2021-07-29 11:08:43 us=504845   inactivity_timeout = 0
2021-07-29 11:08:43 us=504977   ping_send_timeout = 10
2021-07-29 11:08:43 us=505116   ping_rec_timeout = 240
2021-07-29 11:08:43 us=505248   ping_rec_timeout_action = 2
2021-07-29 11:08:43 us=505400   ping_timer_remote = DISABLED
2021-07-29 11:08:43 us=505538   remap_sigusr1 = 0
2021-07-29 11:08:43 us=505670   persist_tun = ENABLED
2021-07-29 11:08:43 us=505800   persist_local_ip = DISABLED
2021-07-29 11:08:43 us=505931   persist_remote_ip = DISABLED
2021-07-29 11:08:43 us=506062   persist_key = ENABLED
2021-07-29 11:08:43 us=506275   passtos = DISABLED
2021-07-29 11:08:43 us=506430   resolve_retry_seconds = 1000000000
2021-07-29 11:08:43 us=506565   resolve_in_advance = DISABLED
2021-07-29 11:08:43 us=506838   username = 'nobody'
2021-07-29 11:08:43 us=506995   groupname = 'nobody'
2021-07-29 11:08:43 us=507135   chroot_dir = '[UNDEF]'
2021-07-29 11:08:43 us=507270   cd_dir = '[UNDEF]'
2021-07-29 11:08:43 us=507403   writepid = '/run/openvpn.pid'
2021-07-29 11:08:43 us=507539   up_script = '[UNDEF]'
2021-07-29 11:08:43 us=507672   down_script = '[UNDEF]'
2021-07-29 11:08:43 us=507804   down_pre = DISABLED
2021-07-29 11:08:43 us=507934   up_restart = DISABLED
2021-07-29 11:08:43 us=508065   up_delay = DISABLED
2021-07-29 11:08:43 us=508192   daemon = ENABLED
2021-07-29 11:08:43 us=508322   inetd = 0
2021-07-29 11:08:43 us=508452   log = ENABLED
2021-07-29 11:08:43 us=508583   suppress_timestamps = DISABLED
2021-07-29 11:08:43 us=508714   machine_readable_output = DISABLED
2021-07-29 11:08:43 us=508843   nice = 0
2021-07-29 11:08:43 us=508974   verbosity = 4
2021-07-29 11:08:43 us=509103   mute = 0
2021-07-29 11:08:43 us=509295   gremlin = 0
2021-07-29 11:08:43 us=509449   status_file = '/var/log/openvpn-status.log'
2021-07-29 11:08:43 us=509700   status_file_version = 1
2021-07-29 11:08:43 us=509856   status_file_update_freq = 60
2021-07-29 11:08:43 us=509995   occ = ENABLED
2021-07-29 11:08:43 us=510133   rcvbuf = 0
2021-07-29 11:08:43 us=510272   sndbuf = 0
2021-07-29 11:08:43 us=510348   mark = 0
2021-07-29 11:08:43 us=510431   sockflags = 0
2021-07-29 11:08:43 us=510512   fast_io = DISABLED
2021-07-29 11:08:43 us=510582   comp.alg = 0
2021-07-29 11:08:43 us=510653   comp.flags = 24
2021-07-29 11:08:43 us=510723   route_script = '[UNDEF]'
2021-07-29 11:08:43 us=510794   route_default_gateway = 'xxxxxxxxx'
2021-07-29 11:08:43 us=510864   route_default_metric = 0
2021-07-29 11:08:43 us=510934   route_noexec = DISABLED
2021-07-29 11:08:43 us=511004   route_delay = 0
2021-07-29 11:08:43 us=511073   route_delay_window = 30
2021-07-29 11:08:43 us=511143   route_delay_defined = DISABLED
2021-07-29 11:08:43 us=511423   route_nopull = DISABLED
2021-07-29 11:08:43 us=511651   route_gateway_via_dhcp = DISABLED
2021-07-29 11:08:43 us=511743   allow_pull_fqdn = DISABLED
2021-07-29 11:08:43 us=512383   management_addr = '[UNDEF]'
2021-07-29 11:08:43 us=512483   management_port = '[UNDEF]'
2021-07-29 11:08:43 us=512550   management_user_pass = '[UNDEF]'
2021-07-29 11:08:43 us=512615   management_log_history_cache = 250
2021-07-29 11:08:43 us=512678   management_echo_buffer_size = 100
2021-07-29 11:08:43 us=512741   management_write_peer_info_file = '[UNDEF]'
2021-07-29 11:08:43 us=512805   management_client_user = '[UNDEF]'
2021-07-29 11:08:43 us=512994   management_client_group = '[UNDEF]'
2021-07-29 11:08:43 us=513078   management_flags = 0
2021-07-29 11:08:43 us=513146   shared_secret_file = '[UNDEF]'
2021-07-29 11:08:43 us=513214   key_direction = not set
2021-07-29 11:08:43 us=513277   ciphername = 'AES-256-CBC'
2021-07-29 11:08:43 us=513340   ncp_enabled = ENABLED
2021-07-29 11:08:43 us=513402   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
2021-07-29 11:08:43 us=513464   authname = 'SHA1'
2021-07-29 11:08:43 us=513526   prng_hash = 'SHA1'
2021-07-29 11:08:43 us=513588   prng_nonce_secret_len = 16
2021-07-29 11:08:43 us=513650   keysize = 0
2021-07-29 11:08:43 us=513711   engine = DISABLED
2021-07-29 11:08:43 us=513773   replay = ENABLED
2021-07-29 11:08:43 us=513835   mute_replay_warnings = DISABLED
2021-07-29 11:08:43 us=513896   replay_window = 64
2021-07-29 11:08:43 us=513956   replay_time = 15
2021-07-29 11:08:43 us=514019   packet_id_file = '[UNDEF]'
2021-07-29 11:08:43 us=514082   test_crypto = DISABLED
2021-07-29 11:08:43 us=514143   tls_server = ENABLED
2021-07-29 11:08:43 us=514206   tls_client = DISABLED
2021-07-29 11:08:43 us=514270   ca_file = '/etc/openvpn/openvpn_certs/vpnservercert-ca.pem'
2021-07-29 11:08:43 us=514335   ca_path = '[UNDEF]'
2021-07-29 11:08:43 us=514398   dh_file = '/etc/openvpn/openvpn_certs/dh1024.pem'
2021-07-29 11:08:43 us=514462   cert_file = '/etc/openvpn/openvpn_certs/vpnservercert-cert.pem'
2021-07-29 11:08:43 us=514526   extra_certs_file = '[UNDEF]'
2021-07-29 11:08:43 us=514594   priv_key_file = '/etc/openvpn/openvpn_certs/vpnservercert-key.pem'
2021-07-29 11:08:43 us=514767   pkcs12_file = '[UNDEF]'
2021-07-29 11:08:43 us=514844   cipher_list = '[UNDEF]'
2021-07-29 11:08:43 us=514911   cipher_list_tls13 = '[UNDEF]'
2021-07-29 11:08:43 us=515140   tls_cert_profile = '[UNDEF]'
2021-07-29 11:08:43 us=515224   tls_verify = '[UNDEF]'
2021-07-29 11:08:43 us=515291   tls_export_cert = '[UNDEF]'
2021-07-29 11:08:43 us=515359   verify_x509_type = 0
2021-07-29 11:08:43 us=515425   verify_x509_name = '[UNDEF]'
2021-07-29 11:08:43 us=515491   crl_file = '[UNDEF]'
2021-07-29 11:08:43 us=515557   ns_cert_type = 0
2021-07-29 11:08:43 us=515623   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=515688   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=515751   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=515814   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=515877   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=515948   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516012   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516074   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516136   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516301   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516380   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516446   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516509   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516572   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=516928   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=517158   remote_cert_ku[i] = 0
2021-07-29 11:08:43 us=517239   remote_cert_eku = '[UNDEF]'
2021-07-29 11:08:43 us=517307   ssl_flags = 0
2021-07-29 11:08:43 us=517374   tls_timeout = 2
2021-07-29 11:08:43 us=517448   renegotiate_bytes = -1
2021-07-29 11:08:43 us=517514   renegotiate_packets = 0
2021-07-29 11:08:43 us=517578   renegotiate_seconds = 3600
2021-07-29 11:08:43 us=517642   handshake_window = 60
2021-07-29 11:08:43 us=517706   transition_window = 3600
2021-07-29 11:08:43 us=517769   single_session = DISABLED
2021-07-29 11:08:43 us=517834   push_peer_info = DISABLED
2021-07-29 11:08:43 us=517896   tls_exit = DISABLED
2021-07-29 11:08:43 us=517959   tls_crypt_v2_metadata = '[UNDEF]'
2021-07-29 11:08:43 us=518063   server_network = xxxxxxxxx
2021-07-29 11:08:43 us=518151   server_netmask = 255.255.255.0
2021-07-29 11:08:43 us=518269   server_network_ipv6 = ::
2021-07-29 11:08:43 us=518341   server_netbits_ipv6 = 0
2021-07-29 11:08:43 us=518425   server_bridge_ip = 0.0.0.0
2021-07-29 11:08:43 us=518510   server_bridge_netmask = 0.0.0.0
2021-07-29 11:08:43 us=518597   server_bridge_pool_start = 0.0.0.0
2021-07-29 11:08:43 us=518683   server_bridge_pool_end = 0.0.0.0
2021-07-29 11:08:43 us=518749   push_entry = 'route xxxxxxxx 255.255.255.0'
2021-07-29 11:08:43 us=518813   push_entry = 'dhcp-option DNS xxxxxxxxxx'
2021-07-29 11:08:43 us=518874   push_entry = 'dhcp-option DOMAIN xxxxxx'
2021-07-29 11:08:43 us=518936   push_entry = 'route-gateway xxxxxxx'
2021-07-29 11:08:43 us=518997   push_entry = 'topology subnet'
2021-07-29 11:08:43 us=519058   push_entry = 'ping 10'
2021-07-29 11:08:43 us=519122   push_entry = 'ping-restart 120'
2021-07-29 11:08:43 us=519184   ifconfig_pool_defined = ENABLED
2021-07-29 11:08:43 us=519267   ifconfig_pool_start = xxxxxx
2021-07-29 11:08:43 us=519622   ifconfig_pool_end = xxxxxx
2021-07-29 11:08:43 us=520042   ifconfig_pool_netmask = 255.255.255.0
2021-07-29 11:08:43 us=520135   ifconfig_pool_persist_filename = 'ipp.txt'
2021-07-29 11:08:43 us=520203   ifconfig_pool_persist_refresh_freq = 600
2021-07-29 11:08:43 us=520267   ifconfig_ipv6_pool_defined = DISABLED
2021-07-29 11:08:43 us=520586   ifconfig_ipv6_pool_base = ::
2021-07-29 11:08:43 us=520668   ifconfig_ipv6_pool_netbits = 0
2021-07-29 11:08:43 us=520733   n_bcast_buf = 256
2021-07-29 11:08:43 us=520797   tcp_queue_limit = 64
2021-07-29 11:08:43 us=520862   real_hash_size = 256
2021-07-29 11:08:43 us=520925   virtual_hash_size = 256
2021-07-29 11:08:43 us=520987   client_connect_script = '[UNDEF]'
2021-07-29 11:08:43 us=521055   learn_address_script = '[UNDEF]'
2021-07-29 11:08:43 us=521220   client_disconnect_script = '[UNDEF]'
2021-07-29 11:08:43 us=521294   client_config_dir = '[UNDEF]'
2021-07-29 11:08:43 us=521366   ccd_exclusive = DISABLED
2021-07-29 11:08:43 us=521431   tmp_dir = '/tmp'
2021-07-29 11:08:43 us=521495   push_ifconfig_defined = DISABLED
2021-07-29 11:08:43 us=521718   push_ifconfig_local = 0.0.0.0
2021-07-29 11:08:43 us=523253   push_ifconfig_remote_netmask = 0.0.0.0
2021-07-29 11:08:43 us=523362   push_ifconfig_ipv6_defined = DISABLED
2021-07-29 11:08:43 us=523483   push_ifconfig_ipv6_local = ::/0
2021-07-29 11:08:43 us=523583   push_ifconfig_ipv6_remote = ::
2021-07-29 11:08:43 us=523651   enable_c2c = ENABLED
2021-07-29 11:08:43 us=523716   duplicate_cn = DISABLED
2021-07-29 11:08:43 us=523778   cf_max = 0
2021-07-29 11:08:43 us=523839   cf_per = 0
2021-07-29 11:08:43 us=523899   max_clients = 1024
2021-07-29 11:08:43 us=523962   max_routes_per_client = 256
2021-07-29 11:08:43 us=524026   auth_user_pass_verify_script = '[UNDEF]'
2021-07-29 11:08:43 us=524088   auth_user_pass_verify_script_via_file = DISABLED
2021-07-29 11:08:43 us=524152   auth_token_generate = DISABLED
2021-07-29 11:08:43 us=524214   auth_token_lifetime = 0
2021-07-29 11:08:43 us=524277   auth_token_secret_file = '[UNDEF]'
2021-07-29 11:08:43 us=524339   port_share_host = '[UNDEF]'
2021-07-29 11:08:43 us=524402   port_share_port = '[UNDEF]'
2021-07-29 11:08:43 us=524464   vlan_tagging = DISABLED
2021-07-29 11:08:43 us=524527   vlan_accept = all
2021-07-29 11:08:43 us=524588   vlan_pvid = 1
2021-07-29 11:08:43 us=524651   client = DISABLED
2021-07-29 11:08:43 us=524711   pull = DISABLED
2021-07-29 11:08:43 us=524774   auth_user_pass_file = '[UNDEF]'
2021-07-29 11:08:43 us=524866 OpenVPN 2.5.2 i586-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May  4 2021
2021-07-29 11:08:43 us=525003 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
2021-07-29 11:08:43 us=689443 Diffie-Hellman initialized with 1024 bit key
2021-07-29 11:08:43 us=968718 TLS-Auth MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2021-07-29 11:08:43 us=993980 TUN/TAP device tun0 opened
2021-07-29 11:08:43 us=994202 do_ifconfig, ipv4=1, ipv6=0
2021-07-29 11:08:43 us=995040 /sbin/ip link set dev tun0 up mtu 1500
2021-07-29 11:08:44 us=54202 /sbin/ip link set dev tun0 up
2021-07-29 11:08:44 us=91575 /sbin/ip addr add dev tun0 xxxxxxxxx/24
2021-07-29 11:08:44 us=148311 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-07-29 11:08:44 us=148996 Could not determine IPv4/IPv6 protocol. Using AF_INET
2021-07-29 11:08:44 us=149344 Socket Buffers: R=[180224->180224] S=[180224->180224]
2021-07-29 11:08:44 us=155963 UDPv4 link local (bound): [AF_INET][undef]:1194
2021-07-29 11:08:44 us=156159 UDPv4 link remote: [AF_UNSPEC]
2021-07-29 11:08:44 us=160612 GID set to nobody
2021-07-29 11:08:44 us=161158 UID set to nobody
2021-07-29 11:08:44 us=161489 MULTI: multi_init called, r=256 v=256
2021-07-29 11:08:44 us=167316 IFCONFIG POOL IPv4: base=xxxxxxxx size=252
2021-07-29 11:08:44 us=174620 ifconfig_pool_read(), in='ak75,xxxxxxxx,'
2021-07-29 11:08:44 us=176504 succeeded -> ifconfig_pool_set(hand=2)
2021-07-29 11:08:44 us=176716 IFCONFIG POOL LIST
2021-07-29 11:08:44 us=176823 ak75,xxxxxxxxx,
2021-07-29 11:08:44 us=178185 Initialization Sequence Completed
2021-07-29 11:12:56 us=548725 MULTI: multi_create_instance called
2021-07-29 11:12:56 us=550538 xxxxxx:60012 Re-using SSL/TLS context
2021-07-29 11:12:56 us=558182 xxxxxx:60012 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
2021-07-29 11:12:56 us=558537 xxxxxx:60012 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
2021-07-29 11:12:56 us=561981 xxxxxx:60012 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 256,key-method 2,tls-server'
2021-07-29 11:12:56 us=562131 xxxxxx:60012 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,auth SHA1,keysize 256,key-method 2,tls-client'
2021-07-29 11:12:56 us=563580 xxxxxx:60012 TLS: Initial packet from [AF_INET]xxxxxx:60012, sid=cda42891 d644ead0
2021-07-29 11:13:56 us=764956 xxxxxx:60012 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2021-07-29 11:13:56 us=765234 xxxxxx:60012 TLS Error: TLS handshake failed
2021-07-29 11:13:56 us=770135xxxxxx:60012 SIGUSR1[soft,tls-error] received, client-instance restarting


client logfile


[Jul 29, 2021, 11:12:57] OpenVPN core 3.git::98bf7f7f win x86_64 64-bit built on Jun 14 2021 09:02:16
[Jul 29, 2021, 11:12:57] Frame=512/2048/512 mssfix-ctrl=1250
[Jul 29, 2021, 11:12:57] UNUSED OPTIONS
7 [verb] [4]
[Jul 29, 2021, 11:12:57] EVENT: RESOLVE
[Jul 29, 2021, 11:12:57] Contacting xxxxxx:1194 via UDP
[Jul 29, 2021, 11:12:57] EVENT: WAIT
[Jul 29, 2021, 11:12:57] WinCommandAgent: transmitting bypass route to xxxxxx
{
	"host" : "xxxxxx",
	"ipv6" : false
}

[Jul 29, 2021, 11:12:57] Connecting to [xxxxxx]:1194 (xxxxxx) via UDPv4
[Jul 29, 2021, 11:12:57] EVENT: CONNECTING
[Jul 29, 2021, 11:12:57] Tunnel Options:V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
[Jul 29, 2021, 11:12:57] Creds: UsernameEmpty/PasswordEmpty
[Jul 29, 2021, 11:12:57] Peer Info:
IV_VER=3.git::98bf7f7f
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-256-CBC
IV_AUTO_SESS=1
IV_GUI_VER=OCWindows_3.3.1-2222
IV_SSO=openurl,crtext

[Jul 29, 2021, 11:12:58] EVENT: EPKI_ERROR External Certificate Signing Failed
[Jul 29, 2021, 11:12:58] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:0406B07A:rsa routines:RSA_padding_add_none:data too small for key size / error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
[Jul 29, 2021, 11:12:58] EVENT: DISCONNECTED
client config

client
remote xxxxxxxx
port 1194
proto udp
dev tun
cipher AES-256-CBC
keepalive 10 120
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
</ca>


What's wrong with my configuration?
Any hints are welcome!
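An added check, written for this thread and not code from the forum or from OpenVPN, that lints a client profile for what the posted one lacks: it separates inline <tag> blocks from plain directives, reports a profile that carries a CA but no client certificate/key (no <cert>/<key>, pkcs12, cryptoapicert or management-external-key), flags an inline key whose PEM header is not RSA (the key type the "expecting an rsa key" error quoted later in the thread refers to), and notes cipher without data-ciphers, which OpenVPN 2.5 warns about. The two sample profiles and the hostname vpn.example.invalid are constructed; the first mirrors the posted client config with the certificate body replaced.

```python
import re
# Directives that supply a client identity without inline <cert>/<key>.
# Lint assumption: only the profile text is inspected, not the files it points at.
FILE_IDENTITY = {"pkcs12", "cryptoapicert", "management-external-key"}
INLINE_TAG = re.compile(r"<(ca|cert|key|pkcs12|tls-auth|tls-crypt)>(.*?)</\1>", re.S)
PEM_KEY = re.compile(r"-----BEGIN (?:(RSA|EC|ENCRYPTED) )?PRIVATE KEY-----")

def parse_profile(text):
    """Split an .ovpn profile into plain directives and inline <tag> blocks."""
    inline = {tag: body.strip() for tag, body in INLINE_TAG.findall(text)}
    directives = {}
    for line in INLINE_TAG.sub("", text).splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, _, rest = line.partition(" ")
            directives[name] = rest.strip()
    return directives, inline

def key_type(pem):
    """Classify an inline private key from its PEM header alone (no decoding)."""
    m = PEM_KEY.search(pem)
    names = {"RSA": "rsa", "EC": "ec", "ENCRYPTED": "encrypted"}
    return names.get(m.group(1), "pkcs8") if m else "not-a-pem-key"

def lint_client_identity(text):
    """Report identity problems in a client profile before it reaches a client."""
    directives, inline = parse_profile(text)
    findings = []
    if "ca" not in inline and "ca" not in directives:
        findings.append("no CA: neither a <ca> block nor a ca directive")
    inline_pair = "cert" in inline and "key" in inline
    file_pair = "cert" in directives and "key" in directives
    other = bool(FILE_IDENTITY.intersection(directives)) or "pkcs12" in inline
    if not (inline_pair or file_pair or other):
        # The posted profile carries only <ca>: nothing in it identifies the client.
        findings.append("no client identity: no <cert>/<key>, pkcs12, "
                        "cryptoapicert or management-external-key")
    elif ("cert" in inline) != ("key" in inline):
        findings.append("inline <cert> and <key> must come as a pair")
    if "key" in inline and key_type(inline["key"]) != "rsa":
        # OpenSSL reports "expecting an rsa key" when an RSA-only path gets another type.
        findings.append(f"inline key header is {key_type(inline['key'])}; RSA expected")
    if "cipher" in directives and "data-ciphers" not in directives:
        findings.append("cipher without data-ciphers is deprecated in OpenVPN 2.5")
    return findings

# Constructed sample modelled on the posted client profile: CA only, body replaced.
POSTED_PROFILE = """client
remote vpn.example.invalid
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
</ca>
"""

# Constructed profile that adds a full inline identity with an RSA key header.
COMPLETE_PROFILE = POSTED_PROFILE + """data-ciphers AES-256-GCM:AES-256-CBC
<cert>
-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
xxxxxxx
-----END RSA PRIVATE KEY-----
</key>
"""
```

Running lint_client_identity(POSTED_PROFILE) yields the missing-identity and cipher findings, while COMPLETE_PROFILE yields none.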

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: EPKI_ERROR External Certificate Signing Failed

Post by TinCanTech » Thu Jul 29, 2021 1:44 pm

How did you set up your server, and how did you transfer the files to Windows?

It sounds like the files got corrupted by copying them.

EvilNate
OpenVpn Newbie
Posts: 1
Joined: Mon Oct 11, 2021 6:51 pm

Re: EPKI_ERROR External Certificate Signing Failed

Post by EvilNate » Mon Oct 11, 2021 6:58 pm

Just wondering if you ever fixed this issue. I am having the same problem on Windows 10 with the OpenVPN Connect client version 3.3.2.2475. I am running the OpenVPN server that is packaged with OPNsense and used the export client menu to export the cert, key, and ovpn file. I have also tried the same ovpn profile in another Windows-based client (Viscosity) and I am able to connect to the VPN server successfully.

kollaesch
OpenVpn Newbie
Posts: 1
Joined: Thu Sep 13, 2018 7:40 pm

Re: EPKI_ERROR External Certificate Signing Failed

Post by kollaesch » Thu Nov 25, 2021 2:46 pm

Hello there,
I got the same issue but also present some of my findings.

My tests were done on Win10 with "OpenVPN GUI v11.25" and "OpenVPN Connect 3.3.2 (2475)".
The config with the p12 file (referenced in the config) is working with the GUI (even without the CA in the config file).
However, "OpenVPN Connect" can't handle the config (with inline CA).
It errors out with the "Certificate Signing Failed" notification. The log actually also says:


Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: 
error:0607907F:digital envelope routines:EVP_PKEY_get0_RSA:expecting an rsa key / 
error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib

"expecting an rsa key" appears to be a real issue! I got the same problem on iOS. However, the key and cert data inline works.
To me this seems like a generic bug!

I wonder if this has to do with:
"Print ec bit details, refuse management-external-key if key is not RSA" from https://community.openvpn.net/openvpn/w ... enVPN2.4.4

OpenVPN GUI runs on openvpn-2.5.4 (so it's newer than 2.4.4 -- Changelog)
OpenVPN Connect runs on openvpn3

So this seems to go far deeper than I hoped. I have to open an issue on GitHub, apparently.

Any other thoughts on that are greatly appreciated.

kollaesch

tbarth
OpenVpn Newbie
Posts: 3
Joined: Mon Dec 05, 2022 1:43 pm

Re: EPKI_ERROR External Certificate Signing Failed

Post by tbarth » Tue Dec 06, 2022 8:49 am

Hello kollaesch,

I have the exact same problem! It's been over a year now and still no solution. Why use OpenVPN Connect? Well, Win 10 on my PC refuses to install OpenVPN GUI, whereas Win 11 on my laptop accepts OpenVPN GUI. A VPN connection with the GUI is still possible; I just get a deprecation warning for the cipher option.

Dorian
OpenVpn Newbie
Posts: 6
Joined: Sat Jan 07, 2023 9:53 am

Re: EPKI_ERROR External Certificate Signing Failed

Post by Dorian » Fri Feb 24, 2023 5:36 pm

Still the same error as of today. Does anyone have a solution?
