Hi,
I created a certificate on my OPNsense firewall for VPN connections. It contained a .ovpn, .p12 and a .key file. With these files I get a VPN connection on my Linux distribution. I would like to use OpenConnect v3 on my Windows 10 too, but I get errors.
The first error message was that CA is not defined. I exported an extra CA file from my server. Then I added a line to my config file (ca my_ca_file.crt). OK, this seems to be fine; after this modification I get the error mentioned in the subject: external certificate signing failed. Somebody could resolve this problem by putting the ca line in the middle of the config body, but it doesn't work for me.
This is my config file:
cipher AES-256-CBC
auth SHA512
client
resolv-retry infinite
remote my_server_ip 1194 udp
lport 0
verify-x509-name "C=DE, ST=NRW, L=my_city, O=Administration, emailAddress=my_email_address, CN=internal-server-crt" subject
remote-cert-tls server
comp-lzo no
ca my_ca_file.crt
pkcs12 OpenVPN_Server_Level5_tbarth_28.p12
tls-auth OpenVPN_Server_Level5_tbarth_28-tls.key 1
Is there still something wrong here?
External certificate signing failed
-
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Dec 05, 2022 1:43 pm
Re: External certificate signing failed
More detailed info on the error event:
data too small for key size? What the h...?
[Dec 5, 2022, 20:50:13] EVENT: EPKI_ERROR External Certificate Signing Failed
[Dec 5, 2022, 20:50:13] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:0406B07A:rsa routines:RSA_padding_add_none:data too small for key size / error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
[Dec 5, 2022, 20:50:13] EVENT: DISCONNECTED
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: External certificate signing failed
Moved to the appropriate section, as I believe you meant "OpenVPN Connect v3" and not "OpenConnectv3".
-
- OpenVpn Newbie
- Posts: 1
- Joined: Sun Jul 30, 2023 12:06 pm
Re: External certificate signing failed
I have just come across this issue and can answer.
Rather than export as an "Archive", which uses pkcs12 encryption, export as a "File", which uses a high level of encryption and then imports just fine without having to do a separate certificate add as well.
If a developer sees this: V3.4 just dies with a pkcs12; perhaps some trapping of such use may be helpful. It has taken me many hours and the use of multiple clients to work out what was wrong!
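The workaround in the last reply amounts to a profile that carries its certificates itself instead of pointing at a .p12, and such a profile can also be built from the files already exported. This is an added example, not code from the thread or from OpenVPN: it assumes `openssl` is installed and that the "File" export is a profile with OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks; the function name `p12_to_inline` and the `P12_PASS` variable are made up here.

```shell
#!/bin/sh
# Usage: P12_PASS=... p12_to_inline PROFILE.ovpn BUNDLE.p12 OUT.ovpn
# The PKCS#12 password is taken from the environment (assumed name P12_PASS)
# so it does not show up in the process list.
p12_to_inline() {
    profile=$1 p12=$2 out=$3
    P12_PASS=${P12_PASS-}; export P12_PASS
    (
        umask 077                      # OUT will hold an unencrypted private key
        tmp=$(mktemp -d) || exit 1
        trap 'rm -rf "$tmp"' EXIT
        # Split the bundle into CA chain, client certificate and private key.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -cacerts -out "$tmp/ca.pem" &&
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts -out "$tmp/cert.pem" &&
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes  -out "$tmp/key.pem" ||
            exit 1
        # openssl also writes "Bag Attributes" text; keep only the PEM blocks.
        pem() { sed -n '/-----BEGIN /,/-----END /p' "$1"; }
        {
            if [ -n "$(pem "$tmp/ca.pem")" ]; then
                # Bundle has the CA: drop both file references, inline the CA.
                sed -E '/^[[:space:]]*(pkcs12|ca)[[:space:]]/d' "$profile"
                printf '<ca>\n'; pem "$tmp/ca.pem"; printf '</ca>\n'
            else
                # No CA in the bundle: keep the profile's own "ca" line.
                sed -E '/^[[:space:]]*pkcs12[[:space:]]/d' "$profile"
            fi
            printf '<cert>\n'; pem "$tmp/cert.pem"; printf '</cert>\n'
            printf '<key>\n';  pem "$tmp/key.pem";  printf '</key>\n'
        } > "$out"
    )
}
```

The `tls-auth` line is left untouched and still refers to its key file. On OpenSSL 3, a bundle encrypted with older algorithms may need `-legacy` added to the three `openssl pkcs12` calls.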