IOS 12.1.1 Connection Error X509

mpatzwah
OpenVpn Newbie
Posts: 3
Joined: Wed Jan 23, 2019 5:18 pm

IOS 12.1.1 Connection Error X509

Post by mpatzwah » Wed Jan 23, 2019 5:43 pm

Hi,

I'm a VPN noob, so please be patient with me. After Googling for 1 hour without any solution, I'm here to ask for help please ....

I use OpenVPN from my Win PC to my company. Works great. Then I copied the config files to iOS 12.1.1 (iPad 11).

I have three VPN profiles (two to a Linux machine), one to a Win server.
The Linux connection works fine, but the Win connection makes trouble.
From my Win PC it's OK, but for iOS not, so I copied the certificates inline in the config file.

My .ovpn file:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-256-CBC:AES-256-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote xx.xx.xx.xx 1194 udp
verify-x509-name "pfsense-cert" name
auth-user-pass
pkcs12 pfSense-UDP4-1194-IPAD.ovpn12
tls-auth pfSense-UDP4-1194-tls.key 1
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIJALZArQiODpsHMA0GCSqGSIb3DQEBDQUAMBQxEjAQBgNV
...
xlDwBa08vlwB+V/gswYSrXQth/d0wdt5ol/TdBbf2x4PHs5cibIZekoAcCNvUPO/
0xRu
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIDRDCCAiygAwIBAgIQamJKMCyFw5n0Qs4TIJN36jANBgkqhkiG9w0BAQ0FADAU
...
ToeLccfZ5Ob7q9UekXi/xZYwGV5KY+BUrGguzyXcug2LTmsnz4rLqfOtabicDWTK
N5QetB7u5Lepes4ZQf8D0FzAgL/wmXWk
-----END CERTIFICATE-----
</cert>

The Error is: mbed TLS: SSL read error : X509 Certificate verification failed...

What can I do ?
Thanks!
Marco

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IOS 12.1.1 Connection Error X509

Post by TinCanTech » Wed Jan 23, 2019 5:48 pm

The first thing you can do is contact the Network Administrator at your company for assistance.

mpatzwah
OpenVpn Newbie
Posts: 3
Joined: Wed Jan 23, 2019 5:18 pm

Re: IOS 12.1.1 Connection Error X509

Post by mpatzwah » Wed Jan 23, 2019 5:56 pm

He is gone :-( and now I'm the new one :-)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IOS 12.1.1 Connection Error X509

Post by TinCanTech » Wed Jan 23, 2019 7:34 pm

viewtopic.php?f=30&t=22603

Please read the OpenVPN HOWTO.

mpatzwah
OpenVpn Newbie
Posts: 3
Joined: Wed Jan 23, 2019 5:18 pm

Re: IOS 12.1.1 Connection Error X509

Post by mpatzwah » Thu Jan 24, 2019 11:17 am

>>After Googling 1 Hour without any solution I'm here to ask for help please ....
Upd: And also reading the docs.

Is this the sense of a forum? RTFM? This is mostly right for all questions, or?

So please, anybody else any idea except TinCanTech?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: IOS 12.1.1 Connection Error X509

Post by TinCanTech » Thu Jan 24, 2019 2:34 pm

mpatzwah wrote:
Thu Jan 24, 2019 11:17 am
>>After Googling 1 Hour without any solution I'm here to ask for help please ....
Upd: And also Reading the Docs.

You did not read this carefully:
viewtopic.php?f=30&t=22603

Without the details requested any help we offer would be a guess at best.

mpatzwah wrote:
Thu Jan 24, 2019 11:17 am
Is this the sense of a Forum? RTFM ?

That is why we wrote them. Start with the HOWTO.

mpatzwah wrote:
Wed Jan 23, 2019 5:43 pm
The Error is: mbed TLS: SSL read error : X509 Certificate verification failed...

All I can say is that mbedTLS finds a certificate verification has failed ..

roger.hermes
OpenVpn Newbie
Posts: 6
Joined: Fri Jul 28, 2017 8:51 pm

Re: IOS 12.1.1 Connection Error X509

Post by roger.hermes » Mon Feb 11, 2019 1:52 pm

I had the same problem, and I was able to solve it. iOS can't understand the key of the client's certificate. You'll need to decrypt it with the OpenSSL tool.

Download and install both:
http://downloads.sourceforge.net/gnuwin ... -setup.exe
http://downloads.sourceforge.net/gnuwin ... -setup.exe

Get your .key file and put it in c:\cert\

Open CMD and run the command:

openssl rsa -in C:/cert/file.key -out C:/cert/file-DEC.key

Open the DEC file with Notepad and copy all of the content.

Paste it into the .ovpn file between the <key> </key> tags.

Hope this helps you.

bobdog
OpenVpn Newbie
Posts: 3
Joined: Mon Jul 15, 2019 1:51 am

Re: IOS 12.1.1 Connection Error X509

Post by bobdog » Mon Jul 15, 2019 6:38 am

roger.hermes wrote:
Mon Feb 11, 2019 1:52 pm
I had the same problem, and I was able to solve it. iOS can't understand the key of the client's certificate. You'll need to decrypt it with the OpenSSL tool.

Download and install both:
http://downloads.sourceforge.net/gnuwin ... -setup.exe
http://downloads.sourceforge.net/gnuwin ... -setup.exe

Get your .key file and put it in c:\cert\

Open CMD and run the command:

openssl rsa -in C:/cert/file.key -out C:/cert/file-DEC.key

Open the DEC file with Notepad and copy all of the content.

Paste it into the .ovpn file between the <key> </key> tags.

Hope this helps you.

I tried but it didn't work as well.

roger.hermes
OpenVpn Newbie
Posts: 6
Joined: Fri Jul 28, 2017 8:51 pm

Re: IOS 12.1.1 Connection Error X509

Post by roger.hermes » Mon Jul 22, 2019 6:22 pm

Did you have the same issue? I guess you have some problem with the .ovpn file.

This is my .ovpn file working with iOS 12.3.1 on an iPhone 6S:

client
dev tun
proto tcp-client
remote ddns1.myhost.com.br
port 4750
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
auth-user-pass
key-direction 1
verb 4
mute 10
cipher AES-256-CBC
auth SHA1
auth-nocache
reneg-sec 0
resolv-retry infinite
connect-timeout 86400

# CA certificate - CA.crt
<ca>
-----BEGIN CERTIFICATE-----
MIID1zCCAr+gAwIBAgIIfs1vJao/GVUwDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE
....
-----END CERTIFICATE-----

</ca>
# Client certificate signed by the CA - Client1.crt
<cert>
-----BEGIN CERTIFICATE-----
MIIDwjCCAqqgAwIBAgIIe6QXgKaYwQ4wDQYJKoZIhvcNAQELBQAwXzELMAkGA1UE
...
-----END CERTIFICATE-----

</cert>

# Key for certificate Client1.crt (signed by CA.crt), decrypted with OPENSSL RSA - CLIENT1-DEC.key
<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAy8bg+NJWJ1kI4Rgl0kd/VdOKU4AVtla/09T5d1daepp/HF2u
...
-----END RSA PRIVATE KEY-----
</key>

for any questions 14905rlh(@)gmail.com
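
Added example, not code from any poster in this thread: a small linter for the two things the profiles above differ on, namely which credentials a profile still loads from external files (the first profile keeps `pkcs12` and `tls-auth` file references beside its inline `<ca>`/`<cert>`) and whether an inline `<key>` is passphrase-protected, the condition roger.hermes's `openssl rsa` step removes. The function names, sample profiles and file names are constructed for illustration.

```python
import re

# Directives that load a file from outside the profile (subset relevant to this thread).
FILE_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth", "tls-crypt"}
INLINE_RE = re.compile(r"^<([a-z0-9-]+)>[ \t\r]*$(.*?)^</\1>[ \t\r]*$", re.M | re.S)

def key_is_encrypted(pem):
    """True for a passphrase-protected PEM key (PKCS#8 or traditional OpenSSL form)."""
    return "BEGIN ENCRYPTED PRIVATE KEY" in pem or "Proc-Type: 4,ENCRYPTED" in pem

def lint_profile(text):
    """Return sorted findings for an .ovpn profile passed in as a string."""
    inline = {m.group(1): m.group(2) for m in INLINE_RE.finditer(text)}
    findings = []
    for line in INLINE_RE.sub("", text).splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue  # blank line or comment
        if parts[0] in FILE_DIRECTIVES and len(parts) > 1:
            findings.append(f"external file: {parts[0]} {parts[1]}")
    if "cert" in inline and "key" not in inline:
        findings.append("inline <cert> without inline <key>")
    if key_is_encrypted(inline.get("key", "")):
        findings.append("inline <key> is passphrase-protected")
    return sorted(findings)

# Constructed sample profiles; the PEM bodies are placeholders, not real material.
MIXED = """client
pkcs12 client.ovpn12
tls-auth tls.key 1
<cert>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</cert>
"""
ENCRYPTED_KEY = """client
key-direction 1
<key>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,(placeholder)
-----END RSA PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    for name, profile in (("MIXED", MIXED), ("ENCRYPTED_KEY", ENCRYPTED_KEY)):
        print(name, lint_profile(profile))
```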
