ERROR: Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
zzarautz
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 02, 2021 5:59 pm

ERROR: Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Post by zzarautz » Fri Apr 02, 2021 6:17 pm

Hello, sorry if this is the wrong place, can you please help me to debug a configuration error on my OpenVPN setup?

I am running a server for home use with a self-signed CA and a bunch of client certificates. The server is running on Debian stable and I have not touched the configuration for many years now (but I have kept everything up to date). Most of my clients can connect without issues, but there is one particular certificate that is giving me headaches. It is the only mobile client, using OpenVPN for Android. The only difference in respect to a working setup is that in this case I have bundled together the various certificates by embedding them in a single .ovpn configuration file and then I imported the .ovpn file with the Android client app. When I try to connect I get "Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication", while on server side I see on the log:

Code: Select all

Fri Apr  2 19:03:21 2021 84.226.168.177:51382 OpenSSL: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate
Fri Apr  2 19:03:21 2021 84.226.168.177:51382 TLS_ERROR: BIO read tls_read_plaintext error
Fri Apr  2 19:03:21 2021 84.226.168.177:51382 TLS Error: TLS object -> incoming plaintext read error
Fri Apr  2 19:03:21 2021 84.226.168.177:51382 TLS Error: TLS handshake failed
Here is my client conifg.ovpn:

Code: Select all

# my client cert

# basic client configuration
client
remote 99.99.99.99 1194
dev tun
proto udp
nobind


# authentication and security
cipher AES-256-CBC
auth SHA512
remote-cert-tls server
key-direction 1

# other options
comp-lzo yes
auth-nocache
script-security 2
persist-key
persist-tun
replay-window 256			#experimental? default is 64


# logging
mute-replay-warnings
verb 3
mute 5


<ca>
-----BEGIN CERTIFICATE-----
SOMECERTIFICATEINBASE64==
-----END CERTIFICATE-----
</ca>

<cert>
-----BEGIN CERTIFICATE-----
SOMEotherCERTinBASE64
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,FFFFFFINGERPRINT

RANdomSTuff==
-----END EC PRIVATE KEY-----
</key>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0xstuff_in_hex
-----END OpenVPN Static key V1-----
</tls-auth>
And this is my server configuration:

Code: Select all

# basic server configuration
local 99.99.99.99 
port 1194
proto udp
dev tun
server 10.0.0.0 255.255.255.0


# authentication and security
ca ./cacert.pem
cert ./servercert.pem
key ./private/serverkey.pem
dh ./dh.pem
tls-auth ./private/ta.key 0
crl-verify ./crl.pem
auth SHA512
cipher AES-256-CBC


# network configuration
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.1.2.2"
ifconfig-pool-persist ./ipp.txt
client-to-client
keepalive 10 120
replay-window 256			#experimental?


# other options
comp-lzo yes
max-clients 10
user nobody
group nogroup
persist-key
persist-tun


# logging
status ./vpn-status.log
log         ./vpn.log
verb 3
mute 5
Can you please help me to find the problem? Thanks!

User avatar
TinCanTech
Forum Team
Posts: 9379
Joined: Fri Jun 03, 2016 1:17 pm

Re: [oconf] ERROR: Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Post by TinCanTech » Fri Apr 02, 2021 7:32 pm

zzarautz wrote:
Fri Apr 02, 2021 6:17 pm
I have not touched the configuration for many years now (but I have kept everything up to date)
Except your server certificate.

You have probably got a server certificate with deprecated "Netscape extensions".

Your best course of action is to recreate your PKI from scratch using: I don't know how to configure an Android device to accept the old standard and it may not even be possible to do so..

zzarautz
OpenVpn Newbie
Posts: 2
Joined: Fri Apr 02, 2021 5:59 pm

Re: ERROR: Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Post by zzarautz » Sat Apr 03, 2021 9:38 am

Oh that's bad...

Recreate PKI from scratch? You mean everything, including CA? Or just server cert?

Thanks!

User avatar
TinCanTech
Forum Team
Posts: 9379
Joined: Fri Jun 03, 2016 1:17 pm

Re: ERROR: Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication

Post by TinCanTech » Sat Apr 03, 2021 1:23 pm

It has to be everything!

Read through vars.example for some quick instructions.

Post Reply