Dear group,
I have configured an OVPN server on my Mikrotik router. I also imported the license and I see the KR sign beside it.
In the firewall I have also allowed requests from OVPN clients.
----------------
Importing licenses :
/certificate
import file=certificate-response.pem
import file=private-key.key
----------------
Firewall rule :
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
--------------
The problem is:
when my client tries to connect, after entering username/pass, it receives the error below:
------------------
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
----------------
client configuration file :
client
dev tap
proto tcp
remote 67.55.66.181 1194
resolv-retry infinite
nobind
persist-key
persist-tun
route-metric 1
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
Ca information is placed here
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Cert content is placed here
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Private key is placed directly into file
-----END ENCRYPTED PRIVATE KEY-----
</key>
comp-lzo
-------
Any help or guideline is appreciated.
Thank You
unsuccessful authentication from OVPN client
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Apr 28, 2013 7:02 am
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: unsuccessful authentication from OVPN client
I'm not sure how you configured things, but the warning
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=GeoTrust, Inc., CN=RapidSSL CA
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
suggests that you've installed the wrong CA certificate (or certificate stack). Where are you getting the certificates from?
-
- OpenVpn Newbie
- Posts: 4
- Joined: Sun Apr 28, 2013 7:02 am
Re: unsuccessful authentication from OVPN client
Yes, I changed the cert and installed a new one. I got it from RapidSSL, and I double-checked with them about the validity of the certs.
Now I have this log message:
Wed May 01 00:22:55 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 01 00:22:55 2013 Attempting to establish TCP connection with [AF_INET]67.55.66.181:1194
Wed May 01 00:22:55 2013 MANAGEMENT: >STATE:1367338975,TCP_CONNECT,,,
Wed May 01 00:22:55 2013 TCP connection established with [AF_INET]67.55.66.181:1194
Wed May 01 00:22:55 2013 TCPv4_CLIENT link local: [undef]
Wed May 01 00:22:55 2013 TCPv4_CLIENT link remote: [AF_INET]67.55.66.181:1194
Wed May 01 00:22:55 2013 MANAGEMENT: >STATE:1367338975,WAIT,,,
Wed May 01 00:22:56 2013 MANAGEMENT: >STATE:1367338976,AUTH,,,
Wed May 01 00:22:56 2013 TLS: Initial packet from [AF_INET]67.55.66.181:1194, sid=3b75cd0e ef1dbf58
Wed May 01 00:22:57 2013 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=US, O=GeoTrust,
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: unsuccessful authentication from OVPN client
As a follow-up: you will need to install the right certificate chain as the client-side ca.crt file for this to work. Ask your VPN provider to provide you with the right ca.crt chain.
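
Added example (not part of the thread, and not OpenVPN or MikroTik code): a small triage script for the failure discussed above. It extracts the depth and subject from `VERIFY ERROR` log lines and inspects the inline blocks of a client profile, reporting how many certificates `<ca>` holds and whether any block is left unterminated. The function names and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample log: the VERIFY ERROR line quoted in the thread.
SAMPLE_LOG = ("VERIFY ERROR: depth=1, error=unable to get issuer certificate: "
              "C=US, O=GeoTrust, Inc., CN=RapidSSL CA\n")

# Constructed sample profile: one certificate in <ca>, <key> never closed.
SAMPLE_OVPN = """client
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
comp-lzo
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)")
TAG_RE = re.compile(r"<(/?)([\w-]+)>")

def verify_errors(log):
    """Return (depth, error, subject) for every VERIFY ERROR line."""
    return [(int(d), e.strip(), s.strip()) for d, e, s in VERIFY_RE.findall(log)]

def inline_blocks(profile):
    """Map each inline tag to its certificate count and whether it is closed."""
    blocks, current = {}, None
    for line in map(str.strip, profile.splitlines()):
        tag = TAG_RE.fullmatch(line)
        if tag and not tag.group(1):            # opening tag such as <ca>
            current = tag.group(2)
            blocks[current] = {"certs": 0, "closed": False}
        elif tag and tag.group(2) == current:   # matching closing tag
            blocks[current]["closed"] = True
            current = None
        elif current and line == "-----BEGIN CERTIFICATE-----":
            blocks[current]["certs"] += 1
    return blocks

def diagnose(log, profile):
    blocks = inline_blocks(profile)
    findings = [f"<{t}> is never closed" for t, b in blocks.items() if not b["closed"]]
    ca_count = blocks.get("ca", {"certs": 0})["certs"]
    for depth, error, subject in verify_errors(log):
        if "issuer certificate" in error:       # issuer missing from the trust set
            findings.append(f"depth {depth}: issuer of '{subject}' is not in <ca> ({ca_count} certificate(s))")
    return findings
```

Calling `diagnose(SAMPLE_LOG, SAMPLE_OVPN)` returns one finding per problem; a depth=1 issuer error alongside a single-certificate `<ca>` points at an incomplete chain in the client-side CA file.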