OpenVPN Support Forum

Dear group
I have configured OVPN server on my Mikrotik router, I imported the license also and I see KR sign beside it.
In firewall also I have allowed requests from OVPN clients.
----------------
Importing licenses :
/certificate
import file=certificate-response.pem
import file=private-key.key
----------------
Firewall rule :
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
--------------
the problem is :
when my client tries to connect, after inserting username/pass, receives the below error :
------------------
VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=GeoTrust, Inc., CN=RapidSSL CA

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
----------------
client configuration file :
client
dev tap
proto tcp
remote 67.55.66.181 1194
resolv-retry infinite
nobind
persist-key
persist-tun
route-metric 1
auth-user-pass


<ca>
-----BEGIN CERTIFICATE-----
Ca information is placed here
-----END CERTIFICATE-----

</ca>

<cert>
-----BEGIN CERTIFICATE-----
Cert content is placed here
-----END CERTIFICATE-----


</cert>

<key>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Private key is placed directly into file
-----END ENCRYPTED PRIVATE KEY-----
comp-lzo
-------

Any help or guideline is appreciated.
Thank You

I'm not sure how you configured things, but the warning

VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=GeoTrust, Inc., CN=RapidSSL CA

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

suggests that you've installed the wrong CA certificate (or certificate stack). Where are you getting the certificates from?

Yes, I changed the cert and installed new one, I have provided from RapidSSL and I did double check with them about validity of certs.
noe I have this Log message :

Wed May 01 00:22:55 2013 Socket Buffers: R=[8192->8192] S=[8192->8192]
Wed May 01 00:22:55 2013 Attempting to establish TCP connection with [AF_INET]67.55.66.181:1194
Wed May 01 00:22:55 2013 MANAGEMENT: >STATE:1367338975,TCP_CONNECT,,,
Wed May 01 00:22:55 2013 TCP connection established with [AF_INET]67.55.66.181:1194
Wed May 01 00:22:55 2013 TCPv4_CLIENT link local: [undef]
Wed May 01 00:22:55 2013 TCPv4_CLIENT link remote: [AF_INET]67.55.66.181:1194
Wed May 01 00:22:55 2013 MANAGEMENT: >STATE:1367338975,WAIT,,,
Wed May 01 00:22:56 2013 MANAGEMENT: >STATE:1367338976,AUTH,,,
Wed May 01 00:22:56 2013 TLS: Initial packet from [AF_INET]67.55.66.181:1194, sid=3b75cd0e ef1dbf58
Wed May 01 00:22:57 2013 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=US, O=GeoTrust,

as a follow up : you will need to install the right certificate chain as the client-side ca.crt file for this to work. Ask your VPN provider to provide you with the right ca.crt chain.