[Solved]Client failed: unsupported certificate purpose
Posted: Tue Mar 31, 2015 2:25 pm
Hi,
My first try failed when open the client to connect my server.
Server and the client are both running 2.3.6. Keys are created using easyrsk tool acoording
to its documents.
Server starts up normall (showing Initialization Sequence Completed)
Client failed in connecting:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Socket Buffers: R=[87380->131072] S=[16384->131072]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Local Options hash (VER=V4): '69109d17'
Expected Remote Options hash (VER=V4): 'c0103fa8'
Attempting to establish TCP connection with [AF_INET]59.37.26.98:9005 [nonblock]
TCP connection established with [AF_INET]59.37.26.98:9005
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]59.37.26.98:9005
TLS: Initial packet from [AF_INET]59.37.26.98:9005, sid=a9f7fc71 d6c98d10
VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=lg_server_dc1
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
Server config:
cd /etc/openvpn
ort 9090
proto tcp
dev tun
ca certs/ca.crt
cert certs/lg_server_dc1.crt
key keys/lg_server_dc1.key # This file should be kept secret
dh dh.pem
server 10.11.27.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5
Client config:
cd /etc/openvpn
client
dev tun
proto tcp
remote 1.2.3.4 9090
resolv-retry infinite
nobind
persist-key
persist-tun
ca certs/ca.crt
cert certs/lg_cp978.crt
key keys/lg_cp978.key
comp-lzo
verb 4
Could you please have look at my case and guess what' s the possible cause? Thanks in advance!
-woody
My first try failed when open the client to connect my server.
Server and the client are both running 2.3.6. Keys are created using easyrsk tool acoording
to its documents.
Server starts up normall (showing Initialization Sequence Completed)
Client failed in connecting:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Socket Buffers: R=[87380->131072] S=[16384->131072]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Local Options hash (VER=V4): '69109d17'
Expected Remote Options hash (VER=V4): 'c0103fa8'
Attempting to establish TCP connection with [AF_INET]59.37.26.98:9005 [nonblock]
TCP connection established with [AF_INET]59.37.26.98:9005
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]59.37.26.98:9005
TLS: Initial packet from [AF_INET]59.37.26.98:9005, sid=a9f7fc71 d6c98d10
VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=lg_server_dc1
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
Server config:
cd /etc/openvpn
ort 9090
proto tcp
dev tun
ca certs/ca.crt
cert certs/lg_server_dc1.crt
key keys/lg_server_dc1.key # This file should be kept secret
dh dh.pem
server 10.11.27.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5
Client config:
cd /etc/openvpn
client
dev tun
proto tcp
remote 1.2.3.4 9090
resolv-retry infinite
nobind
persist-key
persist-tun
ca certs/ca.crt
cert certs/lg_cp978.crt
key keys/lg_cp978.key
comp-lzo
verb 4
Could you please have look at my case and guess what' s the possible cause? Thanks in advance!
-woody
Thank you! I understand where is the problem, And, after I regenerate the server key, I got it run w/o problem.