VERIFY FAIL -- The certificate is signed with an unacceptable hash. : depth=0

Post Reply
serginho
OpenVpn Newbie
Posts: 2
Joined: Fri Nov 15, 2019 8:36 pm

VERIFY FAIL -- The certificate is signed with an unacceptable hash. : depth=0

Post by serginho » Fri Nov 15, 2019 9:28 pm

Hello,

I have serached the forum and also read the how-to's. So much that my Android client used to work fine until the ADSL line was upgraded at the server side.

To keep it short, I removed OpenVPN from the Server and reinstalled. Created a brand new PKI. Then created 2 client certificates, one for my Windows PC and one for my Android phone. Copied the CA and client keys to the appropriate locations in both devices. Windows connects, Android doesn't. Below the log (note the '??' at the 'issuer name' and 'subject name' lines: those are not replacements: they are exactly like this in the log file; not sure if relevant, though):

Code: Select all

18:21:07.216 -- ----- OpenVPN Start -----
18:21:07.217 -- EVENT: CORE_THREAD_ACTIVE
18:21:07.221 -- OpenVPN core 3.git::728733ae:Release android arm64 64-bit PT_PROXY built on Aug 14 2019 14:13:26
18:21:07.245 -- Frame=512/2048/512 mssfix-ctrl=1250
18:21:07.254 -- UNUSED OPTIONS
5 [nobind] 
6 [persist-key] 
7 [persist-tun] 
14 [verb] [4] 
15 [explicit-exit-notify] [3] 
18:21:07.262 -- EVENT: RESOLVE
18:21:07.642 -- Contacting xxx.xx.xxx.xx:xxxx via UDP
18:21:07.645 -- EVENT: WAIT
18:21:07.654 -- Connecting to [xxxxxxxx.xxx.xxx]:xxxx (xxx.xx.xxx.xx) via UDPv4
18:21:07.682 -- EVENT: CONNECTING
18:21:07.687 -- Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA1,keysize 256,key-method 2,tls-client
18:21:07.688 -- Creds: UsernameEmpty/PasswordEmpty
18:21:07.690 -- Peer Info:
IV_GUI_VER=OC30Android
IV_VER=3.git::728733ae:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_AUTO_SESS=1
18:21:08.143 -- VERIFY FAIL -- The certificate is signed with an unacceptable hash. : depth=0
cert. version     : 3
serial number     : 01
issuer name       : C=BR, ST=RS, L=CCCCCCC, O=MMMMMM, OU=MMMMMM, CN=SSSSSSS, ??=MMMMMM, emailAddress=sssss@ssss.com.br
subject name      : C=BR, ST=RS, L=CCCCCCC, O=MMMMMM, OU=MMMMMM, CN=SSSSSSS, ??=MMMMMM, emailAddress=sssss@ssss.com.br
issued  on        : 2019-11-15 19:14:04
expires on        : 2039-11-10 19:14:04
signed using      : RSA with MD5
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage         : Digital Signature, Key Encipherment
ext key usage     : TLS Web Server Authentication
18:21:08.263 -- Transport Error: mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
18:21:08.264 -- EVENT: CERT_VERIFY_FAIL info='mbed TLS: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA or signature check failed'
18:21:08.281 -- EVENT: CORE_THREAD_INACTIVE
18:21:08.282 -- Tunnel bytes per CPU second: 0
18:21:08.282 -- ----- OpenVPN Stop -----
This is the Server OVPN:

Code: Select all

port 1194
proto udp
dev tun
ca   "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\SSSSSSS.crt"
key  "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\SSSSSSS.key"
dh   "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh4096.pem"
topology subnet
server 172.16.116.0 255.255.252.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
keepalive 30 60
cipher AES-256-CBC
comp-lzo
max-clients 10
persist-key
persist-tun
status openvpn-status.log
log         openvpn.log
verb 4
This is the Client OVPN:

Code: Select all

client
dev tun
proto udp
remote xxxxxxxx.xxx.xxx xxxx
keepalive 30 60
nobind
persist-key
persist-tun
ca   "C:\\Program Files\\OpenVPN\\config\\SSSS\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\SSSS\\keys\\DDDDD.crt"
key  "C:\\Program Files\\OpenVPN\\config\\SSSS\\keys\\DDDDD.key"
cipher AES-256-CBC
comp-lzo
verb 3
explicit-exit-notify 3
Can some one, please, explain why it would connect with one device and not with the other?

Thanks

Serginho

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 6239
Joined: Fri Jun 03, 2016 1:17 pm

Re: VERIFY FAIL -- The certificate is signed with an unacceptable hash. : depth=0

Post by TinCanTech » Fri Nov 15, 2019 10:11 pm

serginho wrote:
Fri Nov 15, 2019 9:28 pm
why it would connect with one device and not with the other?
Because of the version of OpenSSL not OpenVPN ..
serginho wrote:
Fri Nov 15, 2019 9:28 pm
Created a brand new PKI. Then created 2 client certificates
How .. Using what ?

serginho
OpenVpn Newbie
Posts: 2
Joined: Fri Nov 15, 2019 8:36 pm

Re: VERIFY FAIL -- The certificate is signed with an unacceptable hash. : depth=0

Post by serginho » Wed Nov 20, 2019 5:14 pm

Hi,

PKI and certificates created using bundled EasyRSA, the one that comes with OpenVPN installer.

Thanks

Post Reply