OpenVPN Support Forum

Hi to all,

I have installer OpenVPN Access Server successfully on Docker.
I try to optimise ovpn configuration file with the error message displayed.

During connection, i see this error message :

WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.

So i just replace ns-cert-type server BY remote-cert-tls server and i have the following error :

[olog]Mon Apr 19 20:50:01 2021 Certificate does not have key usage extension
Mon Apr 19 20:50:01 2021 VERIFY KU ERROR
Mon Apr 19 20:50:01 2021 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Apr 19 20:50:01 2021 TLS_ERROR: BIO read tls_read_plaintext error
Mon Apr 19 20:50:01 2021 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 19 20:50:01 2021 TLS Error: TLS handshake failed[/olog]

Someone can tell me how to fix it please ?

The ovpn file below :

Hi There,

We advise you not to try and remove or replace `ns-cert-type verification` because that would mean you disable all verification which is worse than having some verification, that is why this is included by default even if it is tag as deprecated. This option, by the way, cannot be replaced with something better until our OpenVPN access server 2.9 with certificate revamping has been completed. The better server certificate verification methods can't be used on the certificates that access server generates and uses at this time. So `ns-cert-type` is the correct way of server verification now, disabling that means no server verification method which is worse than using an older method. Second, we advise you to just disregard the deprecated message you are getting. The product is functioning as it should be. We use the ns-cert-type server currently, and it does the same thing.

Also, just to let you know, we don’t officially support running Access Server inside a container: doesn’t matter it is OpenVZ, Docker or LXD.

Elrick91 wrote: ↑

Mon Apr 19, 2021 7:17 pm

Hi to all,

I have installer OpenVPN Access Server successfully on Docker.
I try to optimise ovpn configuration file with the error message displayed.

During connection, i see this error message :

WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.

So i just replace ns-cert-type server BY remote-cert-tls server and i have the following error :

[olog]Mon Apr 19 20:50:01 2021 Certificate does not have key usage extension
Mon Apr 19 20:50:01 2021 VERIFY KU ERROR
Mon Apr 19 20:50:01 2021 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Apr 19 20:50:01 2021 TLS_ERROR: BIO read tls_read_plaintext error
Mon Apr 19 20:50:01 2021 TLS Error: TLS object -> incoming plaintext read error
Mon Apr 19 20:50:01 2021 TLS Error: TLS handshake failed[/olog]

Someone can tell me how to fix it please ?

The ovpn file below :

Code: Select all

cipher AES-256-CBC
setenv FORWARD_COMPATIBLE 1
client
proto udp
nobind
remote 1XX.XXX.XXX.XXX
port XXXXXXXX
dev tun
dev-type tun
ns-cert-type server
setenv opt tls-version-min 1.0 or-highest
reneg-sec 604800
sndbuf 0
rcvbuf 0
auth-user-pass
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
<ca>
.............
</ca>
<cert>
.............
</cert>
<key>
............
</key>
key-direction 1
<tls-auth>
............
</tls-auth>
cipher AES-256-GCM
## -----BEGIN RSA SIGNATURE-----
## -----END CERTIFICATE-----

Regards,
Crowley