OpenVPN server: Opnsense
OpenVPN client: Windows OpenVPN Connect 3.3.6
Yubikey: Yubikey 5
Error message: External Certificate signing failed
The log entries for the failed connection attempt:
[Oct 30, 2022, 13:38:59] EVENT: CONNECTING
[Oct 30, 2022, 13:38:59] Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client
[Oct 30, 2022, 13:38:59] Creds: Username/Password
[Oct 30, 2022, 13:38:59] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext
[Oct 30, 2022, 13:38:59] EVENT: EPKI_ERROR External Certificate Signing Failed
[Oct 30, 2022, 13:38:59] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
[Oct 30, 2022, 13:38:59] EVENT: DISCONNECTED
- Following the guide on OpenVPN's website for "support of PKCS#11 physical tokens for OpenVPN Connect". That means importing the ovpn file excluding the key and cert, and putting these last two on the YubiKey in slot 9a. For this import I successfully used both yubico-piv-tool and the YubiKey Manager.
- Verify the cert with yubico-piv-tool, successful
- Googling
It can successfully use the YubiKey, as I need to insert it and provide the correct PIN, but it sees the information in the slot as "wrong" somehow, even though the connection works fine when it's all integrated in the ovpn file.
Any help on this would be appreciated. I'd like this to work since it adds to security while being really user-friendly for a company that's already accustomed to using YubiKeys for everything.
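An added example, not part of the post above and not code from Yubico or OpenVPN: the offline checks worth running on a client key/cert pair before it goes into PIV slot 9a (does the private key actually belong to the certificate, and what key size is it), followed by the yubico-piv-tool steps that import the pair into 9a, read the certificate back and make the token produce a test signature checked against that certificate. It assumes openssl and yubico-piv-tool are on PATH, that `-k` with no value makes yubico-piv-tool prompt for the PIV management key (its `--key` option), and that a YubiKey 5 accepts RSA 2048 and ECC P-256/P-384 in 9a; the key and certificate used for the demonstration are generated inline as throwaway test material, and the on-token steps only run when DO_PIV_IMPORT=1 is set so the script never touches a real token by accident.

```shell
#!/bin/sh
# Added example, not from the forum post or from Yubico/OpenVPN:
# sanity-check an OpenVPN client key/cert pair before loading it into
# YubiKey PIV slot 9a, then the yubico-piv-tool steps that import it and
# prove the token can sign with it. Assumes openssl and yubico-piv-tool are
# on PATH. All file names below are placeholders.

# 0 if the private key in $1 belongs to the certificate in $2, 1 if not,
# 2 if either file cannot be parsed. Compares the SubjectPublicKeyInfo
# derived from the key with the one embedded in the certificate.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Key size in bits, to check against what the PIV slot accepts.
# Assumption (check Yubico's PIV docs for your firmware): YubiKey 5 slot 9a
# takes RSA 2048 and ECC P-256/P-384, so an RSA 4096 key would be rejected.
key_bits() {
    openssl pkey -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Import key ($1) and certificate ($2) into slot 9a, read the certificate
# back, then have the token sign a test message that yubico-piv-tool
# verifies against the certificate's public key. -k with no value prompts
# for the management key (assumption: yubico-piv-tool's --key option);
# verify-pin prompts for the PIN, as OpenVPN Connect will at connect time.
piv_import_and_test() {
    yubico-piv-tool -k -s 9a -a import-key -i "$1" &&
    yubico-piv-tool -k -s 9a -a import-certificate -i "$2" &&
    yubico-piv-tool -s 9a -a read-certificate | openssl x509 -noout -subject -dates &&
    yubico-piv-tool -s 9a -a verify-pin -a test-signature -i "$2"
}

# Constructed test material: a throwaway self-signed client cert with its
# key, plus an unrelated key to show what a mismatch looks like.
DEMO_DIR=$(mktemp -d)
CLIENT_KEY="$DEMO_DIR/client.key"
CLIENT_CERT="$DEMO_DIR/client.crt"
OTHER_KEY="$DEMO_DIR/other.key"
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=vpn-client-test" \
    -keyout "$CLIENT_KEY" -out "$CLIENT_CERT" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$OTHER_KEY" 2>/dev/null

if key_matches_cert "$CLIENT_KEY" "$CLIENT_CERT"; then
    echo "client.key matches client.crt ($(key_bits "$CLIENT_KEY") bit)"
fi
if ! key_matches_cert "$OTHER_KEY" "$CLIENT_CERT"; then
    echo "other.key does not match client.crt; a pair like this must not go onto the token"
fi

# Only touch a real token when explicitly asked to.
if [ "${DO_PIV_IMPORT:-0}" = "1" ]; then
    piv_import_and_test "$CLIENT_KEY" "$CLIENT_CERT"
fi
```

Run it as-is to see the offline checks on the generated material; to use it on real files, point CLIENT_KEY and CLIENT_CERT at the key and certificate taken out of the ovpn file and run with DO_PIV_IMPORT=1. The test-signature step is the useful one for a token that already holds the slot contents: it exercises exactly the private-key operation the TLS handshake needs when the client builds its CertificateVerify message.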