External certificate signing failed

Posted: Mon Dec 05, 2022 2:33 pm
by tbarth

I created a certificate on my OPNsense firewall for VPN connections. It contained a .ovpn, .p12 and a .key file. With these files I get a VPN connection on my Linux distribution. I would like to use OpenConnect v3 on my Windows 10 too, but I get errors.

The first error message was that CA is not defined. I exported an extra CA file from my server. Then I added a line to my config file (ca my_ca_file.crt). OK, this seems to be fine; after this modification I get the error mentioned in the subject: external certificate signing failed. Somebody could resolve this problem by putting the ca line in the middle of the config body, but it doesn't work for me.

This is my config file:

cipher AES-256-CBC
auth SHA512
resolv-retry infinite
remote my_server_ip 1194 udp
lport 0
verify-x509-name "C=DE, ST=NRW, L=my_city, O=Administration, emailAddress=my_email_address, CN=internal-server-crt" subject
remote-cert-tls server
comp-lzo no
ca my_ca_file.crt
pkcs12 OpenVPN_Server_Level5_tbarth_28.p12
tls-auth OpenVPN_Server_Level5_tbarth_28-tls.key 1

Is there still something wrong here?

Re: External certificate signing failed

Posted: Mon Dec 05, 2022 7:57 pm
by tbarth
More detailed info on the error event:

data too small for key size? What the h...?

[Dec 5, 2022, 20:50:13] EVENT: EPKI_ERROR External Certificate Signing Failed
[Dec 5, 2022, 20:50:13] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:0406B07A:rsa routines:RSA_padding_add_none:data too small for key size / error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
[Dec 5, 2022, 20:50:13] EVENT: DISCONNECTED

Re: External certificate signing failed

Posted: Tue Dec 06, 2022 1:03 pm
by ordex
Moved to the appropriate section, as I believe you meant "OpenVPN Connect v3" and not "OpenConnectv3".