External certificate signing failed

Official client software for OpenVPN Access Server and OpenVPN Cloud.
tbarth
OpenVpn Newbie
Posts: 3
Joined: Mon Dec 05, 2022 1:43 pm

External certificate signing failed

Post by tbarth » Mon Dec 05, 2022 2:33 pm

Hi,

I created a certificate on my opnsense firewall for vpn connections. It contained a .ovpn, .p12 and a .key file. With these files I get a vpn connection on my linux distribution. I would like to use OpenConnect v3 on my Windows 10 too, but I get errors.

The first error message was that CA is not defined. I exported an extra ca file from my server. Then I added a line to my config file (ca my_ca_file.crt). Ok, this seems to be ok, after this modification I get the error mentioned in the subject: external certificate signing failed. Somebody could resolve this problem by putting the ca line in the middle of the config-body, but it doesn't work for me.

This is my config file:

cipher AES-256-CBC
auth SHA512
client
resolv-retry infinite
remote my_server_ip 1194 udp
lport 0
verify-x509-name "C=DE, ST=NRW, L=my_city, O=Administration, emailAddress=my_email_address, CN=internal-server-crt" subject
remote-cert-tls server
comp-lzo no
ca my_ca_file.crt
pkcs12 OpenVPN_Server_Level5_tbarth_28.p12
tls-auth OpenVPN_Server_Level5_tbarth_28-tls.key 1

Is there still something wrong here?

tbarth
OpenVpn Newbie
Posts: 3
Joined: Mon Dec 05, 2022 1:43 pm

Re: External certificate signing failed

Post by tbarth » Mon Dec 05, 2022 7:57 pm

More detailed info on the error event

data too small for key size? What the h...?

[Dec 5, 2022, 20:50:13] EVENT: EPKI_ERROR External Certificate Signing Failed
[Dec 5, 2022, 20:50:13] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:0406B07A:rsa routines:RSA_padding_add_none:data too small for key size / error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
[Dec 5, 2022, 20:50:13] EVENT: DISCONNECTED

ordex
OpenVPN Inc.
Posts: 444
Joined: Wed Dec 28, 2016 2:32 am
Location: IRC #openvpn-devel @ libera.chat

Re: External certificate signing failed

Post by ordex » Tue Dec 06, 2022 1:03 pm

Moved to the appropriate section, as I believe you meant "OpenVPN Connect v3" and not "OpenConnectv3"

LozBoz
OpenVpn Newbie
Posts: 1
Joined: Sun Jul 30, 2023 12:06 pm

Re: External certificate signing failed

Post by LozBoz » Sun Jul 30, 2023 1:34 pm

I have just come across this issue and can answer.
Rather than export as an "Archive" which uses pkcs12 encryption, export as a "File" which uses a high level of encryption and then imports just fine without having to do a separate certificate add as well.

If a developer sees this: V3.4 just dies with a pkcs12, perhaps some trapping of such use may be helpful. It has taken me many hours and use of multiple clients to work out what was wrong!!
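
Added example, not part of the thread and not OpenVPN or OPNsense code: a sketch of turning the config from the first post into a single-file profile, assuming the "File" export means a profile with the CA, client certificate, key and tls-auth key embedded as inline blocks. The function names and the PEM placeholders are constructed for illustration.

```python
# Directives that reference external files in the posted client config.
FILE_DIRECTIVES = {"ca", "cert", "key", "pkcs12", "tls-auth"}

def external_refs(profile):
    """Return the lines of a profile that still point at separate files."""
    return [l for l in profile.splitlines()
            if l.split() and l.split()[0] in FILE_DIRECTIVES]

def inline_profile(config, ca_pem, cert_pem, key_pem, ta_key):
    """Replace file-based ca/pkcs12/tls-auth lines with inline blocks."""
    kept, direction = [], None
    for line in config.splitlines():
        parts = line.split()
        if parts and parts[0] in FILE_DIRECTIVES:
            # "tls-auth <file> 1": the trailing 1 is the key direction, which
            # the inline form expresses as a separate key-direction line.
            if parts[0] == "tls-auth" and len(parts) > 2:
                direction = parts[2]
            continue
        kept.append(line)
    if direction is not None:
        kept.append(f"key-direction {direction}")
    for tag, body in (("ca", ca_pem), ("cert", cert_pem),
                      ("key", key_pem), ("tls-auth", ta_key)):
        kept.append(f"<{tag}>\n{body.strip()}\n</{tag}>")
    return "\n".join(kept) + "\n"

# Config as posted in the thread.
POSTED = """cipher AES-256-CBC
auth SHA512
client
resolv-retry infinite
remote my_server_ip 1194 udp
lport 0
verify-x509-name "C=DE, ST=NRW, L=my_city, O=Administration, emailAddress=my_email_address, CN=internal-server-crt" subject
remote-cert-tls server
comp-lzo no
ca my_ca_file.crt
pkcs12 OpenVPN_Server_Level5_tbarth_28.p12
tls-auth OpenVPN_Server_Level5_tbarth_28-tls.key 1
"""
# Constructed placeholder; real PEM text could be extracted with, for example,
#   openssl pkcs12 -in client.p12 -nokeys -clcerts   (client certificate)
#   openssl pkcs12 -in client.p12 -nocerts -nodes    (private key)
PLACEHOLDER = "-----BEGIN PLACEHOLDER-----\n(constructed)\n-----END PLACEHOLDER-----"
PROFILE = inline_profile(POSTED, PLACEHOLDER, PLACEHOLDER, PLACEHOLDER, PLACEHOLDER)
```

A profile built this way carries the client private key in the same file, so it needs the same file permissions and handling as the original .p12.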
