[Solved] After renewal of an expired certificate I got : VERIFY ERROR: depth=0, error=self signed certificate
Posted: Tue Sep 26, 2023 1:29 pm
Hello everyone,
First, sorry for my English; it's not my first language.
Thanks in advance if you take time to read my post.
We have an OpenVPN server on a CentOS 6.9 machine. I know it's old, but we are working to replace it eventually.
The certificates of this server expired this week. I tried to renew them, but it seems that's not working anymore with the clients.
This is the configuration of the server, which was made by a colleague who doesn't work with us anymore.
Server Config
port 1194
proto tcp-server
dev tun
ca keys/organization/ca.crt
cert keys/organization/organizationserver.crt
key keys/organization/organizationserver.key
dh keys/organization/dh2048.pem
server 13.67.0.0 255.255.255.0
crl-verify keys/organization/crl.pem
ifconfig-pool-persist servers/organizationVPN/logs/ipp.txt
user nobody
group nobody
status servers/organizationVPN/logs/openvpn-status.log
log-append servers/organizationVPN/logs/openvpn.log
verb 4
mute 20
max-clients 150
tun-mtu 1500
local 192.168.234.10
management 127.0.0.1 8876
keepalive 5 30
client-config-dir /etc/openvpn/servers/organizationVPN/ccd
tls-server
comp-lzo
persist-key
This is the procedure I followed to renew the certificates:
sudo openssl x509 -in /etc/openvpn/keys/organization/ca.crt -days 36500 -out /etc/openvpn/keys/organization/ca_new.crt -signkey /etc/openvpn/keys/organization/ca.key
sudo openssl verify -CAfile /etc/openvpn/keys/organization/ca_new.crt /etc/openvpn/clients/organizationVPN/vpn-client1/vpn-client1.crt
/etc/openvpn/clients/organizationVPN/vpn-client1/vpn-client1.crt: OK

sudo openssl x509 -req -in /etc/openvpn/keys/organization/organizationserver.csr -CA /etc/openvpn/keys/organization/organizationserver.crt -CAkey /etc/openvpn/keys/organization/organizationserver.key -CAcreateserial -out /etc/openvpn/keys/organization/organizationserver_new.crt -days 36500
Config changes
ca keys/organization/ca_new.crt
cert keys/organization/organizationserver_new.crt
On the client side, the message for an expired certificate switched to a self-signed certificate.
Tue Sep 26 09:11:58 2023 VERIFY ERROR: depth=0, error=self signed certificate: C=US, ST=NY, L=New York, O=My Org, OU=Office, CN=organizationserver, emailAddress=me@my.org
Tue Sep 26 09:11:58 2023 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Tue Sep 26 09:11:58 2023 TLS_ERROR: BIO read tls_read_plaintext error
Tue Sep 26 09:11:58 2023 TLS Error: TLS object -> incoming plaintext read error
Tue Sep 26 09:11:58 2023 TLS Error: TLS handshake failed
Tue Sep 26 09:11:58 2023 Fatal TLS error (check_tls_errors_co), restarting
I've spent too much time trying to solve this problem. Please, if someone has an idea of what can be done, I'll be grateful.
Thanks a lot
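The client log above reports a self-signed certificate at depth=0, which is the server's own certificate rather than the CA. That is what the third command in the procedure produces: `-CA` and `-CAkey` point at the old server certificate and the server key instead of `ca.crt` and `ca.key`, so the renewed certificate's issuer is its own subject and no client that trusts the CA will accept it. The script below is an added example, not the poster's commands and not anything from the OpenVPN project. It builds a throw-away CA in a temporary directory, issues a server certificate the correct way, reproduces the mistaken signing, and then runs the two checks a practitioner would use to tell the results apart (issuer equals subject; chains to the CA). All names in it (Example Test CA, the organizationserver subject, the file names, the 825-day lifetime) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the poster's commands or anything from the OpenVPN
# project: a throw-away PKI in a temporary directory that contrasts a server
# certificate signed by the CA key with one signed (as in the post) by the
# server's own key. Every name here (Example Test CA, the organizationserver
# subject, the file names) is constructed for the demo.
set -eu

# Write a minimal openssl config so the demo does not depend on the system
# openssl.cnf; the v3_ca section marks the CA certificate as a CA.
write_cnf() {
    cat > "$1/pki.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
O = My Org
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Build a self-signed CA plus a server key and CSR in directory $1.
setup_pki() {
    dir="$1"
    write_cnf "$dir"
    openssl req -x509 -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -days 3650 -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/O=My Org/CN=organizationserver" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
}

# Correct renewal: the CSR is signed with the CA certificate and CA key,
# so the new certificate's issuer is the CA.
issue_with_ca() {
    dir="$1"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -out "$dir/server_ok.crt" >/dev/null 2>&1
}

# The mistake from the post: -CA and -CAkey point at the server's own
# certificate and key, so issuer == subject and the result is self-signed.
# Requires issue_with_ca to have run first (server_ok.crt plays the old cert).
issue_with_own_key() {
    dir="$1"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/server_ok.crt" \
        -CAkey "$dir/server.key" -CAcreateserial -days 825 \
        -out "$dir/server_selfsigned.crt" >/dev/null 2>&1
}

# Succeeds when the certificate's issuer DN equals its subject DN, which is
# what the client's "depth=0, error=self signed certificate" is reporting.
is_self_signed() {
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | cut -d= -f2-)
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | cut -d= -f2-)
    [ "$issuer" = "$subject" ]
}

# Succeeds when the certificate chains to the CA file, the same check an
# OpenVPN client performs against the CA it was shipped with.
verifies_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build both certificates and report what a client would see.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
setup_pki "$work"
issue_with_ca "$work"
issue_with_own_key "$work"
for f in server_ok.crt server_selfsigned.crt; do
    if is_self_signed "$work/$f"; then ss=yes; else ss=no; fi
    if verifies_against "$work/ca.crt" "$work/$f"; then ok=yes; else ok=no; fi
    echo "$f: self-signed=$ss chains_to_ca=$ok"
done
```

Running it shows `server_ok.crt` as not self-signed and chaining to the CA, and `server_selfsigned.crt` as self-signed and rejected, which is the failure in the log. The same issuer/subject comparison, pointed at the renewed server certificate, is the quickest way to confirm the diagnosis on the real server before touching the clients. Two further points from the procedure: re-signing the CA certificate with `-signkey` keeps the CA key and subject, so existing client certificates still verify against it (as the `openssl verify ... OK` step showed), but if the CA certificate itself had expired, the clients also need the renewed `ca_new.crt`, since they validate the chain with their own copy; and certificates issued for 36500 days leave you relying entirely on the CRL for the lifetime of the deployment, so a shorter server lifetime with a scheduled renewal is the safer habit.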