OpenVPN Broken

Post your questions about SoftEther VPN software here. Please answer questions if you can afford.
gavstah
Posts: 61
Joined: Wed Jun 05, 2013 11:33 pm
Location: Glen Allen, Virginia USA

OpenVPN Broken

Post by gavstah » Sat Nov 30, 2013 12:11 am

Hi all -

Has anyone had a similar problem after installing an SSL cert for SSTP?

I have a cert issued by geotrust installed, and SSTP works great, but after installing the geotrust cert on the server, it borks the openvpn connection - tried downloading a new openvpn config after installing the geotrust cert, but it's not working.

Funny thing is, openvpn works fine with the default cert on the server that's created during server install. Just not with one issued by a CA.

Any pointers in the right direction would be greatly appreciated.
Punkawallah
The VPN Company
http://goo.gl/iu6wG


Re: OpenVPN Broken

Post by gavstah » Sat Nov 30, 2013 1:02 am

Further to this, looking at the logs the connection attempt dies right here:

Nov 29 20:00:48: TLS Error: TLS object -> incoming plaintext read error
Nov 29 20:00:48: TLS Error: TLS handshake failed
Nov 29 20:00:48: SIGUSR1[soft,tls-error] received, process restarting

inten
Posts: 370
Joined: Fri Oct 18, 2013 8:15 am
Location: All around the world

Re: OpenVPN Broken

Post by inten » Sat Nov 30, 2013 2:19 am

Did you add Geotrust Root CA cert? http://www.geotrust.com/resources/root-certificates/
And check your remote (config) and cert CN are the same.
When you don't like the answer, change the question.
Cheers,
Team.

VPNHPanel.com
This account is not associated to SoftEther project.


Re: OpenVPN Broken

Post by inten » Sat Nov 30, 2013 3:15 am

btw, in your log there should be something like:

TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Why didn't you post the full error log here but just a part of it?

Re: OpenVPN Broken

Post by gavstah » Sun Dec 01, 2013 2:23 pm

CNs are the same.

But add the root cert to where? Client config file? Didn't see anywhere on the server admin to add it.

Re: OpenVPN Broken

Post by inten » Sun Dec 01, 2013 9:32 pm

SE has a problem (or a bug) working with chained certificates. Is your cert of chained type?

Re: OpenVPN Broken

Post by gavstah » Mon Dec 02, 2013 1:13 pm

Hi there - thanks for your help. No, it's just a plain-jane geotrust cert.

I do see an area for the CA file in the client config file. Is this where the geotrust root cert goes?

Re: OpenVPN Broken

Post by inten » Tue Dec 03, 2013 10:14 am

Yes, client's config starting from <ca> till <ca> is a root cert.


Re: OpenVPN Broken

Post by gavstah » Tue Dec 03, 2013 4:21 pm

I have the geotrust global ca in there now in addition to the server generated cert - see screenshot at http://screencast.com/t/cawy22pNVk5I

But I get this error trying to connect:

VERIFY ERROR: depth=0, error=unable to get local issuer certificate: . . . . .
Dec 03 10:51:28: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Do both certs need to be in inline format? Any ideas?

Re: OpenVPN Broken

Post by inten » Tue Dec 03, 2013 10:04 pm

Replace <ca>...<ca> with the next string:

ca your_root_cert_bundle_in_pem_format

and write back with the log result.
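
The "unable to get local issuer certificate" error at depth=0 quoted in the thread can be reproduced offline with openssl verify, which checks a server certificate against a CA file on its own. The script below is an added example, not code from the posters or from the SoftEther project; every certificate, subject name and file name in it is constructed, and the intermediate-CA case goes beyond what the thread confirms about the poster's certificate.

```shell
#!/bin/sh
# Constructed demo: throwaway certificates, not the ones from the thread.
d=$(mktemp -d)
trap 'rm -rf "$d"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$d/leaf.ext"

# issue NAME CN EXTFILE SIGNING-ARGS...: make a key and a certificate for CN.
issue() {
    name=$1 cn=$2 ext=$3
    shift 3
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -days 1 -extfile "$d/$ext" \
        -out "$d/$name.pem" "$@" 2>/dev/null
}

# Hypothetical hierarchy: root -> issuing CA -> VPN server certificate.
issue root "Demo Root CA" ca.ext -signkey "$d/root.key"
issue inter "Demo Issuing CA" ca.ext \
    -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial
issue server "vpn.example.test" leaf.ext \
    -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial
# Stand-in for the self-signed certificate a server generates at install time.
issue default "default.example.test" ca.ext -signkey "$d/default.key"
cat "$d/root.pem" "$d/inter.pem" > "$d/bundle.pem"

# verdict CAFILE: verify server.pem against CAFILE alone, as a client-side
# "ca" file is used. Prints OK or OpenSSL's numbered error line.
verdict() {
    if out=$(openssl verify -CAfile "$1" "$d/server.pem" 2>&1); then
        echo OK
    else
        printf '%s\n' "$out" | grep '^error [0-9]'
    fi
}

echo "old self-signed cert as ca: $(verdict "$d/default.pem")"
echo "root only:                  $(verdict "$d/root.pem")"
echo "root + issuing CA:          $(verdict "$d/bundle.pem")"
```

To run the same check against a real setup, point -CAfile at the PEM file named on the client's ca line and verify the certificate installed on the server.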
