OpenVPN Broken
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
- Location: Glen Allen, Virginia USA
- Contact:
OpenVPN Broken
Hi all -
Has anyone had a similar problem after installing an SSL cert for SSTP?
I have a cert issued by geotrust installed, and SSTP works great, but after installing the geotrust cert on the server, it borks the openvpn connection - tried downloading a new openvpn config after installing the geotrust cert, but it's not working.
Funny thing is, openvpn works fine with the default cert on the server that's created during server install. Just not with one issued by a CA
Any pointers in the right direction would be greatly appreciated.
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
- Location: Glen Allen, Virginia USA
- Contact:
Re: OpenVPN Broken
Further to this, looking at the logs the connection attempt dies right here:
Nov 29 20:00:48: TLS Error: TLS object -> incoming plaintext read error
Nov 29 20:00:48: TLS Error: TLS handshake failed
Nov 29 20:00:48: SIGUSR1[soft,tls-error] received, process restarting
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: OpenVPN Broken
Did you add Geotrust Root CA cert? http://www.geotrust.com/resources/root-certificates/
And check your remote (config) and cert CN are the same.
When you don't like the answer, change the question.
Cheers,
Team.
VPNHPanel.com
This account is not associated to SoftEther project.
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: OpenVPN Broken
btw, in your log there should be something like:
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Why didn't you post the full error log here but just a part of it?
When you don't like the answer, change the question.
Cheers,
Team.
VPNHPanel.com
This account is not associated to SoftEther project.
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
- Location: Glen Allen, Virginia USA
- Contact:
Re: OpenVPN Broken
CN's are the same.
But add the root cert to where? Client config file? Didn't see anywhere on the server admin to add it.
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: OpenVPN Broken
SE has a problem (or a bug) working with chained certificates. Is your cert of chained type?
When you don't like the answer, change the question.
Cheers,
Team.
VPNHPanel.com
This account is not associated to SoftEther project.
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
- Location: Glen Allen, Virginia USA
- Contact:
Re: OpenVPN Broken
Hi there - thanks for your help. No, it's just a plain-jane geotrust cert.
I do see an area for the CA file in the client config file. Is this where the geotrust root cert goes?
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: OpenVPN Broken
Yes, client's config starting from <ca> till <ca> is a root cert.
-
- Posts: 61
- Joined: Wed Jun 05, 2013 11:33 pm
- Location: Glen Allen, Virginia USA
- Contact:
Re: OpenVPN Broken
I have the geotrust global ca in there now in addition to the server generated cert - see screenshot at http://screencast.com/t/cawy22pNVk5I
But I get this error trying to connect:
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: . . . . .
Dec 03 10:51:28: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Do both certs need to be in inline format? Any ideas?
-
- Posts: 370
- Joined: Fri Oct 18, 2013 8:15 am
- Location: All around the world
- Contact:
Re: OpenVPN Broken
Replace <ca>...<ca> with the next string:
ca your_root_cert_bundle_in_pem_format
and write back with the log result.
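
The "unable to get local issuer certificate" failure discussed in this thread can be reproduced and checked offline with the openssl CLI. This is an added example, not part of the thread and not SoftEther or OpenVPN code: it verifies a server certificate against whatever sits in a client profile's <ca> block. The CN values, file names and the "remote" line are constructed, and the demo root stands in for the public CA.

```shell
#!/bin/sh
# Added example. Subjects, hostnames and file names are constructed for the demo.
set -u
WORK=$(mktemp -d)

# Self-signed certificate: $1 = file prefix, $2 = subject CN.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server certificate issued by the demo root (stand-in for a public CA).
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -days 1 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
}

# Client profile with the given PEM file as its inline <ca> block.
write_profile() {  # $1 = CA pem, $2 = output .ovpn
  { echo "remote vpn.example.test 1194"; echo "<ca>"; cat "$1"; echo "</ca>"; } > "$2"
}

# Copy the certificates between <ca> and </ca> into a bundle file.
extract_ca() {  # $1 = .ovpn, $2 = output bundle
  sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | grep -v -e '^<ca>$' -e '^</ca>$' > "$2"
}

# Verify the server certificate against the CA set a profile carries.
# Prints openssl's verdict; exit status is 0 only when the chain validates.
check_profile() {  # $1 = .ovpn
  extract_ca "$1" "$WORK/bundle.pem"
  openssl verify -CAfile "$WORK/bundle.pem" "$WORK/server.pem" 2>&1
}

make_selfsigned default "Demo server-generated cert"
make_selfsigned root "Demo Root CA"
issue_server_cert
write_profile "$WORK/default.pem" "$WORK/old.ovpn"
write_profile "$WORK/root.pem" "$WORK/fixed.ovpn"

echo "--- <ca> holds only the old self-signed server cert:"
check_profile "$WORK/old.ovpn" || true
echo "--- <ca> holds the root that issued the server cert:"
check_profile "$WORK/fixed.ovpn" || true
```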