A couple of years ago I successfully set up OpenVPN with a couple of road warrior clients, but I was using the legacy ("Servers") method, that is reaching the end of the line. Now I tried to set up a new VPN using the new "Instances" method, after setting up certificates.
The VPN fails, with
2025-06-03 16:54:10 VERIFY ERROR: depth=0, error=unsuitable certificate purpose: C=NL, ST=NH, L=Amsterdam, O=#########, emailAddress=#########, CN=######, serial=4
2025-06-03 16:54:10 OpenSSL: error:0A000086:SSL routines::certificate verify failed
(sensitive information replaced with "########").
Any ideas of what I might be doing wrong?
Quote from: julf on June 03, 2025, 05:07:51 PM
error=unsuitable certificate purpose
This should be the hint.
Did you assign a server certificate?
Quote from: viragomann on June 03, 2025, 05:37:34 PM
Quote from: julf on June 03, 2025, 05:07:51 PM
error=unsuitable certificate purpose
This should be the hint.
Did you assign a server certificate?
Ummh, doesn't the client use a client certificate?
Yes.
However, you were not clear about what you really did and where you get this error.
Quote from: viragomann on June 03, 2025, 05:37:34 PM
Quote from: julf on June 03, 2025, 05:07:51 PM
error=unsuitable certificate purpose
This should be the hint.
Did you assign a server certificate?
Ummh, doesn't the client use a client certificate?
Quote from: viragomann on June 03, 2025, 06:18:21 PM
Yes.
However, you were not clear about what you really did and where you get this error.
I generated a client certificate, then set up an OpenVPN instance (actually two - one for a UDP and one for a TCP connection, just in case). I get the error on the client when I try to connect to the opnsense box.
Quote from: julf on June 03, 2025, 06:28:39 PM
I generated a client certificate, then set up an OpenVPN instance
This could be a server or a client.
??
Where do you see the error??
Quote from: viragomann on June 03, 2025, 06:31:06 PM
Quote from: julf on June 03, 2025, 06:28:39 PM
I generated a client certificate, then set up an OpenVPN instance
This could be a server or a client.
??
Where do you see the error??
The certificate I generated was a client one. I see the error on the linux client that tries to connect to the VPN.
Which certificate is mentioned in the error message? Is it the server cert or the client cert?
Quote from: viragomann on June 03, 2025, 07:31:09 PM
Which certificate is mentioned in the error message? Is it the server cert or the client cert?
Don't know how to tell from the error message.
The error mentioned the whole cert details like common name (CN) and organisation (O). You should be able to determine which it is from this.
Quote from: viragomann on June 03, 2025, 07:31:09 PM
Which certificate is mentioned in the error message? Is it the server cert or the client cert?
Don't know how to tell from the error message.
Quote from: viragomann on June 03, 2025, 08:28:35 PM
The error mentioned the whole cert details like common name (CN) and organisation (O). You should be able to determine which it is from this.
All the certs I have generated have the same CN and O.
CNs have to be unique for each client and the server.
Quote from: viragomann on June 03, 2025, 07:31:09 PM
Which certificate is mentioned in the error message? Is it the server cert or the client cert?
Don't know how to tell from the error message.
Quote from: viragomann on June 03, 2025, 08:28:35 PM
The error mentioned the whole cert details like common name (CN) and organisation (O). You should be able to determine which it is from this.
All the certs I have generated have the same CN and O.
Quote from: viragomann on June 03, 2025, 08:48:48 PM
CNs have to be unique for each client and the server.
Ah, yes, you are right, I confused C with CN. Seems it is the client cert it is complaining about.
So search for it in OPNsense > System > Trust > Certificates.
Is it shown there as "in use" by a user?
And is the purpose "clientAuth"?
Quote from: viragomann on June 03, 2025, 09:05:49 PM
So search for it in OPNsense > System > Trust > Certificates.
Is it shown there as "in use" by a user?
And is the purpose "clientAuth"?
It is shown as "in use", but only as a tick mark, not a user. The purpose is "clientAuth".
So I'm wondering, what your client is complaining about.
It says "verify failed", however, I don't expect that the client verifies its own certificate.
This would rather indicate a wrong server certificate.
But possibly you get the same error if the client cannot use the private key. Is it installed properly?
Which client software are you using?
Does it use a recent OpenSSL version?
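The client-side check viragomann is pointing at, as an added example (not from the thread and not OPNsense or OpenVPN code): an OpenSSL TLS client verifies the peer's depth=0 certificate against the `sslserver` purpose, so `openssl verify -purpose sslserver` reproduces the "unsuitable certificate purpose" failure for a certificate that was issued with the clientAuth purpose only. The CA, the two leaf certificates and all file names are constructed in a temporary directory; the only assumption is an `openssl` binary on the path.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce OpenSSL's "unsuitable certificate
# purpose" check offline. A TLS client applies the "sslserver" purpose to the
# peer's leaf certificate (depth=0), so a certificate issued with only the
# clientAuth EKU is rejected as a server. All material is constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed CA with explicit CA extensions (no dependence on a system openssl.cnf).
openssl req -newkey rsa:2048 -nodes -keyout ca.key -out ca.csr -subj "/CN=example-ca" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -out ca.pem -days 2 -extfile ca.ext 2>/dev/null

# issue_leaf STEM EKU: constructed leaf certificate carrying exactly one EKU value.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -out "$1.pem" -days 2 -extfile "$1.ext" 2>/dev/null
}
issue_leaf server serverAuth   # the purpose an OpenVPN instance (server) must be assigned
issue_leaf client clientAuth   # the purpose a road-warrior client should present

# eku_of CERT: the Extended Key Usage line, i.e. the "purpose" shown in the trust store.
eku_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

# usable_as_server CERT: exit 0 when the cert passes the sslserver purpose check
# that an OpenSSL TLS client applies to the server's certificate.
usable_as_server() {
  openssl verify -purpose sslserver -CAfile ca.pem "$1" >/dev/null 2>&1
}

report() {
  if usable_as_server "$1"; then
    echo "$1: EKU '$(eku_of "$1")' -> accepted as server certificate"
  else
    echo "$1: EKU '$(eku_of "$1")' -> unsuitable certificate purpose"
  fi
}
report server.pem
report client.pem
```

Running the same `openssl x509 -noout -text` against the certificate an instance is assigned shows at a glance whether its EKU line reads "TLS Web Server Authentication" or only "TLS Web Client Authentication".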
Quote from: viragomann on June 03, 2025, 09:47:54 PM
But possibly you get the same error if the client cannot use the private key. Is it installed properly?
Depends on what "properly" means. On the client side, isn't everything in the file generated by the client export?
Quote from: viragomann on June 03, 2025, 09:47:54 PM
Which client software are you using?
Does it use a recent OpenSSL version?
OpenVPN 2.6.3, OpenSSL 3.0.16 (11 Feb 2025)