OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: blackhiden on February 02, 2019, 09:36:16 am

Title: OpenVPN error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Post by: blackhiden on February 02, 2019, 09:36:16 am
Hello,
I'm a new guy on OPNsense. Last night, I configured an OpenVPN server on OPNsense.

Here is my specification:
name: openvpn_server
server mode: remote access (ssl/tls user auth)
backend auth: local database
proto: UDP
iface: WAN
dev mode: tun
port: 1194
tls auth: no
dh: 2048
ca: ca
server cert: server (2048, SHA1)
encryption algo: AES-128-CBC
digest algo: SHA1 (160 bit)
cert depth: one (client + server)
ip tun: 10.0.8.0/24
compression: no
ipv6: no
verb: 3

client specification:
digest algo: sha1
ca: ca
client cert: client (2048, sha1)
===openvpn config file===
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote server.com udp
verify-x509-name "ovpn-server" name
auth-user-pass
verb 3

When I connected to the server, I saw the log message SSL3_GET_SERVER_CERTIFICATE:certificate verify failed and OpenVPN disconnected.

I tried to delete and create, but it is still the same.

Any idea?

Thank you.
God bless.
Title: Re: OpenVPN error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Post by: blackhiden on February 02, 2019, 10:25:51 am

Since I can log in to the shell, here is my configuration file (server):

dev ovpns1
verb 3
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
auth SHA1
up /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkup
down /usr/local/etc/inc/plugins.inc.d/openvpn/ovpn-linkdown
local (my public ip)
client-disconnect "/usr/local/etc/inc/plugins.inc.d/openvpn/attributes.sh server1"
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/1
auth-user-pass-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify user 'Local Database' 'false' 'server1'" via-env
tls-verify "/usr/local/etc/inc/plugins.inc.d/openvpn/ovpn_auth_verify tls 'server' 1"
lport 1194
management /var/etc/openvpn/server1.sock unix
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /usr/local/etc/dh-parameters.2048.sample
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo no
persist-remote-ip
float
topology subnet
Title: Re: OpenVPN error SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Post by: franco on February 04, 2019, 12:03:09 pm
Hi,

There seems to be a mismatch between the expected certificate and the given one, or the chain is incomplete, or... there's no way to tell from the config.


Cheers,
Franco
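
The two possibilities named in the reply above, a certificate or name mismatch and an incomplete chain, can each be tested offline with the openssl command-line tool. The following is an added example, not part of the original thread: `check_server_cert`, `make_ca` and `make_cert` are hypothetical helper names, and the certificates it checks are constructed throwaway ones.

```shell
#!/bin/sh
# check_server_cert CA_FILE CERT_FILE EXPECTED_NAME   (hypothetical helper)
# Returns 0 only if the chain verifies and the subject CN equals EXPECTED_NAME.
check_server_cert() {
    ca=$1; cert=$2; expected=$3
    # 1) Chain: is the certificate signed by the CA the client trusts?
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL chain: $cert does not verify against $ca"
        return 1
    fi
    # 2) Name: verify-x509-name "<name>" name compares against the subject CN.
    #    (Simple parse; assumes the CN contains no escaped commas.)
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *\(.*,\)*CN=\([^,]*\).*/\2/p')
    if [ "$cn" != "$expected" ]; then
        echo "FAIL name: certificate CN is '$cn', client expects '$expected'"
        return 1
    fi
    echo "OK: chain verifies and CN is '$cn'"
}

# --- Constructed throwaway test material (not the poster's certificates) ---
make_ca() {    # make_ca DIR NAME -> self-signed DIR/NAME.crt and DIR/NAME.key
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
make_cert() {  # make_cert DIR CA_NAME CN -> DIR/CN.crt signed by CA_NAME
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

d=$(mktemp -d)
make_ca "$d" ca && make_ca "$d" other-ca && make_cert "$d" ca server
check_server_cert "$d/ca.crt" "$d/server.crt" server || true        # matching name
check_server_cert "$d/ca.crt" "$d/server.crt" ovpn-server || true   # name mismatch
check_server_cert "$d/other-ca.crt" "$d/server.crt" server || true  # wrong CA
rm -rf "$d"
```

On the systems in this thread the inputs would be the server's /var/etc/openvpn/server1.cert, the CA certificate the client was actually given, and the name from the client's verify-x509-name line.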