OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: Taomyn on September 05, 2016, 05:03:44 pm

Title: Help with OpenVPN and StartCom SSL certificates
Post by: Taomyn on September 05, 2016, 05:03:44 pm
Can anyone help me figure out how to get my Class 2 StartCom SSL certificate to work with the OpenVPN server? I know it should work because I was able to use it before with my previous firewall.


I originally tried with an internal certificate, following both the directions in the main site documentation and the server wizard, but with both the client (which in my case is "OpenVPN for Android") failed during the TLS verification. I double checked the firewall rules and could not see why it kept failing. So I decided to switch to try using my main wildcard certificate.


Now I get this on the server:

Quote
Sep 5 16:44:11    openvpn[52967]: 194.154.219.70:28826 TLS Error: TLS handshake failed
Sep 5 16:44:11    openvpn[52967]: 194.154.219.70:28826 TLS Error: TLS object -> incoming plaintext read error
Sep 5 16:44:11    openvpn[52967]: 194.154.219.70:28826 TLS_ERROR: BIO read tls_read_plaintext error
Sep 5 16:44:11    openvpn[52967]: 194.154.219.70:28826 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sep 5 16:44:11    openvpn[52967]: 194.154.219.70:28826 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority
Sep 5 16:15:10    openvpn[52967]: 194.154.219.70:27635 TLS Error: TLS handshake failed
Sep 5 16:15:10    openvpn[52967]: 194.154.219.70:27635 TLS Error: TLS object -> incoming plaintext read error
Sep 5 16:15:10    openvpn[52967]: 194.154.219.70:27635 TLS_ERROR: BIO read tls_read_plaintext error
Sep 5 16:15:10    openvpn[52967]: 194.154.219.70:27635 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sep 5 16:15:10    openvpn[52967]: 194.154.219.70:27635 VERIFY ERROR: depth=2, error=self signed certificate in certificate chain: C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority


I checked under "System, Trust, Authorities" and the two certificates in the chain "OU=StartCom Certification Authority, O=StartCom Ltd., CN=StartCom Class 2 IV Server CA, C=IL" and "OU=Secure Digital Certificate Signing, O=StartCom Ltd., CN=StartCom Certification Authority, C=IL" are present, though for the second one its reported issuer is "self-signed", which is odd.
Title: Re: Help with OpenVPN and StartCom SSL certificates
Post by: fabian on September 06, 2016, 02:23:53 pm
I am using a self-signed CA for that (should be in System > Trust). This CA signs a server certificate for the OpenVPN server and at least one client certificate. After you set up the server you can download a configuration file generated for your client to use it with the server. This usually works. I never used the wizard to create it. Can you retry it without the wizard?

Kind regards,

Fabian
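The log in the first post reports the error at depth=2 against the StartCom root, and the root is listed with issuer "self-signed" in the trust list. Both are consistent: a root CA certificate is self-signed by definition, and OpenSSL's "self signed certificate in certificate chain" verdict means the peer's chain ends in a self-signed root that is not in the trust store the server verifies against (the "Peer Certificate Authority" on the OpenVPN server, OpenVPN's `ca` option). Whether the server accepts the peer depends only on what is in that trust store, not on what is present in System > Trust. One caveat when a public CA is used there: OpenVPN accepts any certificate that validates against the `ca` file, so a public CA as peer CA admits every certificate that CA ever issued unless the peer is further restricted (for example with `--verify-x509-name`); a private CA, as Fabian suggests, avoids that. The script below is an added example written for this page, not code from the thread or from OPNsense: it builds a throwaway three-level PKI (root, intermediate, server certificate) with the openssl command-line tool, which it assumes is on PATH (1.1.1 or 3.x), and then verifies the server certificate once with the root in the trust store and once with only the intermediate there. Every subject, file name and the `verify_leaf` helper are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from OPNsense: reproduce the
# trust-store side of the failure in the log with a throwaway three-level PKI
# (root -> intermediate -> server cert), then verify the server cert twice:
# once with the root in the trust store and once with only the intermediate.
# Assumes the openssl command-line tool (1.1.1 or 3.x) is on PATH; every
# name, subject and file below is made up for the demonstration.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for the certificates signed below; an intermediate without
# CA:TRUE is rejected as an issuer, so it carries the same CA profile.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext

# 1. Self-signed root: the role "StartCom Certification Authority" plays in
#    the log (depth=2). A root is self-signed by definition: issuer == subject.
openssl req -x509 -config req.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
  -sha256 -days 30 -subj '/CN=Example Root CA' -keyout root.key -out root.crt 2>/dev/null
# 2. Intermediate (depth=1), signed by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=Example Class 2 Server CA' -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -sha256 -days 30 -extfile ca.ext -out int.crt 2>/dev/null
# 3. Server certificate (depth=0), signed by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=vpn.example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -sha256 -days 30 -extfile leaf.ext -out leaf.crt 2>/dev/null

# What a peer sends alongside its own certificate: intermediate plus root.
cat int.crt root.crt > chain.pem

# verify_leaf TRUSTFILE: validate leaf.crt with TRUSTFILE as the only trust
# anchor(s) and chain.pem as the peer-supplied, untrusted part of the chain.
# Prints "leaf.crt: OK" and returns 0 on success, non-zero otherwise.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted chain.pem leaf.crt
}

# Roots are self-signed: the "self-signed" issuer shown for a root CA in a
# trust list is expected, not a sign that the certificate is broken.
echo '--- root certificate subject and issuer:'
openssl x509 -in root.crt -noout -subject -issuer

echo '--- trust store contains the root:'
verify_leaf root.crt
echo '--- trust store contains only the intermediate:'
verify_leaf int.crt || echo 'rejected: the chain ends in a self-signed root that is not trusted'
```

Run it as-is; the second verification fails because, without `-partial_chain`, OpenSSL requires the chain to end at a self-signed certificate that is itself in the trust store, and the intermediate alone does not satisfy that. On the firewall the equivalent fix is to make the trust anchor the OpenVPN server verifies against match the root of the chain the clients present, or, better, to use a private CA for the VPN as the reply above recommends.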
Title: Re: Help with OpenVPN and StartCom SSL certificates
Post by: Taomyn on September 06, 2016, 04:07:33 pm
Quote from: fabian on September 06, 2016, 02:23:53 pm
I am using a self-signed CA for that (should be in System > Trust). This CA signs a server certificate for the OpenVPN server and at least one client certificate. After you set up the server you can download a configuration file generated for your client to use it with the server. This usually works. I never used the wizard to create it. Can you retry it without the wizard?

Kind regards,

Fabian


That's how I did it the first time following the directions from the online docs. I only tried the wizard after it first failed, but the current setup I have was again done manually.