Cert pre verification error unsupported certificate purpose

Hi,

My first try failed when opening the client to connect to my server.

Server and client are both running 2.3.6. Keys were created using the easy-rsa tool according
to its documentation.

The server starts up normally (showing Initialization Sequence Completed).

The client fails to connect:

WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Re-using SSL/TLS context
LZO compression initialized
Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
Socket Buffers: R=[87380->131072] S=[16384->131072]
Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Local Options hash (VER=V4): '69109d17'
Expected Remote Options hash (VER=V4): 'c0103fa8'
Attempting to establish TCP connection with [AF_INET]59.37.26.98:9005 [nonblock]
TCP connection established with [AF_INET]59.37.26.98:9005
TCPv4_CLIENT link local: [undef]
TCPv4_CLIENT link remote: [AF_INET]59.37.26.98:9005
TLS: Initial packet from [AF_INET]59.37.26.98:9005, sid=a9f7fc71 d6c98d10
VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=lg_server_dc1
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
TCP/UDP: Closing socket
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)

Server config:
cd /etc/openvpn
port 9090
proto tcp
dev tun
ca certs/ca.crt
cert certs/lg_server_dc1.crt
key keys/lg_server_dc1.key # This file should be kept secret
dh dh.pem
server 10.11.27.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-to-client
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 5

Client config:
cd /etc/openvpn
client
dev tun
proto tcp
remote 1.2.3.4 9090
resolv-retry infinite
nobind
persist-key
persist-tun
ca certs/ca.crt
cert certs/lg_cp978.crt
key keys/lg_cp978.key
comp-lzo
verb 4

Could you please have a look at my case and guess what the possible cause is? Thanks in advance!

-woody

OpenVPN fails at this error

Thu Jun 13 10:27:52 2019 us=490780 ###.###.###.###:52064 Incoming Ciphertext -> TLS
Thu Jun 13 10:27:52 2019 us=491055 ###.###.###.###:52064 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client
Thu Jun 13 10:27:52 2019 us=491111 ###.###.###.###:52064 SSL alert (write): fatal: unsupported certificate

(more of the log on https://pastebin.com/qjY83e7G )

Server config

#server
port 443
proto tcp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/issued/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
server 10.98.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
tls-server
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
#user nobody
#group nobody
persist-key
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9
explicit-exit-notify 0
auth sha512
remote-cert-tls client
duplicate-cn

Client config

client
dev tap0
proto tcp
remote ########
resolv-retry infinite
#nobind
comp-lzo
persist-key
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 9

key-direction 1
cipher AES-256-CBC
auth sha512
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
dh /etc/openvpn/dh.pem
tls-client
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server

#script-security 2
#up /zpi/onVpnUp.sh

Googling the error led me to this EasyRSA vars setting

# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature.  If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no".  When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.

#set_var EASYRSA_NS_SUPPORT     "no"

But reading the comment, it should be set to 'yes' only when using ns-cert-type (which I don't have in my config), not when using remote-cert-tls (which I do).

Where am I wrong?

edit:
Tried recalculating certificate files with EASYRSA_NS_SUPPORT and I am still getting this error.

EDIT: I'm really sorry to have to say that the problem has magically fixed itself and I have no idea why. In response to one of the answers, I removed all EKU from the CA chain and it didn't work. After coming back from vacation, I created the cert chain one at a time, i.e. RootCA->VPN, then RootCA->IntermediateCA->VPN and, finally, RootCA->IntermediateCA->ServerCA->VPN, and it still worked! I have no idea why it was working but I was thrilled. Just to make absolutely sure that it was the removal of the EKU that solved it, I went back and added random EKU to CAs in the chain and, lo and behold, it still works... This is absolutely infuriating and I apologize to all the people who tried to help. I swear, absolutely nothing else has changed and no one touched anything in my absence.
END EDIT

When trying to connect an OpenVPN client (Android or Windows 7/10) to my test server, I receive the following error:

VERIFY ERROR: depth=1, error=unsupported certificate purpose: C=CA, ST=QC, L=Montreal, O=Company Inc, OU=PKI, CN=Server Certificate Authority

I am running OpenVPN 2.3.7 on OpenBSD. I am using the following PKI CA hierarchy created using XCA:

RootCA -> IntermediateCA -> ServerCA

I created a certificate for my VPN server that is signed by my ServerCA. Please note the depth=1. This doesn’t seem to be an issue with the final VPN Server certificate. OpenVPN is complaining about the issuer of the VPN server certificate. Even the CN in the error message is that of ServerCA NOT of the vpn server.

As far as I have been able to determine, there is no requirement for a CA in the chain to have any other purpose than signing certificates.

Here is the VPN server’s certificate’s configuration. Note that the old Netscape server extension is there, as required by OpenVPN:

nsCertType=server, email
extendedKeyUsage=serverAuth, nsSGC, ipsecEndSystem, iKEIntermediate
keyUsage=digitalSignature, keyEncipherment, dataEncipherment, keyAgreement
authorityKeyIdentifier=keyid, issuer
subjectKeyIdentifier=hash
basicConstraints=CA:FALSE

Here is the issuing CA’s certificate’s configuration:

crlDistributionPoints=crlDistributionPoint0_sect
extendedKeyUsage=critical,OCSPSigning
keyUsage=critical,keyCertSign, cRLSign
authorityKeyIdentifier=keyid, issuer
subjectKeyIdentifier=hash
basicConstraints=critical,CA:TRUE,pathlen:0

[crlDistributionPoint0_sect]
fullname=URI:http://pki.company.ca/server.crl

I tried adding nsCertType=server to the ServerCA but there was no change.

I have also seen endless forum posts where people forgot to add the nsCertType extension and received an error similar to mine but with depth=0 instead. In my case, the server’s certificate seems to be fine.

Can anyone tell me why OpenVPN cares what a CA up the chain is permitted to do (other than signing certs, obviously)? How can I see what «certificate purpose» the client was expecting? How can I get OpenVPN to accept the certificate chain?

As requested, here is the VPN Server’s certificate:

$ openssl x509 -noout -text -in vpn-server.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4 (0x4)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=CA, ST=QC, L=Montreal, O=Company Inc, OU=PKI, CN=Server Certificate Authority
        Validity
            Not Before: Jun 21 17:58:00 2016 GMT
            Not After : Jun 21 17:58:00 2021 GMT
        Subject: C=CA, ST=QC, L=Montreal, O=Company Inc, OU=VPN, CN=vpn.company.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                **:**:**:**:**:**:**:**
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                A9:EF:EB:8B:68:E2:5F:0A:5D:FC:8A:39:7D:59:BE:21:75:2A:CB:8E
            X509v3 Authority Key Identifier:
                keyid:60:F3:33:2C:F7:13:09:F8:5C:3C:B2:D1:0B:9D:7D:9E:86:6A:24:41
                DirName:/C=CA/ST=QC/L=Montreal/O=Company Inc/OU=PKI/CN=Intermediate Certificate Authority
                serial:03

            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, Netscape Server Gated Crypto, IPSec End System, 1.3.6.1.5.5.8.2.2
            Netscape Cert Type:
                SSL Server, S/MIME
    Signature Algorithm: sha512WithRSAEncryption
        **:**:**:**:**:**:**:**

And here is the issuer’s certificate:

$ openssl x509 -noout -text -in server-ca.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=CA, ST=QC, L=Montreal, O=Company Inc, OU=PKI, CN= Intermediate Certificate Authority
        Validity
            Not Before: Jun 21 17:57:00 2016 GMT
            Not After : Jun 21 17:57:00 2026 GMT
        Subject: C=CA, ST=QC, L=Montreal, O=Company Inc, OU=PKI, CN= Server Certificate Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    **:**:**:**:**:**:**:**
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier:
                60:F3:33:2C:F7:13:09:F8:5C:3C:B2:D1:0B:9D:7D:9E:86:6A:24:41
            X509v3 Authority Key Identifier:
                keyid:09:26:2E:AB:F4:C1:53:E1:10:11:DE:25:2D:20:D5:76:27:A9:FF:23
                DirName:/C=CA/ST=QC/L=Montreal/O=Company Inc/OU=PKI/CN=Root Certificate Authority
                serial:02

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                OCSP Signing
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://pki.company.ca/server.crl

    Signature Algorithm: sha512WithRSAEncryption
         **:**:**:**:**:**:**:**

When I try to verify a CMS signature with openssl using the following command, I get a verify error "unsupported certificate purpose". Am I missing something here?
I'm using the Windows version of OpenSSL 1.1.1l.

> .\openssl.exe version
OpenSSL 1.1.1l  24 Aug 2021

> .\openssl.exe cms -verify -inform pem -certfile .\RootCASigned.pem.18-11-2021_084313.pem -content .\Demo.txt -in .\Demo.txt.attached.sig -CAfile .\cacerts\cacert.pem
Verification failure
36056:error:2E099064:CMS routines:cms_signerinfo_verify_cert:certificate verify error:..\crypto\cms\cms_smime.c:253:Verify error:unsupported certificate purpose

The certificates involved use pretty common key usage and extended key usage settings.
The result is the same for self signed or CA signed certificates.

The CMS signature was created with SignedCms of the .Net Framework. Basically the result of signedCms.ComputeSignature(signer);.
It was created in attached mode, putting the hash into the signature. But it does not make a difference for the result.

Here are the parts involved in this command. Sadly I can’t attach pem and sig files, so I pasted them here:

CMS Signature (asn1js decoder link; the start of the base64 blob is missing from the page):
https://lapo.it/asn1js/#…_o0zv3VdaL7zJ3r8RYEioZA1CljLrEvlPqt2sDisMqqzIlLKAgXd1dRAb9QCDeTVUfTNkQxVqEVjFNgjt4hXWTj0KoneV6rZd2w6L6S_bpSheZTJohYyAGO4ShzYNRECVhNdLqol-z_1QFPct5EtkLFOEjiloA72Vhm66BwrWQxPCjMS5NqG-u4P39Xm0j1pj6czCCbp-PZHo8eK4B3UqDawudHdkTn3TTEzbsyoJCGptLUJW1A1DGID-TC7NyPYefkvCn6hqsXoh4kMmLPJs_ddjy1ceHUIwE1h4QTpLXnY_gftNtxNaLHPq3ojrVKZKavNF4UKLKJktDxH7QIDAQABo3gwdjAdBgNVHQ4EFgQUaae5-S7FYt6yIlIADYEVBBvaKScwHwYDVR0jBBgwFoAUVrNP_yKgEScOiznHhBTVm4OfNBMwDAYDVR0TAQH_BAIwADAOBgNVHQ8BAf8EBAMCB4AwFgYDVR0lAQH_BAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQELBQADggIBABQWxT349hfzEWXprR8PoDUTjrZCI75cfr48SXKykC9sOu-CVasnAleWsOu1OQhg35RbLYx_XJtBseV7yxMy4N2h7w39kw_Q_-ZVDASIk8C1liZplFsOMA1tMqXZmZMNwvq4tyx4-i0kTDVA2c3XOW-OB8R1gxiJMesz1zVnvpOLvKbOWvbHFCt4fu4ihYZQ7EWORAZTNJpnlwaH5QGG9tJ2NSOTjsTgQ6ftzhjGcRHhaGXHCzJarvpkueIGnrWT-OyZzBxigE1t2Pzruw1NJYbU24NaeSbMQ7k6lcxg5m2eG2xLhgDaANLnb3klPcenR_Hss8YWnIkK1PJnzkZ8NhZSktA66LXChuc7ZMlE54WEC-LFq5OYae0qun1GI3jqqw46oxuVSj1bxc8NsVbp6BTw2r-knMyX_6lOw8wwVXhcknUn5u2SZ1YRZQsJJqkv8iGuDPxk9QGGAM6erkGQu6SvNXTmMbw9vePyxhagvylIJ6vb2LRTYOwxM24o5rZz0j1e1EVB_wN2Z9YSU0QS2oziocwOykvlqrFVCE1Lqeo31csKOk8Sw0fcWhGagzuvIp95kb2vwS-z7hCZP4DVgkHO-fgrIXnkY3PEJwYySjq1TD4wjOgws4-0m-juznKBEDSnp1kTFodPNJgOg0_zsG2Y_Pl-mi8ygMWyBQZcC_72MYICFzCCAhMCAQEwgaIwgZwxCzAJBgNVBAYTAkFUMRAwDgYDVQQIDAdBdXN0cmlhMQ8wDQYDVQQHDAZWaWVubmExFDASBgNVBAoMC1NpZ25QYXRoLmlvMRAwDgYDVQQLDAdUZWFtIEZTMR4wHAYDVQQDDBVTaWduUGF0aCBUZXN0IFJvb3QgQ0ExIjAgBgkqhkiG9w0BCQEWE3N1cHBvcnRAc2lnbnBhdGguaW8CAQIwCwYJYIZIAWUDBAIBoEswGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHBTAvBgkqhkiG9w0BCQQxIgQg9txyTRGWSUYOR85xkTnlIeCCvoqXVcW-zhgd4EbuZf4wCwYJKoZIhvcNAQEBBIIBAETwVmJKBMnyHWZHhnQU30jiCoAwKbOc-BdBfiNPmIn9VpwcDt-uEQHbGEVlbSKHB2CdE98A0QKBxrAQBwlK3Ugr_7C3SgqNs3oxUy00D2bnmKBSBuZxw6QTElK9CBWURQMdK5MoZerdeOEJq2pOOIzej1xAgtZhM5nozt8a8sy9KV4b7jUmHr0Bvl6fbg8I8J0pG9SA-cjNBXvTVtktalFjciGn7nqp7uIMhO3MqGENoGonC3SxxMtJ4_yIBfXNwDwkO1unDHJs0Sgl4DAiGbMJMezm_ckYJM3EC26qyJJIRxEExLDdHbgheeHIbEw_q9s_MOKLcI9E-iAyOFBOoao

Signing certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AT, ST = Austria, L = Vienna, O = SignPath.io, OU = Team FS, CN = SignPath Test Root CA, emailAddress = support@signpath.io
        Validity
            Not Before: Nov 18 07:44:34 2021 GMT
            Not After : Oct 25 07:44:34 2121 GMT
        Subject: CN = SIGN-4591_RootCaSigned
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c2:01:ea:fe:8d:33:bf:75:5d:68:be:f3:27:7a:
                    fc:45:81:22:a1:90:35:0a:58:cb:ac:4b:e5:3e:ab:
                    76:b0:38:ac:32:aa:b3:22:52:ca:02:05:dd:d5:d4:
                    40:6f:d4:02:0d:e4:d5:51:f4:cd:91:0c:55:a8:45:
                    63:14:d8:23:b7:88:57:59:38:f4:2a:89:de:57:aa:
                    d9:77:6c:3a:2f:a4:bf:6e:94:a1:79:94:c9:a2:16:
                    32:00:63:b8:4a:1c:d8:35:11:02:56:13:5d:2e:aa:
                    25:fb:3f:f5:40:53:dc:b7:91:2d:90:b1:4e:12:38:
                    a5:a0:0e:f6:56:19:ba:e8:1c:2b:59:0c:4f:0a:33:
                    12:e4:da:86:fa:ee:0f:df:d5:e6:d2:3d:69:8f:a7:
                    33:08:26:e9:f8:f6:47:a3:c7:8a:e0:1d:d4:a8:36:
                    b0:b9:d1:dd:91:39:f7:4d:31:33:6e:cc:a8:24:21:
                    a9:b4:b5:09:5b:50:35:0c:62:03:f9:30:bb:37:23:
                    d8:79:f9:2f:0a:7e:a1:aa:c5:e8:87:89:0c:98:b3:
                    c9:b3:f7:5d:8f:2d:5c:78:75:08:c0:4d:61:e1:04:
                    e9:2d:79:d8:fe:07:ed:36:dc:4d:68:b1:cf:ab:7a:
                    23:ad:52:99:29:ab:cd:17:85:0a:2c:a2:64:b4:3c:
                    47:ed
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                69:A7:B9:F9:2E:C5:62:DE:B2:22:52:00:0D:81:15:04:1B:DA:29:27
            X509v3 Authority Key Identifier:
                keyid:56:B3:4F:FF:22:A0:11:27:0E:8B:39:C7:84:14:D5:9B:83:9F:34:13

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage: critical
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
         14:16:c5:3d:f8:f6:17:f3:11:65:e9:ad:1f:0f:a0:35:13:8e:
         b6:42:23:be:5c:7e:be:3c:49:72:b2:90:2f:6c:3a:ef:82:55:
         ab:27:02:57:96:b0:eb:b5:39:08:60:df:94:5b:2d:8c:7f:5c:
         9b:41:b1:e5:7b:cb:13:32:e0:dd:a1:ef:0d:fd:93:0f:d0:ff:
         e6:55:0c:04:88:93:c0:b5:96:26:69:94:5b:0e:30:0d:6d:32:
         a5:d9:99:93:0d:c2:fa:b8:b7:2c:78:fa:2d:24:4c:35:40:d9:
         cd:d7:39:6f:8e:07:c4:75:83:18:89:31:eb:33:d7:35:67:be:
         93:8b:bc:a6:ce:5a:f6:c7:14:2b:78:7e:ee:22:85:86:50:ec:
         45:8e:44:06:53:34:9a:67:97:06:87:e5:01:86:f6:d2:76:35:
         23:93:8e:c4:e0:43:a7:ed:ce:18:c6:71:11:e1:68:65:c7:0b:
         32:5a:ae:fa:64:b9:e2:06:9e:b5:93:f8:ec:99:cc:1c:62:80:
         4d:6d:d8:fc:eb:bb:0d:4d:25:86:d4:db:83:5a:79:26:cc:43:
         b9:3a:95:cc:60:e6:6d:9e:1b:6c:4b:86:00:da:00:d2:e7:6f:
         79:25:3d:c7:a7:47:f1:ec:b3:c6:16:9c:89:0a:d4:f2:67:ce:
         46:7c:36:16:52:92:d0:3a:e8:b5:c2:86:e7:3b:64:c9:44:e7:
         85:84:0b:e2:c5:ab:93:98:69:ed:2a:ba:7d:46:23:78:ea:ab:
         0e:3a:a3:1b:95:4a:3d:5b:c5:cf:0d:b1:56:e9:e8:14:f0:da:
         bf:a4:9c:cc:97:ff:a9:4e:c3:cc:30:55:78:5c:92:75:27:e6:
         ed:92:67:56:11:65:0b:09:26:a9:2f:f2:21:ae:0c:fc:64:f5:
         01:86:00:ce:9e:ae:41:90:bb:a4:af:35:74:e6:31:bc:3d:bd:
         e3:f2:c6:16:a0:bf:29:48:27:ab:db:d8:b4:53:60:ec:31:33:
         6e:28:e6:b6:73:d2:3d:5e:d4:45:41:ff:03:76:67:d6:12:53:
         44:12:da:8c:e2:a1:cc:0e:ca:4b:e5:aa:b1:55:08:4d:4b:a9:
         ea:37:d5:cb:0a:3a:4f:12:c3:47:dc:5a:11:9a:83:3b:af:22:
         9f:79:91:bd:af:c1:2f:b3:ee:10:99:3f:80:d5:82:41:ce:f9:
         f8:2b:21:79:e4:63:73:c4:27:06:32:4a:3a:b5:4c:3e:30:8c:
         e8:30:b3:8f:b4:9b:e8:ee:ce:72:81:10:34:a7:a7:59:13:16:
         87:4f:34:98:0e:83:4f:f3:b0:6d:98:fc:f9:7e:9a:2f:32:80:
         c5:b2:05:06:5c:0b:fe:f6

Test Root CA:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e3:65:80:c2:f7:f6:ce:de
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = AT, ST = Austria, L = Vienna, O = SignPath.io, OU = Team FS, CN = SignPath Test Root CA, emailAddress = support@signpath.io
        Validity
            Not Before: Jul 22 15:20:10 2020 GMT
            Not After : Jun 28 15:20:10 2120 GMT
        Subject: C = AT, ST = Austria, L = Vienna, O = SignPath.io, OU = Team FS, CN = SignPath Test Root CA, emailAddress = support@signpath.io
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:fb:ca:3a:9a:28:f3:d4:8d:d2:bb:35:43:1c:76:
                    73:7d:55:3f:a7:df:a7:e2:0f:32:7b:8b:dd:6f:79:
                    f6:16:8a:40:2d:70:39:57:52:e4:26:0f:a2:d8:03:
                    77:59:47:7d:1c:bb:99:0c:94:41:37:3f:83:38:c3:
                    43:c9:bc:07:bd:97:b0:a0:38:bd:87:a5:19:b7:b6:
                    fc:9d:df:5a:e3:d1:d8:6d:ce:0a:5b:7b:73:bb:22:
                    00:04:a7:dc:61:72:e9:99:33:b6:50:2f:0a:4a:5e:
                    6b:0a:8a:cb:5f:78:55:76:d4:44:d1:29:54:ed:ef:
                    c9:0a:cd:67:a9:20:ea:c3:a1:3c:62:c2:cc:d7:81:
                    6f:df:9d:65:cd:03:4b:a8:50:da:95:6d:cd:6a:10:
                    47:f6:8e:4d:db:5c:32:bb:75:94:68:58:3a:88:e5:
                    d1:f5:e2:00:2b:e6:a9:d4:ce:30:9e:12:c3:1c:3e:
                    01:87:f7:15:f1:38:cd:dc:59:c0:58:2b:6c:f9:23:
                    6b:c8:b4:1f:44:6b:4f:4a:fb:7e:30:b0:ac:da:88:
                    9c:83:7a:d1:40:c7:30:b6:da:e9:98:c9:7d:42:26:
                    53:42:a8:15:6e:7d:b0:90:15:31:48:6b:2d:b6:c4:
                    38:0c:bb:da:87:5a:ac:00:c0:57:58:0a:03:c2:fc:
                    b4:f8:59:3b:da:4e:b3:9f:e3:f4:65:14:64:69:f3:
                    63:6a:2c:79:cc:aa:7e:0d:0f:1a:fa:19:31:bc:b7:
                    26:20:70:20:dc:a6:b1:ca:3a:69:6c:cf:49:8f:f3:
                    6d:f9:90:f4:2d:12:3e:13:30:b7:b6:bb:fe:50:dd:
                    b1:e3:61:75:5e:a0:0b:4d:52:01:5e:97:17:b0:ea:
                    93:3c:43:25:c8:2b:b4:66:0b:c5:d2:b7:7c:67:ee:
                    df:28:3e:e2:dc:42:b6:81:dc:bf:05:e0:f1:77:bf:
                    08:68:95:61:8c:d6:7b:b5:a8:5e:ce:50:3c:b6:df:
                    22:73:2c:b2:3f:a2:30:64:24:ca:00:91:7d:de:3e:
                    40:8f:02:06:c8:b5:d2:cd:24:d4:bf:df:c7:6d:99:
                    a2:fd:43:21:26:0f:c6:1c:31:65:df:9a:a2:09:db:
                    5f:ed:9c:10:2e:35:2a:65:5c:76:dd:c7:8d:b9:03:
                    f7:73:1e:36:9d:ef:20:eb:42:75:42:66:f9:71:76:
                    d4:44:af:f4:5c:22:12:ba:f7:6d:c4:59:47:d4:58:
                    ec:c5:1c:4d:3f:ea:91:79:2e:17:bb:cf:45:cc:c4:
                    e6:b3:05:ff:24:83:ca:5a:ea:22:04:01:98:49:66:
                    16:5b:4d:6d:53:04:35:bb:a5:37:76:4f:30:07:5c:
                    37:ae:db
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                56:B3:4F:FF:22:A0:11:27:0E:8B:39:C7:84:14:D5:9B:83:9F:34:13
            X509v3 Authority Key Identifier:
                keyid:56:B3:4F:FF:22:A0:11:27:0E:8B:39:C7:84:14:D5:9B:83:9F:34:13

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: critical
                Code Signing
    Signature Algorithm: sha256WithRSAEncryption
         d2:1e:f9:20:b4:07:91:22:30:a9:f9:78:d7:ec:18:43:f8:f2:
         33:e5:00:be:d6:26:b6:95:5a:98:ed:75:e2:ff:75:5f:f7:b7:
         c7:95:75:19:72:ee:67:4c:ea:1c:b0:43:a6:60:c6:fc:c4:82:
         f9:38:c8:32:ed:c3:7d:0c:9f:92:7f:e6:87:b8:3f:44:f3:c4:
         51:57:24:b6:14:dc:24:75:99:2b:f3:f3:cc:d8:07:77:26:25:
         d4:7f:36:70:8f:86:97:81:82:4a:4f:89:3d:ba:a7:18:90:c7:
         8f:8c:e2:84:37:40:0b:25:50:24:18:11:fd:78:4e:09:0d:0c:
         da:f9:b7:3d:e2:74:8a:53:88:83:4e:f2:d8:fb:62:3a:cd:0a:
         a3:99:ce:0c:06:92:ae:cb:6a:50:c8:2b:5a:f6:db:12:1a:df:
         20:a5:74:69:23:df:2b:12:d8:81:b2:58:c6:b1:b4:20:09:1d:
         ad:73:82:6b:38:bd:92:ff:0e:19:07:d7:47:36:ec:3b:cf:63:
         3d:4b:fe:ce:1e:a2:a5:1c:03:37:68:64:92:74:73:a2:1f:1d:
         7d:cd:2b:43:2e:49:ce:fa:55:d4:71:50:f3:a8:50:e2:6d:9c:
         5a:c8:8e:e6:a3:22:45:2d:c2:fd:ff:3c:b4:a2:b1:a6:29:c8:
         b7:2d:66:7d:34:81:4d:06:d8:65:60:9c:62:7c:ff:0c:8d:43:
         b6:56:43:29:60:3c:f6:98:99:87:e8:94:71:be:f5:e6:fa:7e:
         39:c2:80:e4:2b:1c:6a:5a:48:bc:be:4e:35:dc:12:ed:38:73:
         78:5a:a2:49:ba:7d:fc:bc:cf:a6:bd:80:f3:9b:10:ae:0b:70:
         8f:71:4d:b9:26:83:47:27:60:e9:5e:ea:6b:7a:0a:7e:4e:b7:
         f9:50:3a:2c:74:07:c0:51:32:07:59:e1:e6:23:a4:53:64:09:
         c9:71:36:2e:8e:dc:c9:a4:9d:b6:69:24:33:fe:ec:57:2c:83:
         c8:6d:a7:80:6b:6d:29:57:e4:7d:44:40:a6:6a:7b:20:ea:bd:
         cf:7a:fa:42:66:29:5d:30:17:a2:82:8b:7a:20:9e:40:59:8d:
         d2:7d:c2:bc:c3:16:22:d9:6e:01:cc:9e:bb:d5:2d:0e:2e:12:
         e6:22:d0:0e:c7:51:85:69:1b:5e:60:ca:c4:b1:d6:7c:64:4d:
         a9:7a:e6:f0:42:9b:80:2b:34:7e:d4:21:16:cb:d7:92:6c:68:
         f7:e7:ee:1e:51:17:5e:0a:c6:4e:f0:01:8d:f2:b5:f2:20:88:
         4a:85:4e:53:ca:3b:c1:4c:6c:0d:88:ba:cc:64:05:c2:29:68:
         9a:b0:ea:16:29:e9:88:67

Demo.txt
Hello world

Signing certificate

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Test Root CA certificate

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
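The failure above can be reproduced without .NET. `openssl cms -verify` calls CMS_verify(), which validates the signer's chain with OpenSSL's "smimesign" purpose; that purpose rejects any certificate whose extendedKeyUsage is present but lacks emailProtection. The signing certificate printed above carries only Code Signing, and its root carries the same EKU, so the root would fail the identical check at depth 1 once the leaf was fixed. The script below is an added example, not code from the post or from OpenSSL's documentation: it builds a throw-away root and two signers (the names root, codesign, email, Demo.txt and ext.cnf are local to the example), signs the same "Hello world" content in attached mode, and shows the codeSigning signer being rejected, the same signature passing once the purpose check is switched off with `-purpose any`, and an emailProtection signer passing as-is. It needs only the openssl CLI (1.1.1 or later).

```shell
#!/bin/sh
# Reproduce "Verify error:unsupported certificate purpose" from `cms -verify`
# with throw-away certificates.  Everything here is constructed test material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles; section names are local to this example.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[codesign]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
[email]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,emailProtection
EOF

# Root without any EKU, so only the leaf decides the purpose outcome.
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
  -subj "/CN=Test Root CA" -days 1 -config ext.cnf -extensions v3_root 2>/dev/null
printf 'Hello world\n' > Demo.txt   # constructed content, same text as the post

for profile in codesign email; do
  openssl req -new -newkey rsa:2048 -nodes -keyout "$profile.key" -out "$profile.csr" \
    -subj "/CN=$profile signer" -config ext.cnf 2>/dev/null
  openssl x509 -req -in "$profile.csr" -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1 -extfile ext.cnf -extensions "$profile" -out "$profile.crt" 2>/dev/null
  # Attached (opaque) SignedData, the mode the post used.
  openssl cms -sign -in Demo.txt -signer "$profile.crt" -inkey "$profile.key" \
    -nodetach -outform PEM -out "Demo.$profile.sig"
done

# verify_reason <sig.pem> [extra `openssl cms` options]: prints "ok" when the
# signature and the signer chain verify, otherwise OpenSSL's verify error text.
verify_reason() {
  sig=$1; shift
  if openssl cms -verify -inform PEM -in "$sig" -CAfile root.crt -out /dev/null \
       ${1+"$@"} 2>err.txt; then
    echo ok
  else
    # 1.1.1 prints "Verify error:<reason>", 3.x "Verify error: <reason>"
    sed -n 's/.*Verify error: *\(.*\)$/\1/p' err.txt | head -n 1
  fi
}

echo "codeSigning signer:               $(verify_reason Demo.codesign.sig)"
echo "codeSigning signer, -purpose any: $(verify_reason Demo.codesign.sig -purpose any)"
echo "emailProtection signer:           $(verify_reason Demo.email.sig)"
```

`-purpose any` only disables the purpose check; the chain, validity period and the signature itself are still verified, which makes it the right knob when signing with a code-signing certificate is intentional. For verifiers that cannot be told otherwise, the signer has to be issued with emailProtection (and no CA in its chain may carry an EKU that excludes it).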

I’m trying to set up client certificate authentication using HAProxy.

With OpenSSL, I have created a certificate chain as (CA cert -> Intermediate cert -> Server cert). After signing the Intermediate with the CA key and the server cert with the Intermediate key, I concatenate them in the sequence (server-cert.pem + Intermediate-cert.pem + Root-cert.pem + Server-key.pem).

[root@ip-172-31-0-168 /]# cd /etc/ssl/CertChain
[root@ip-172-31-0-168 CertChain]# ls -la
total 52
drwxr-xr-x 2 root root  265 Jul 15 14:39 .
drwxr-xr-x 7 root root   86 Jul 15 13:29 ..
-rw-r--r-- 1 root root 2114 Jul 15 13:34 ca-cert.pem
-rw-r--r-- 1 root root   17 Jul 15 13:53 ca-cert.srl
-rw-r--r-- 1 root root 3268 Jul 15 13:34 ca-key.pem
-rw-r--r-- 1 root root 9374 Jul 15 14:39 haproxySSLFile.pem
-rw-r--r-- 1 root root 2000 Jul 15 13:53 Intermidate-cert.pem
-rw-r--r-- 1 root root   17 Jul 15 14:01 Intermidate-cert.srl
-rw-r--r-- 1 root root 3272 Jul 15 13:51 Intermidate-key.pem
-rw-r--r-- 1 root root 1781 Jul 15 13:51 Intermidate-req.pem
-rw-r--r-- 1 root root 1988 Jul 15 14:01 server-cert.pem
-rw-r--r-- 1 root root 3272 Jul 15 13:56 server-key.pem
-rw-r--r-- 1 root root 1769 Jul 15 13:56 server-req.pem

The highlighted file is the concatenated version of certificates, the location of the file I have placed within the HAProxy config file.

Once HAProxy is up and running, I download the CA-Cert.pem file from the SSL cert directory and, to test the SSL encryption, I use Postman as the client and upload that CA-Cert.pem file there.

    bind *:80
    bind *:443 ssl crt /etc/ssl/CertChain/haproxySSLFile.pem
    redirect scheme https if !{ ssl_fc }
    mode http
    default_backend apps

After Running this through postman(Client), I’m getting ( SSL Error: Unsupported certificate purpose)

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

Above is the list of certificate purposes, that is already defined. I’m not able to figure out what should be the specific purposes I need to specify as my goal is to encrypt/decrypt the incoming traffic through SSL for Haproxy.

Postman(Client) Error Summary

I’ve spent many hours attempting to figure out what the issue is, but I’m no closer.
So I would greatly appreciate any help!

I have installed a Windows 2008 R2 server with OpenVPN with the configuration attached here, and a mobile client connects to the server.

When I try to connect an InHand 3G router, I get a TLS error like the one in this post, as you can see in the attached log file.

https://forums.openvpn.net/viewtopic.php?t=18550

Tue Jan 29 14:00:43 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Tue Jan 29 14:00:43 2019 Windows version 6.1 (Windows 7) 64bit
Tue Jan 29 14:00:43 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Tue Jan 29 14:00:43 2019 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25343
Tue Jan 29 14:00:43 2019 Need hold release from management interface, waiting...
Tue Jan 29 14:00:44 2019 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25343
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'state on'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'log all on'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'echo all on'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'bytecount 5'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'hold off'
Tue Jan 29 14:00:44 2019 MANAGEMENT: CMD 'hold release'
Tue Jan 29 14:00:44 2019 Diffie-Hellman initialized with 2048 bit key
Tue Jan 29 14:00:44 2019 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 29 14:00:44 2019 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Jan 29 14:00:44 2019 interactive service msg_channel=0
Tue Jan 29 14:00:44 2019 ROUTE_GATEWAY 10.10.10.1/255.255.255.0 I=11 HWADDR=00:50:56:87:6b:0d
Tue Jan 29 14:00:44 2019 open_tun
Tue Jan 29 14:00:44 2019 TAP-WIN32 device [Connessione alla rete locale (LAN) 2] opened: \\.\Global\{515D7AF9-2A09-48D4-BC61-1553AB97135A}.tap
Tue Jan 29 14:00:44 2019 TAP-Windows Driver Version 9.21
Tue Jan 29 14:00:44 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.8.0.1/255.255.255.252 on interface {515D7AF9-2A09-48D4-BC61-1553AB97135A} [DHCP-serv: 10.8.0.2, lease-time: 31536000]
Tue Jan 29 14:00:44 2019 Sleeping for 10 seconds...
Tue Jan 29 14:00:54 2019 Successful ARP Flush on interface [13] {515D7AF9-2A09-48D4-BC61-1553AB97135A}
Tue Jan 29 14:00:54 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Jan 29 14:00:54 2019 MANAGEMENT: >STATE:1548766854,ASSIGN_IP,,10.8.0.1,,,,
Tue Jan 29 14:00:54 2019 MANAGEMENT: >STATE:1548766854,ADD_ROUTES,,,,,,
Tue Jan 29 14:00:54 2019 C:\Windows\system32\route.exe ADD 10.8.0.0 MASK 255.255.255.0 10.8.0.2
Tue Jan 29 14:00:54 2019 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Tue Jan 29 14:00:54 2019 Route addition via IPAPI succeeded [adaptive]
Tue Jan 29 14:00:54 2019 Socket Buffers: R=[8192->8192] S=[8192->8192]
Tue Jan 29 14:00:54 2019 Listening for incoming TCP connection on [AF_INET][undef]:443
Tue Jan 29 14:00:54 2019 TCPv4_SERVER link local (bound): [AF_INET][undef]:443
Tue Jan 29 14:00:54 2019 TCPv4_SERVER link remote: [AF_UNSPEC]
Tue Jan 29 14:00:54 2019 MULTI: multi_init called, r=256 v=256
Tue Jan 29 14:00:54 2019 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Tue Jan 29 14:00:54 2019 MULTI: TCP INIT maxclients=60 maxevents=64
Tue Jan 29 14:00:54 2019 Initialization Sequence Completed
Tue Jan 29 14:00:54 2019 MANAGEMENT: >STATE:1548766854,CONNECTED,SUCCESS,10.8.0.1,,,,
Tue Jan 29 14:00:57 2019 TCP connection established with [AF_INET]x.y.w.z:12482
Tue Jan 29 14:00:58 2019 x.y.w.z:12482 TLS: Initial packet from [AF_INET]x.y.w.z:12482, sid=dd09e913 aae7af21
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=IT, ST=GE, L=Genova, O=XXX, OU=changeme, CN=server, name=server, emailAddress=xxx@xxx.com
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 TLS_ERROR: BIO read tls_read_plaintext error
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 TLS Error: TLS object -> incoming plaintext read error
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 TLS Error: TLS handshake failed
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 Fatal TLS error (check_tls_errors_co), restarting
Tue Jan 29 14:01:02 2019 x.y.w.z:12482 SIGUSR1[soft,tls-error] received, client-instance restarting

The server configuration file is :

port 443
proto tcp4
dev tun
ca "C:\Program Files\OpenVPN\config\ca.crt"
cert "C:\Program Files\OpenVPN\config\server.crt"
key "C:\Program Files\OpenVPN\config\server.key"
dh "C:\Program Files\OpenVPN\config\dh2048.pem"
server 10.8.0.0 255.255.255.0
push "route 10.8.0.1 255.255.255.255"
push "route 10.8.0.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
persist-key
persist-tun
status openvpn-status.log
verb 3

With the following client configuration is working

client
dev tun
proto tcp4
remote <my.public.ip> 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
key-direction 1
verb 3
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

I tried to generate a new client key, with no success.

Thanks

StewBla

I'm getting this error, "unsupported certificate purpose", no matter what I do.

If I create a Server Certificate for a user, I see this error on the server side (/var/log/openvpn.log). If I create a User Certificate for the same user, I get this error on the client side. Both OpenVPN configs were made with the built-in wizard, which applies the firewall rules.

I have another pfSense (2.3.3-RELEASE) appliance which works perfectly with OpenVPN and was easy to set up.
I reinstalled this pfSense and compared the OpenVPN setup with the other pfSense server, but this error still comes up.

pfSense version: 2.4.3-RELEASE-p1
OpenVPN version: 2.4.4

Client Certificate config;

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 149.210.XXX.XXX 4494 udp
verify-x509-name "rbs_cert_client" name
auth-user-pass
pkcs12 rbsfw01-UDP4-4494.p12
tls-auth rbsfw01-UDP4-4494-tls.key 1

Client log;

Thu Jun 14 08:58:27 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=rbs_cert_client, OU=ICT
Thu Jun 14 08:58:27 2018 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Thu Jun 14 08:58:27 2018 TLS_ERROR: BIO read tls_read_plaintext error
Thu Jun 14 08:58:27 2018 TLS Error: TLS object -> incoming plaintext read error
Thu Jun 14 08:58:27 2018 TLS Error: TLS handshake failed

Server Certificate config;

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote 149.210.XXX.XXX 5594 udp
verify-x509-name "rbs_cert_server" name
auth-user-pass
pkcs12 rbsfw01-UDP4-5594.p12
tls-auth rbsfw01-UDP4-5594-tls.key 1
remote-cert-tls server

/var/log/openvpn.log

Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=CERT, subjectAltName=
Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS_ERROR: BIO read tls_read_plaintext error
Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS object -> incoming plaintext read error
Jun 13 21:34:39 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed
Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=NL, ST=Noord-Holland, L=Haarlem, O=RBS, emailAddress=info@test.nl, CN=RBS CERT, subjectAltName=
Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS_ERROR: BIO read tls_read_plaintext error
Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS object -> incoming plaintext read error
Jun 13 21:36:14 rbsfw01 openvpn[15613]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed
Jun 13 21:36:44 rbsfw01 openvpn[43354]: 5.132.XXX.XXX:34986 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jun 13 21:36:44 rbsfw01 openvpn[43354]: 5.132.XXX.XXX:34986 TLS Error: TLS handshake failed

Any help is appreciated.
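A way to reproduce every variant of the OpenVPN and HAProxy error on this page and read off which certificate is at fault, added here as an example rather than taken from any of the posts. OpenSSL's TLS stack verifies the peer's chain with the purpose "sslserver" on the client side and "sslclient" on the server side, independently of OpenVPN's own `remote-cert-tls` keyUsage/EKU checks, and it applies that purpose at every depth of the chain, not only to the leaf: a certificate whose extendedKeyUsage or nsCertType is present but does not include the required role fails, while a certificate with neither extension passes in either role. `openssl verify -purpose` performs the identical check, and the depth it reports is the depth= value in OpenVPN's VERIFY ERROR line. The script needs only the openssl CLI (1.1.1 or later); all names in it (ext.cnf, root, server, client, plain, ca_ocsp, ca_plain, via_ocsp, via_plain) are local to the example and unrelated to the configurations above.

```shell
#!/bin/sh
# Reproduce OpenSSL's "unsupported certificate purpose" with throw-away
# certificates and show at which depth each variant fails.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles; section names are local to this example.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca_plain]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[ca_ocsp]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
extendedKeyUsage = critical,OCSPSigning
[srv]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyAgreement
extendedKeyUsage = serverAuth
[cli]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[plain]
basicConstraints = CA:FALSE
EOF

# issue <name> <profile> <issuer>: writes <name>.key and <name>.crt
issue() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" -config ext.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile ext.cnf -extensions "$2" -out "$1.crt" 2>/dev/null
}

openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout root.key -out root.crt -subj "/CN=root" -days 1 \
  -config ext.cnf -extensions v3_root 2>/dev/null
issue server   srv      root   # EKU serverAuth: a VPN/HAProxy server certificate
issue client   cli      root   # EKU clientAuth: a VPN client certificate
issue plain    plain    root   # no EKU and no nsCertType: accepted in either role
issue ca_ocsp  ca_ocsp  root   # issuing CA whose only EKU is OCSPSigning
issue ca_plain ca_plain root   # issuing CA without an EKU extension
issue via_ocsp  srv ca_ocsp    # correct server leaf under the OCSP-only CA
issue via_plain srv ca_plain   # same leaf profile under the plain CA

# verify_out <sslserver|sslclient> <leaf.crt> [intermediate.crt]: raw
# `openssl verify` output.  The TLS stack applies the same purpose: sslserver
# when a client checks the server, sslclient when a server checks the client.
verify_out() {
  if [ -n "${3:-}" ]; then set -- -untrusted "$3" -purpose "$1" "$2"
  else set -- -purpose "$1" "$2"; fi
  openssl verify -CAfile root.crt "$@" 2>&1 || true
}
# purpose_ok: exit status 0 if the chain passes the purpose.
purpose_ok() { verify_out "$@" | grep -q ': OK$'; }
# fail_depth: "ok", or the depth of the certificate that failed the purpose
# (0 = leaf, 1 = its issuer), i.e. the depth= value in OpenVPN's VERIFY ERROR.
fail_depth() {
  d=$(verify_out "$@" |
      sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: unsupported certificate purpose.*/\1/p' |
      head -n 1)
  if [ -n "$d" ]; then echo "$d"; else echo ok; fi
}

echo "server.crt as server:           $(fail_depth sslserver server.crt)"
echo "client.crt as server:           $(fail_depth sslserver client.crt)"
echo "server.crt as client:           $(fail_depth sslclient server.crt)"
echo "plain.crt  as server/client:    $(fail_depth sslserver plain.crt)/$(fail_depth sslclient plain.crt)"
echo "via_ocsp.crt (OCSP-only issuer): $(fail_depth sslserver via_ocsp.crt ca_ocsp.crt)"
echo "via_plain.crt (plain issuer):    $(fail_depth sslserver via_plain.crt ca_plain.crt)"
# The per-certificate purpose table OpenSSL consults (the one pasted in the HAProxy post):
openssl x509 -noout -purpose -in client.crt | grep -E '^SSL (client|server) :'
```

The "client.crt as server" and "server.crt as client" rows are the two depth=0 cases in the OpenVPN logs above: a client verifying a certificate that lacks the server role, and a server being presented with a server-role certificate by its peer. The via_ocsp row is the depth=1 case, where the leaf is fine and the issuing CA's own EKU is what fails the purpose. `openssl x509 -noout -purpose` prints the table pasted in the HAProxy post; a leaf that shows Yes for both SSL client and SSL server passes this check on its own, so for such a certificate the error has to come from another certificate in the chain or from the peer's verification policy rather than from the leaf's extensions.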
