Openssl error c5065064 microsoft cryptoapi certfindcertificateinstore

I have an OpenVPN server, from which I have issued certificates (.crt/.key) for use on several remote clients. I am getting the following error in the connection's log file:

OpenSSL: error:C5065064:microsoft cryptoapi:CertFindCertificateInStore:Cannot find the certificate and private key for decryption.
Cannot load certificate "THUMB: <thumbprint>" from Microsoft Certificate Store
Exiting due to fatal error

Here is the relevant portion of my config file:

Server Config

ca "C:\Program Files\OpenVPNconfig<name>.ca.crt"
cryptoapicert "THUMB: <thumbprint>"

Here are the steps I have taken:

  • Imported the .crt file into the Local Computer cert store (Personal)
  • Started OpenVPNService as the Local System account
  • Verified that I manually typed (and typed correctly) the thumbprint, instead of copy/paste from the MMC
  • Changed property from "THUMB…" to "SUBJ:<country> <state> <location> <ou> <cn> <email>" (the OU has a space which I did not enclose in quotes). There will be only one OpenVPN cert per device so maybe I should use "SUBJ:<email>"?

When I change the config file to the following, the connection is successful:

Server Config

ca "C:\Program Files\OpenVPNconfig<name>.ca.crt"
cert "C:\Program Files\OpenVPNconfig<name>.crt"
key "C:\Program Files\OpenVPNconfig<name>.key"

I had originally imported just the .crt file (no private key) into the cert store, but the object could not be found (per the log file), so I copied the public and private keys into a .pem file and imported that into the cert store.

Not sure where to go from here. Thoughts? Thanks.

UPDATE: I figured out that if I use openssl.exe, that I can create a .pfx file. Then I used the "start <certname>.pfx" command to start the GUI import to the cert store. After selecting the Local Machine store (and Personal), I restarted the service and got connected. Yay.

So to automate this config, I deleted the imported cert and ran the command:

Import-PfxCertificate -Password $password -CertStoreLocation Cert:\LocalMachine\My -FilePath <path to .pfx>

The import worked and I could see the cert in the MMC, but now OpenVPN will not connect. Thoughts?

OpenVPN Support Forum

Community Support Forum

Cannot load certificate THUMB from Microsoft Certificate Store

Post by tripline » Fri Dec 29, 2017 4:51 pm

I could use some assistance. I am setting up a Synology NAS as the VPN server.
I stored the cert with the thumbprint under Computer Account > Personal > Certificates
I am following the user pwatk directions for the setup https://forum.synology.com/enu/viewtopic.php?t=100066

The server log says
Fri Dec 29 10:40:45 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Fri Dec 29 10:40:45 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Dec 29 10:40:45 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Dec 29 10:40:45 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Fri Dec 29 10:40:50 2017 OpenSSL: error:C5065064:microsoft cryptoapi:CertFindCertificateInStore:Cannot find object or property.
Fri Dec 29 10:40:50 2017 Cannot load certificate «THUMB:‎MY THUMB PRINT» from Microsoft Certificate Store
Fri Dec 29 10:40:50 2017 Exiting due to fatal error

client
dev tun
proto udp
remote $MyPublicIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun

#ns-cert-type is DEPRECATED
#ns-cert-type server
remote-cert-tls server

cipher AES-128-CBC
auth SHA256
auth-user-pass
key-direction 1

cryptoapicert «THUMB:‎MY THUMB»

-----BEGIN CERTIFICATE-----
$LONG CERT
-----END CERTIFICATE-----

#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
$LONG KEY
-----END OpenVPN Static key V1-----

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by TinCanTech » Fri Dec 29, 2017 5:10 pm

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by tripline » Fri Dec 29, 2017 6:58 pm

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by jasong » Thu Jan 04, 2018 4:24 pm

I’ve had this problem when trying to copy thumbprint information to configure SSL on SQL clusters. It turns out that if you use the mmc snapin to obtain the thumbprint it inserts a hidden character.

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by TinCanTech » Thu Jan 04, 2018 4:57 pm

@jasong .. Good find !

And just because I don’t like Microsoft here it is in full:

Microsoft wrote: Certificate thumbprint displayed in MMC certificate snap-in has extra invisible unicode character

If you try and copy and paste thumbprint from this snap-in, an extra (invisible) unicode character is being copied also. This can lead to problems that are non-obvious. For example, copy and paste thumbprint into notepad. It appears that thumbprint is copied correctly, but if you try to save document, it reports that the document contains unicode characters.

If you try to copy paste this thumbprint into an application that asks for a certificate thumbprint, this can lead to errors where the invisible unicode character is unknowingly included. For example, there is a scenario in virtual machine manager that asks for a certificate thumbprint. Copy/pasting from this snap-in will lead to a non-obvious failure due to included unicode character.

One of the applications affected with this case is SQL Server when the certificate is needed for SSL Encryption of SSL connections. If simply copying the thumbprint from the certificate GUI and pasting it in with the invisible character, SQL Server fails to start.

This is caused by an issue in Richedit control which is used for the Certificate UI.

The following workarounds can be used:

1. Instead of using certificates snap-in and certificate GUI, use certutil command line tool:
- "certutil -store -user my" for the user certificates or,
- "certutil -store my" for the machine certificates.

The thumbprint can be located in the line that starts with "Cert Hash(sha1)"

Cert Hash(sha1): e8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55

2. When using certificates snap-in and certificate GUI, do NOT copy "extra space" that appears before the certificate thumbprint from the Richedit control.
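
The two checks these threads arrive at (no stray characters in the THUMB: selector, and a certificate in the Personal store that actually has its private key), as an added PowerShell example that is not code from any of the posters. The function names are hypothetical and the sample config lines are constructed, with a U+200E mark inserted to stand in for the invisible character.

```powershell
# Added example: audit the "cryptoapicert THUMB:" selector of an OpenVPN config.
# Function names are hypothetical; the config lines at the bottom are constructed.

function Get-ThumbSelector {
    param([string[]] $ConfigLines)
    foreach ($line in $ConfigLines) {
        if ($line -match '^\s*[#;]') { continue }   # skip commented-out lines
        if ($line -match '^\s*cryptoapicert\s+"?THUMB:(?<thumb>[^"]*)') {
            return $Matches['thumb']
        }
    }
}

function Test-ThumbSelector {
    param([string] $Raw)
    # Assumption of this check: a thumbprint holds only hex digits and spaces.
    # Anything else is reported by code point so invisible characters show up.
    $unexpected = @(
        foreach ($ch in $Raw.ToCharArray()) {
            if ([string]$ch -notmatch '^[0-9A-Fa-f ]$') { 'U+{0:X4}' -f [int]$ch }
        }
    )
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        Clean           = $clean
        UnexpectedChars = $unexpected
        IsSha1Length    = ($clean.Length -eq 40)   # SHA-1: 20 bytes, 40 hex digits
    }
}

function Find-StoreCertificate {
    param([string] $Thumbprint)
    # Look in both Personal stores and report whether a private key is attached.
    foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Constructed sample input. For a real file use:
#   $lines = Get-Content -LiteralPath <path to .ovpn>
$sampleConfig = @(
    'client'
    'dev tun'
    # [char]0x200E is an invisible left-to-right mark, placed here on purpose
    'cryptoapicert "THUMB:' + [char]0x200E + 'e8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55"'
)

$check = Test-ThumbSelector -Raw (Get-ThumbSelector -ConfigLines $sampleConfig)
$check | Format-List

if ($check.UnexpectedChars.Count -gt 0) {
    Write-Warning ('Selector contains non-hex characters: ' + ($check.UnexpectedChars -join ', '))
}
if (-not $check.IsSha1Length) {
    Write-Warning 'Selector does not contain exactly 40 hex digits'
}

$hits = @(Find-StoreCertificate -Thumbprint $check.Clean)
if ($hits.Count -eq 0) {
    Write-Warning "No certificate with thumbprint $($check.Clean) in the Personal stores"
}
foreach ($hit in $hits) {
    if (-not $hit.HasPrivateKey) {
        # Matches the case above where only the .crt was imported
        Write-Warning "$($hit.Store): certificate found but no private key is attached"
    }
}
$hits | Format-Table -AutoSize
```

`Cert:\CurrentUser\My` is the store of the account running the script, so run it under the same account as OpenVPN when the certificate lives in a user store.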

Cryptoapi error C5065064

Post by wetlingsyn » Thu Apr 26, 2018 9:33 pm

OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:This smart card does not support the requested feature.

Post by andres.moya » Tue Mar 02, 2021 9:40 pm

I am trying to fix my TPM setup that stopped working recently. It was due to an update of either pfSense (and the underlying OpenSSL) or my Windows 10.

I followed a few manuals 2 years ago on how to set it up. No, the certs didn’t expire. And it was working till last weekend.

I’ve tried to recreate the TPM virtual card and regenerated the certs. Same result.

I will appreciate it if anyone can give a hint about which direction to start in.

Re: OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:This smart card does not support the requested feature.

Post by TinCanTech » Tue Mar 02, 2021 10:35 pm

It is possible that the requested feature is something that your card does support but is being called incorrectly.
It is also possible that your card is too old to support the requested feature .. check Windows 10 support for your card.

Update Windows and OpenVPN and any drivers required for your smart card.

Hope and pray .. recite what-ever incantation works for you ..

Re: OpenSSL: error:C506D064:microsoft cryptoapi:NCryptSignHash:This smart card does not support the requested feature.

Post by becm » Wed Mar 10, 2021 11:31 pm

Very much sounds like Issue 1296.
This would indeed imply the hardware or driver is too old to support PSS padding (which is used according to logs here).

As mentioned in the above ticket, there is currently no option to inhibit PSS padding with TLS 1.2 and OpenSSL 1.1.1.

You could try to (temporarily) enforce TLS 1.1 to verify this is indeed the (only) issue.
Only long term solution (also in wake of TLS 1.3) will be to use more up to date hardware (unless a driver update is sufficient/available).

SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Thu Dec 01, 2011 4:36 pm

I have worked with openvpn before and it always worked fine! Now I’m at a new location and proxy seems to be the issue.
I found this thread: http://forums.openvpn.net/topic7945-15.html and replaced the http://www.morzello.com/repository/netw . ntlmv2.zip openvpn.exe in my portable app (was 1.6.6).

However: still the same issue.
Note: I can’t install the openvpn so I need the portable version.

Please advise how to proceed troubleshooting.

Thu Dec 01 17:27:34 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on May 13 2011
Thu Dec 01 17:27:45 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Dec 01 17:27:45 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Dec 01 17:27:46 2011 LZO compression initialized
Thu Dec 01 17:27:46 2011 Attempting to establish TCP connection with 10.x.x.x:80
Thu Dec 01 17:27:46 2011 TCP connection established with 10.x.x.x:80
Thu Dec 01 17:27:46 2011 SIGTERM[soft,init_instance] received, process exiting

=> 10.x.x.x is the proxy, it even doesn’t go to the point of contacting my openvpn-server .

Re: SIGTERM[soft,init_instance] received, process exiting

Post by maikcat » Fri Dec 02, 2011 9:06 am

can you post your client config?

Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

«objects in mirror are losing»

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 9:06 am

I guess I need a certificate to connect to Internet. A different certificate than the one I use to connect to my OpenVPN-server.

I see a certificate is installed on my local machine, how can I use it within OpenVPN?

Note: 10.x.x.x = proxy, it’s certainly proxy-issue but don’t know how to troubleshoot.

Fri Dec 02 09:29:56 2011 Attempting to establish TCP connection with 10.x.x.x:80
Fri Dec 02 09:29:56 2011 TCP connection established with 10.x.x.x:80
Fri Dec 02 09:29:58 2011 TCPv4_CLIENT link local: [undef]
Fri Dec 02 09:29:58 2011 TCPv4_CLIENT link remote: 10.x.x.x:80
Fri Dec 02 09:30:58 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 02 09:30:58 2011 TLS Error: TLS handshake failed
Fri Dec 02 09:30:58 2011 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 02 09:30:58 2011 SIGUSR1[soft,tls-error] received, process restarting

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janjust » Fri Dec 02, 2011 9:13 am

added and post the client connection log.

If the client receives SIGTERM , as in your original posting, then there’s something *seriously* wrong: the openvpn process was sent a TERMINATE signal (which the proxy will not do)

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 9:24 am

Fri Dec 02 09:27:37 2011 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on May 13 2011
Fri Dec 02 09:27:41 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 02 09:27:41 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 02 09:27:41 2011 LZO compression initialized
Fri Dec 02 09:27:41 2011 Attempting to establish TCP connection with 10.x.x.x:80
Fri Dec 02 09:27:41 2011 TCP connection established with 10.x.x.x:80
Fri Dec 02 09:27:43 2011 TCPv4_CLIENT link local: [undef]
Fri Dec 02 09:27:43 2011 TCPv4_CLIENT link remote: 10.x.x.x:80
Fri Dec 02 09:28:43 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 02 09:28:43 2011 TLS Error: TLS handshake failed
Fri Dec 02 09:28:43 2011 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 02 09:28:43 2011 SIGUSR1[soft,tls-error] received, process restarting
Hi,

I’ve been troubleshooting this all day long and tried different things (as replacing the openvpn.exe in my portable version). Note: I really cannot use the installable version since I work on different computers.
I’m pretty sure it’s the certificate to connect to Internet I have to use (TLS negotiation failed).
I’m not sure what I have to use as proxy: «use config-file, use manually . » but I certainly have to define the certificate in the config of my machine (Windows XP, no firewall). I exported it (.cert-file). I also need tcp (since there is a proxy) but what to define in config: http-proxy, auto-proxy .

Config of client:
——————
dev tun
tls-client

remote myopenvpn 443

# If redirect-gateway is enabled, the client will redirect it’s
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#auto-proxy
#http-proxy 10.x.x.x 80

Fri Dec 02 09:28:48 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 02 09:28:48 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 02 09:28:48 2011 LZO compression initialized
Fri Dec 02 09:28:48 2011 Attempting to establish TCP connection with 10.x.x.x:80
Fri Dec 02 09:28:48 2011 TCP connection established with 10.x.x.x:80
Fri Dec 02 09:28:51 2011 TCPv4_CLIENT link local: [undef]
Fri Dec 02 09:28:51 2011 TCPv4_CLIENT link remote: 10.x.x.x:80
Fri Dec 02 09:29:51 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 02 09:29:51 2011 TLS Error: TLS handshake failed
Fri Dec 02 09:29:51 2011 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 02 09:29:51 2011 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 02 09:29:56 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 02 09:29:56 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 02 09:29:56 2011 LZO compression initialized
Fri Dec 02 09:29:56 2011 Attempting to establish TCP connection with 10.x.x.x:80
Fri Dec 02 09:29:56 2011 TCP connection established with 10.x.x.x:80
Fri Dec 02 09:29:58 2011 TCPv4_CLIENT link local: [undef]
Fri Dec 02 09:29:58 2011 TCPv4_CLIENT link remote: 10.x.x.x:80
Fri Dec 02 09:30:58 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 02 09:30:58 2011 TLS Error: TLS handshake failed
Fri Dec 02 09:30:58 2011 Fatal TLS error (check_tls_errors_co), restarting
Fri Dec 02 09:30:58 2011 SIGUSR1[soft,tls-error] received, process restarting
Fri Dec 02 09:31:03 2011 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 02 09:31:03 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 02 09:31:03 2011 LZO compression initialized
Fri Dec 02 09:31:03 2011 Attempting to establish TCP connection with 10.x.x.x:80
Fri Dec 02 09:31:03 2011 TCP connection established with 10.x.x.x:80
Fri Dec 02 09:31:05 2011 TCPv4_CLIENT link local: [undef]
Fri Dec 02 09:31:05 2011 TCPv4_CLIENT link remote: 10.x.x.x:80
Fri Dec 02 09:31:08 2011 SIGTERM[hard,] received, process exiting

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 9:28 am

Ok, verb 7 now (note: my openvpn listens at 443, 8080 and 80 for troubleshooting issues).
Locally (on a pc which is in the LAN of openvpn-server) I can connect to all those ports on local ip of openvpn as well as external one (so config is ok).

Fri Dec 02 10:25:02 2011 us=546000 Current Parameter Settings:
Fri Dec 02 10:25:02 2011 us=546000 config = ‘openvpn.ovpn’
Fri Dec 02 10:25:02 2011 us=546000 mode = 0
Fri Dec 02 10:25:02 2011 us=546000 show_ciphers = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 show_digests = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 show_engines = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 genkey = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 key_pass_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 show_tls_ciphers = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 Connection profiles [default]:
Fri Dec 02 10:25:02 2011 us=546000 proto = udp
Fri Dec 02 10:25:02 2011 us=546000 local = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 local_port = 1194
Fri Dec 02 10:25:02 2011 us=546000 remote = ‘myopenvpn’
Fri Dec 02 10:25:02 2011 us=546000 remote_port = 443
Fri Dec 02 10:25:02 2011 us=546000 remote_float = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 bind_defined = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 bind_local = ENABLED
Fri Dec 02 10:25:02 2011 us=546000 connect_retry_seconds = 5
Fri Dec 02 10:25:02 2011 us=546000 connect_timeout = 10
Fri Dec 02 10:25:02 2011 us=546000 connect_retry_max = 0
Fri Dec 02 10:25:02 2011 us=546000 socks_proxy_server = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 socks_proxy_port = 0
Fri Dec 02 10:25:02 2011 us=546000 socks_proxy_retry = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 Connection profiles END
Fri Dec 02 10:25:02 2011 us=546000 remote_random = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 ipchange = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 dev = ‘tun’
Fri Dec 02 10:25:02 2011 us=546000 dev_type = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 dev_node = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 lladdr = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 topology = 1
Fri Dec 02 10:25:02 2011 us=546000 tun_ipv6 = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 ifconfig_local = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 ifconfig_remote_netmask = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 ifconfig_noexec = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 ifconfig_nowarn = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 shaper = 0
Fri Dec 02 10:25:02 2011 us=546000 tun_mtu = 1500
Fri Dec 02 10:25:02 2011 us=546000 tun_mtu_defined = ENABLED
Fri Dec 02 10:25:02 2011 us=546000 link_mtu = 1500
Fri Dec 02 10:25:02 2011 us=546000 link_mtu_defined = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 tun_mtu_extra = 0
Fri Dec 02 10:25:02 2011 us=546000 tun_mtu_extra_defined = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 fragment = 0
Fri Dec 02 10:25:02 2011 us=546000 mtu_discover_type = -1
Fri Dec 02 10:25:02 2011 us=546000 mtu_test = 0
Fri Dec 02 10:25:02 2011 us=546000 mlock = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 keepalive_ping = 0
Fri Dec 02 10:25:02 2011 us=546000 keepalive_timeout = 0
Fri Dec 02 10:25:02 2011 us=546000 inactivity_timeout = 0
Fri Dec 02 10:25:02 2011 us=546000 ping_send_timeout = 0
Fri Dec 02 10:25:02 2011 us=546000 ping_rec_timeout = 0
Fri Dec 02 10:25:02 2011 us=546000 ping_rec_timeout_action = 0
Fri Dec 02 10:25:02 2011 us=546000 ping_timer_remote = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 remap_sigusr1 = 0
Fri Dec 02 10:25:02 2011 us=546000 explicit_exit_notification = 0
Fri Dec 02 10:25:02 2011 us=546000 persist_tun = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 persist_local_ip = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 persist_remote_ip = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 persist_key = DISABLED
Fri Dec 02 10:25:02 2011 us=546000 mssfix = 1450
Fri Dec 02 10:25:02 2011 us=546000 resolve_retry_seconds = 1000000000
Fri Dec 02 10:25:02 2011 us=546000 username = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 groupname = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 chroot_dir = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 cd_dir = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=546000 writepid = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=593000 up_script = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=593000 down_script = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=593000 down_pre = DISABLED
Fri Dec 02 10:25:02 2011 us=593000 up_restart = DISABLED
Fri Dec 02 10:25:02 2011 us=593000 up_delay = DISABLED
Fri Dec 02 10:25:02 2011 us=593000 daemon = DISABLED
Fri Dec 02 10:25:02 2011 us=593000 inetd = 0
Fri Dec 02 10:25:02 2011 us=593000 log = DISABLED
Fri Dec 02 10:25:02 2011 us=593000 suppress_timestamps = DISABLED
Fri Dec 02 10:25:02 2011 us=593000 nice = 0
Fri Dec 02 10:25:02 2011 us=593000 verbosity = 7
Fri Dec 02 10:25:02 2011 us=593000 mute = 0
Fri Dec 02 10:25:02 2011 us=593000 gremlin = 0
Fri Dec 02 10:25:02 2011 us=593000 status_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=593000 status_file_version = 1
Fri Dec 02 10:25:02 2011 us=593000 status_file_update_freq = 60
Fri Dec 02 10:25:02 2011 us=593000 occ = ENABLED
Fri Dec 02 10:25:02 2011 us=593000 rcvbuf = 0
Fri Dec 02 10:25:02 2011 us=593000 sndbuf = 0
Fri Dec 02 10:25:02 2011 us=609000 sockflags = 0
Fri Dec 02 10:25:02 2011 us=609000 fast_io = DISABLED
Fri Dec 02 10:25:02 2011 us=609000 lzo = 7
Fri Dec 02 10:25:02 2011 us=609000 route_script = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=609000 route_default_gateway = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=609000 route_default_metric = 0
Fri Dec 02 10:25:02 2011 us=609000 route_noexec = DISABLED
Fri Dec 02 10:25:02 2011 us=609000 route_delay = 5
Fri Dec 02 10:25:02 2011 us=609000 route_delay_window = 30
Fri Dec 02 10:25:02 2011 us=609000 route_delay_defined = ENABLED
Fri Dec 02 10:25:02 2011 us=609000 route_nopull = DISABLED
Fri Dec 02 10:25:02 2011 us=609000 route_gateway_via_dhcp = DISABLED
Fri Dec 02 10:25:02 2011 us=609000 max_routes = 100
Fri Dec 02 10:25:02 2011 us=609000 allow_pull_fqdn = DISABLED
Fri Dec 02 10:25:02 2011 us=609000 management_addr = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=609000 management_port = 0
Fri Dec 02 10:25:02 2011 us=625000 management_user_pass = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=625000 management_log_history_cache = 250
Fri Dec 02 10:25:02 2011 us=625000 management_echo_buffer_size = 100
Fri Dec 02 10:25:02 2011 us=625000 management_write_peer_info_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=625000 management_client_user = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=625000 management_client_group = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=625000 management_flags = 0
Fri Dec 02 10:25:02 2011 us=625000 shared_secret_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=625000 key_direction = 0
Fri Dec 02 10:25:02 2011 us=625000 ciphername_defined = ENABLED
Fri Dec 02 10:25:02 2011 us=625000 ciphername = ‘BF-CBC’
Fri Dec 02 10:25:02 2011 us=625000 authname_defined = ENABLED
Fri Dec 02 10:25:02 2011 us=625000 authname = ‘SHA1’
Fri Dec 02 10:25:02 2011 us=625000 prng_hash = ‘SHA1’
Fri Dec 02 10:25:02 2011 us=625000 prng_nonce_secret_len = 16
Fri Dec 02 10:25:02 2011 us=625000 keysize = 0
Fri Dec 02 10:25:02 2011 us=656000 engine = DISABLED
Fri Dec 02 10:25:02 2011 us=656000 replay = ENABLED
Fri Dec 02 10:25:02 2011 us=656000 mute_replay_warnings = DISABLED
Fri Dec 02 10:25:02 2011 us=656000 replay_window = 64
Fri Dec 02 10:25:02 2011 us=656000 replay_time = 15
Fri Dec 02 10:25:02 2011 us=656000 packet_id_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=656000 use_iv = ENABLED
Fri Dec 02 10:25:02 2011 us=656000 test_crypto = DISABLED
Fri Dec 02 10:25:02 2011 us=656000 tls_server = DISABLED
Fri Dec 02 10:25:02 2011 us=656000 tls_client = ENABLED
Fri Dec 02 10:25:02 2011 us=656000 key_method = 2
Fri Dec 02 10:25:02 2011 us=656000 ca_file = ‘ca.crt’
Fri Dec 02 10:25:02 2011 us=656000 ca_path = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=656000 dh_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=656000 cert_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=656000 priv_key_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=656000 pkcs12_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=671000 cryptoapi_cert = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=671000 cipher_list = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=671000 tls_verify = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=671000 tls_remote = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=671000 crl_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=671000 ns_cert_type = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku = 0
Fri Dec 02 10:25:02 2011 us=671000 remote_cert_ku[i] = 0
Fri Dec 02 10:25:02 2011 us=687000 remote_cert_ku[i] = 0
Fri Dec 02 10:25:02 2011 us=687000 remote_cert_ku[i] = 0
Fri Dec 02 10:25:02 2011 us=687000 remote_cert_ku[i] = 0
Fri Dec 02 10:25:02 2011 us=687000 remote_cert_ku[i] = 0
Fri Dec 02 10:25:02 2011 us=687000 remote_cert_ku[i] = 0
Fri Dec 02 10:25:02 2011 us=687000 remote_cert_eku = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=687000 tls_timeout = 2
Fri Dec 02 10:25:02 2011 us=687000 renegotiate_bytes = 0
Fri Dec 02 10:25:02 2011 us=687000 renegotiate_packets = 0
Fri Dec 02 10:25:02 2011 us=687000 renegotiate_seconds = 0
Fri Dec 02 10:25:02 2011 us=687000 handshake_window = 60
Fri Dec 02 10:25:02 2011 us=687000 transition_window = 3600
Fri Dec 02 10:25:02 2011 us=687000 single_session = DISABLED
Fri Dec 02 10:25:02 2011 us=687000 push_peer_info = DISABLED
Fri Dec 02 10:25:02 2011 us=687000 tls_exit = DISABLED
Fri Dec 02 10:25:02 2011 us=703000 tls_auth_file = ‘[UNDEF]’
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=718000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_protected_authentication = DISABLED
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=734000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_private_mode = 00000000
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=750000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_cert_private = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_pin_cache_period = -1
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_id = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=781000 pkcs11_id_management = DISABLED
Fri Dec 02 10:25:02 2011 us=781000 server_network = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=781000 server_netmask = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=781000 server_bridge_ip = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=781000 server_bridge_netmask = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=781000 server_bridge_pool_start = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=796000 server_bridge_pool_end = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=796000 ifconfig_pool_defined = DISABLED
Fri Dec 02 10:25:02 2011 us=796000 ifconfig_pool_start = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=796000 ifconfig_pool_end = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=796000 ifconfig_pool_netmask = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=796000 ifconfig_pool_persist_filename = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=796000 ifconfig_pool_persist_refresh_freq = 600
Fri Dec 02 10:25:02 2011 us=796000 n_bcast_buf = 256
Fri Dec 02 10:25:02 2011 us=796000 tcp_queue_limit = 64
Fri Dec 02 10:25:02 2011 us=796000 real_hash_size = 256
Fri Dec 02 10:25:02 2011 us=796000 virtual_hash_size = 256
Fri Dec 02 10:25:02 2011 us=796000 client_connect_script = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=796000 learn_address_script = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=796000 client_disconnect_script = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=812000 client_config_dir = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=812000 ccd_exclusive = DISABLED
Fri Dec 02 10:25:02 2011 us=812000 tmp_dir = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=812000 push_ifconfig_defined = DISABLED
Fri Dec 02 10:25:02 2011 us=812000 push_ifconfig_local = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=812000 push_ifconfig_remote_netmask = 0.0.0.0
Fri Dec 02 10:25:02 2011 us=812000 enable_c2c = DISABLED
Fri Dec 02 10:25:02 2011 us=812000 duplicate_cn = DISABLED
Fri Dec 02 10:25:02 2011 us=812000 cf_max = 0
Fri Dec 02 10:25:02 2011 us=812000 cf_per = 0
Fri Dec 02 10:25:02 2011 us=812000 max_clients = 1024
Fri Dec 02 10:25:02 2011 us=812000 max_routes_per_client = 256
Fri Dec 02 10:25:02 2011 us=812000 auth_user_pass_verify_script = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=812000 auth_user_pass_verify_script_via_file = DISABLED
Fri Dec 02 10:25:02 2011 us=812000 ssl_flags = 0
Fri Dec 02 10:25:02 2011 us=843000 client = DISABLED
Fri Dec 02 10:25:02 2011 us=843000 pull = ENABLED
Fri Dec 02 10:25:02 2011 us=843000 auth_user_pass_file = 'stdin'
Fri Dec 02 10:25:02 2011 us=843000 show_net_up = DISABLED
Fri Dec 02 10:25:02 2011 us=843000 route_method = 0
Fri Dec 02 10:25:02 2011 us=843000 ip_win32_defined = DISABLED
Fri Dec 02 10:25:02 2011 us=843000 ip_win32_type = 3
Fri Dec 02 10:25:02 2011 us=843000 dhcp_masq_offset = 0
Fri Dec 02 10:25:02 2011 us=843000 dhcp_lease_time = 31536000
Fri Dec 02 10:25:02 2011 us=843000 tap_sleep = 0
Fri Dec 02 10:25:02 2011 us=843000 dhcp_options = DISABLED
Fri Dec 02 10:25:02 2011 us=843000 dhcp_renew = DISABLED
Fri Dec 02 10:25:02 2011 us=843000 dhcp_pre_release = DISABLED
Fri Dec 02 10:25:02 2011 us=843000 dhcp_release = DISABLED
Fri Dec 02 10:25:02 2011 us=843000 domain = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=843000 netbios_scope = '[UNDEF]'
Fri Dec 02 10:25:02 2011 us=859000 netbios_node_type = 0
Fri Dec 02 10:25:02 2011 us=859000 disable_nbt = DISABLED
Fri Dec 02 10:25:02 2011 us=859000 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on May 13 2011
Fri Dec 02 10:25:13 2011 us=62000 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 02 10:25:13 2011 us=62000 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 02 10:25:13 2011 us=328000 PRNG init md=SHA1 size=36
Fri Dec 02 10:25:13 2011 us=328000 LZO compression initialized
Fri Dec 02 10:25:13 2011 us=328000 MTU DYNAMIC mtu=0, flags=1, 0 -> 138
Fri Dec 02 10:25:13 2011 us=328000 PID packet_id_init seq_backtrack=64 time_backtrack=15
Fri Dec 02 10:25:13 2011 us=328000 PID packet_id_init seq_backtrack=64 time_backtrack=15
Fri Dec 02 10:25:13 2011 us=328000 PID packet_id_init seq_backtrack=64 time_backtrack=15
Fri Dec 02 10:25:13 2011 us=328000 PID packet_id_init seq_backtrack=64 time_backtrack=15
Fri Dec 02 10:25:13 2011 us=328000 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Dec 02 10:25:13 2011 us=328000 MTU DYNAMIC mtu=1450, flags=2, 1542 -> 1450
Fri Dec 02 10:25:13 2011 us=328000 Socket Buffers: R=[8192->8192] S=[64512->64512]
Fri Dec 02 10:25:13 2011 us=328000 RESOLVE_REMOTE flags=0x0101 phase=1 rrs=0 sig=-1 status=1
Fri Dec 02 10:25:13 2011 us=328000 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Dec 02 10:25:13 2011 us=328000 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Fri Dec 02 10:25:13 2011 us=328000 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Fri Dec 02 10:25:13 2011 us=328000 Local Options hash (VER=V4): '41690919'
Fri Dec 02 10:25:13 2011 us=328000 Expected Remote Options hash (VER=V4): '530fdded'
Fri Dec 02 10:25:13 2011 us=328000 UDPv4 link local (bound): [undef]:1194
Fri Dec 02 10:25:13 2011 us=328000 UDPv4 link remote: myopenvpn:443
Fri Dec 02 10:25:13 2011 us=328000 UDPv4 WRITE [14] to myopenvpn:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Dec 02 10:25:15 2011 us=421000 UDPv4 WRITE [14] to myopenvpn:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Dec 02 10:25:19 2011 us=609000 UDPv4 WRITE [14] to myopenvpn:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Dec 02 10:25:27 2011 us=312000 UDPv4 WRITE [14] to myopenvpn:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Fri Dec 02 10:25:44 2011 us=140000 UDPv4 WRITE [14] to myopenvpn:443: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janjust » Fri Dec 02, 2011 12:47 pm

and it is rejected by the server — check the server logs.

What happens with the TCP port 80 connection ?

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 12:53 pm

That you can see in my previous post: SSL rejected.
That’s why I mention it has to be the certificate.
It’s a reverse proxy I guess.

Fri Dec 02 09:29:56 2011 TCP connection established with 10.x.x.x:80
Fri Dec 02 09:29:58 2011 TCPv4_CLIENT link local: [undef]
Fri Dec 02 09:29:58 2011 TCPv4_CLIENT link remote: 10.x.x.x:80
Fri Dec 02 09:30:58 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Fri Dec 02 09:30:58 2011 TLS Error: TLS handshake failed

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janjust » Fri Dec 02, 2011 1:01 pm

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 1:04 pm

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janjust » Fri Dec 02, 2011 1:21 pm

I’m not sure I fully understand: how does Internet Explorer use it? What kind of proxy is it? Is this certificate the same certificate as the one needed to connect to the VPN server? How would a proxy work over a UDP connection?

Either export the certificate from the MS Certstore or use

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 1:28 pm

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 1:35 pm

If I add the certificate, I get the message (I also copied the cert to where the certificate for my openvpn-server is):

Fri Dec 02 14:33:59 2011 us=343000 Cannot load certificate "SUBJ: " from Microsoft Certificate Store: error:C5065064:microsoft cryptoapi:CertFindCertificateInStore:Cannot find object or property.
Fri Dec 02 14:33:59 2011 us=343000 Exiting

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janjust » Fri Dec 02, 2011 1:36 pm

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 1:39 pm

Sorry, I changed the config file so much that the original here is not correct.
This one is the one I’m using now:

dev tun
tls-client

#remote openvpn 80
remote myopenvpn 8080

# If redirect-gateway is enabled, the client will redirect it’s
# default network gateway through the VPN.
# It means the VPN connection will firstly connect to the VPN Server
# and then to the internet.
# (Please refer to the manual of OpenVPN for more information.)

#auto-proxy
http-proxy 10.x.x.x 80

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 1:41 pm

It cannot load the certificate for the proxy:

Fri Dec 02 14:39:47 2011 us=406000 OpenVPN 2.1.4 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on May 13 2011
Fri Dec 02 14:39:56 2011 us=78000 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 02 14:39:56 2011 us=78000 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Fri Dec 02 14:39:56 2011 us=265000 Cannot load certificate "SUBJ: " from Microsoft Certificate Store: error:C5065064:microsoft cryptoapi:CertFindCertificateInStore:Cannot find object or property.
Fri Dec 02 14:39:56 2011 us=265000 Exiting
Fri Dec 02 14:39:56 2011 us=265000 Closing Win32 semaphore 'openvpn_netcmd'

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janjust » Fri Dec 02, 2011 1:47 pm

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 1:57 pm

I added with/without brackets, with/without SUBJ, no changes.
However, I have a user and a computer certstore, I guess I need to use the computer one?

Fri Dec 02 14:53:05 2011 us=765000 Cannot load certificate "HOEDT JAN" from Microsoft Certificate Store (OpenSSL)

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janjust » Fri Dec 02, 2011 2:12 pm

If openvpn is running as a service it uses the computer store; if openvpn is running as a "regular" process then it uses the user store.
You can also specify the certificate using the THUMB tag:

Re: SIGTERM[soft,init_instance] received, process exiting

Post by janhoedt » Fri Dec 02, 2011 2:18 pm

CryptoPro Forum: Problem obtaining the signer's certificate (CertFindCertificateInStore)

#1 cplusplus, 27 April 2009, 1:07:07 (UTC)

I'm doing it as in MSDN.
A call to CertFindCertificateInStore does not find the certificate named Gafarov_Artur in the "Personal" certificates.
The "Subject" field of the certificate:

STREET = пр.Ленина, 40
CN = Gafarov_Artur
O = ЦТБ
L = Томск
S = Томская
C = RU

And here is the code itself.

Code:

	// Open the certificate store.
	// CertOpenStore - http://msdn.microsoft.com/en-us/library/aa376559(VS.85).aspx
	if ( hCertStore = CertOpenStore(
								CERT_STORE_PROV_SYSTEM,
								0, // encoding type. 0 or X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
								NULL,
								CERT_SYSTEM_STORE_CURRENT_USER,
								L"MY"))
	printf("The MY store is opened");
	else printf("The MY store could not be opened.");

	LPWSTR lpszCertSubject = L"Gafarov_Artur";

	// Get the certificate for the signer.
	if(pSignerCertContext = CertFindCertificateInStore(
		hCertStore,
		MY_ENCODING_TYPE,
		0,
		CERT_FIND_SUBJECT_STR,
		lpszCertSubject,
		NULL))
	printf("%s%d%s","Certificate",lpszCertSubject," was found"); // ignore this line,
																// I don't even know how to write it correctly, I use cout
	else
	{
		printf("%s%d%s","Certificate",lpszCertSubject," not found");
		exit(1);
	}

Maybe I made a really silly mistake, but please explain.

#2 cplusplus, 29 April 2009, 15:49:14 (UTC)

If I use CERT_FIND_ANY instead of CERT_FIND_SUBJECT_STR, it does seem to find a certificate, but calling the following function shows a different certificate, not the one I was looking for:

Code:

if(CertGetNameString(
		pSignerCertContext ,
		CERT_NAME_SIMPLE_DISPLAY_TYPE,
		0,
		NULL,
		pszNameString,
		MAX_NAME) > 1)
	{
		cout << "The SIMPLE_DISPLAY_TYPE message signer's name is  " << pszNameString << endl;
		_tprintf(
			TEXT("The SIMPLE_DISPLAY_TYPE message signer's name is ")
			TEXT("%s \n"),
			pszNameString);
	}
	else
	{
		MyHandleError(
			TEXT("Getting the name of the signer failed.\n"));
	}

I have two certificates installed, so it shows the next one. What should I do?


#3 Kirill Sobolev (CryptoPro staff), 29 April 2009, 18:33:58 (UTC)

And what is MY_ENCODING_TYPE?
CERT_FIND_ANY simply finds any certificate; the search criteria are not taken into account.


#4 cplusplus, 10 May 2009, 2:13:24 (UTC)

#define MY_ENCODING_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)


#5 Kirill Sobolev (CryptoPro staff), 12 May 2009, 14:09:56 (UTC)

Could we take a look at the "Gafarov_Artur" certificate itself?


#6 cplusplus, 19 May 2009, 3:51:45 (UTC)

Here is the public certificate.

For now I did it like this (and it seems to work tolerably):

Code:

// Get the certificate for the signer.
while (pSignerCertContext = CertEnumCertificatesInStore(hCertStore, pSignerCertContext))
{
	// Skip certificates whose public key algorithm is not szOID_CP_GOST_R3410EL.
	if (!strcmp(pSignerCertContext->pCertInfo->SubjectPublicKeyInfo.Algorithm.pszObjId, szOID_CP_GOST_R3410EL))
	{
		CertGetNameString(
			pSignerCertContext,
			CERT_NAME_SIMPLE_DISPLAY_TYPE,
			0,
			NULL,
			pszNameString,
			MAX_NAME);
		// Compare the display name with the signer name being searched for.
		if (!strcmp(pszNameString, CharBuff_Signer))
		{
			// CryptAcquireCertificatePrivateKey obtains the handle of the CSP provider
			// for the corresponding certificate.
			if (CryptAcquireCertificatePrivateKey(pSignerCertContext,
													0,
													NULL,
													&hCryptProv,
													&dwKeySpec,
													NULL))
			{
				Form1->Memo1->Lines->Add("CryptAcquireCertificatePrivateKey выполнилась успешно");
				break;
			}
			else
			{
				Form1->Memo1->Lines->Add("Error CryptAcquireCertificatePrivateKey");
				break;
			}
		}
	}
}

Edited by the user 19 May 2009, 3:55:00 (UTC) | Reason: not specified

Attachment(s):

Gafarov_Artur.cer (2kb), downloaded 27 times.


#7 Kirill Sobolev (CryptoPro staff), 19 May 2009, 15:40:21 (UTC)

Strange.
For me this code finds this certificate in Personal without problems (WS 2003 R2, VS 2008).


#8 Максим Коллегин (CryptoPro staff), 19 May 2009, 15:48:59 (UTC)

Code:

// bug or oversight in wincrypt.h
#ifdef CERT_FIND_SUBJECT_STR
#   undef CERT_FIND_SUBJECT_STR
#   undef CERT_FIND_ISSUER_STR
#   ifdef _UNICODE
#	define CERT_FIND_SUBJECT_STR	CERT_FIND_SUBJECT_STR_W
#	define CERT_FIND_ISSUER_STR	CERT_FIND_ISSUER_STR_W
#   else
#	define CERT_FIND_SUBJECT_STR	CERT_FIND_SUBJECT_STR_A
#	define CERT_FIND_ISSUER_STR	CERT_FIND_ISSUER_STR_A
#   endif // !UNICODE
#endif


#9 cplusplus, 19 May 2009, 16:20:12 (UTC)

Kirill Sobolev wrote:

Strange.
For me this code finds this certificate in Personal without problems (WS 2003 R2, VS 2008).

I have C++CodeGear 2009, and I also tried it in VS 2008. It didn't work there either. Windows XP, SP 3.


#10 cplusplus, 19 May 2009, 16:22:30 (UTC)

maxdm wrote:

Code:

// bug or oversight in wincrypt.h
#ifdef CERT_FIND_SUBJECT_STR
#   undef CERT_FIND_SUBJECT_STR
#   undef CERT_FIND_ISSUER_STR
#   ifdef _UNICODE
#	define CERT_FIND_SUBJECT_STR	CERT_FIND_SUBJECT_STR_W
#	define CERT_FIND_ISSUER_STR	CERT_FIND_ISSUER_STR_W
#   else
#	define CERT_FIND_SUBJECT_STR	CERT_FIND_SUBJECT_STR_A
#	define CERT_FIND_ISSUER_STR	CERT_FIND_ISSUER_STR_A
#   endif // !UNICODE
#endif

Could you go into more detail here??? My wincrypt.h doesn't even have the line #ifdef CERT_FIND_SUBJECT_STR.


Got a problem with Viscosity or need help? Ask here!

freddy1975

Posts: 2
Joined: Mon Mar 11, 2013 8:23 pm

Hi,

I saved my client certificate in the Windows Certificate Store and use the command <cryptoapicert "SUBJ:client2"> in the ovpn-configuration file. This works with OpenVPN 2.2.2 and OpenVPN GUI.

When I try to start this configuration with Viscosity the connection fails and I can see the following error in the log file: "Cannot load certificate "SUBJ:client2" from Microsoft Certificate Store: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden." Viscosity works fine when the certificate files are in the file system (ca *.crt / key client2.key / cert client2.crt in the configuration file).

I’m working with Windows 7 64bit. I saved the client certificates in Windows Certificate Store in the personal certificate store and in the computer’s certificate store. Even though it’s not necessary for OpenVPN 2.2.2, I saved the ca certificate in the Trusted Root Certification Authorities. I also tried to start Viscosity with administrator privileges.

Eric


Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post
by Eric » Mon Mar 11, 2013 10:01 pm

Hi freddy1975,

No matter what user you run Viscosity with, OpenVPN is going to be started as the user SYSTEM by ViscosityService, so storing the certificates in Personal probably isn’t going to work (even though it should).

The error you are getting indicates that there is something wrong with the certificate, specifically that it cannot find the certificate or private key to decrypt your certificate with. The CA file will be required in order for your certificate to be usable unless you are using a p12 bundle.

The best thing to try first is to delete all copies of all your certificates relating to your OpenVPN connection and then store a single working copy of them in the Trusted People container (off memory this is accessible to all users). Also try setting Viscosity to use OpenVPN 2.2 as you had this working successfully before. To do this, open Viscosity Preferences, go to the Advanced tab and select 2.2 in the OpenVPN version drop down.

Let us know if any of this helps.

Regards,

Eric

freddy1975

Posts: 2
Joined: Mon Mar 11, 2013 8:23 pm

Hi Eric,

thanks for your quick reply.

The problem seems to be a little bit strange. I guess it’s a problem with windows rights management.

As you told me, I deleted all OpenVPN related certificates and stored it first in My Trusted People Container and tried it. After that I moved the certificate to my computer’s Trusted People Container which didn’t work as well (I tried this with Automatic, V 2.2 and V 2.3 OpenVPN configuration in Viscosity). By the way my separate OpenVPN 2.2.2 installation didn’t work either with the certificates in the Trusted People Container.

So I put the certificate back to My Personal Container and started the Viscosity service with my user rights (admin). This solution works. But I’d rather start it with system rights as preconfigured.

Do you have any ideas?

Eric


Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Hi freddy1975,

I apologise for the delayed reply.

Unfortunately running the service as Admin might be the only way at the moment unless you can locate a certificate store that the System user can access and read. I’ve gone through the MS Documentation about the Certificate Manager and have found nothing that points me to a solution.

We will also do some investigation to see if we can allow an option for OpenVPN to be started as a particular user rather than System to allow a solution to this down the line.

Regards,

Eric

Flamme_2

Posts: 1
Joined: Fri Apr 24, 2020 12:29 am

Hi everybody.

I have the same problem and I found a workaround.
Yes, I know, this post is outdated, but Google returns this post as the first result if you search for this:
"cryptoapicert can’t find crypto api viscosity"

And if, like me, you have the problem, you can try to fix it by following these steps:

1 - Import your certificate into your certificate data store. For the test, I imported it into both the User and Computer data stores.

2 - Configure the cryptoapicert option in Viscosity to use THUMB instead of SUBJ

Like this:
cryptoapicert "THUMB:c01…….."

See documentation here:
https://www.sparklabs.com/support/kb/ar … ptoapicert

3 - Try to connect
For me, it works only with THUMB, not with SUBJ

How to find THUMB?
You can find THUMB in your certificate data store:
1 - Execute the "mmc" console
2 - File > Add/Remove > Certificates > Add > OK
3 - Go to Personal > Certificates > "Your certificate"
4 - Go to the "Detail" tab; at the end of the list, get and copy the value of "Thumbprint"
5 - Replace the cryptoapicert line with
cryptoapicert "THUMB:<value of Thumbprint>"
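
The MMC lookup in the steps above can be scripted, which also shows which store holds the certificate and whether a private key is attached to it. This PowerShell is an added example, not part of the original post or of OpenVPN or Viscosity; `Find-CryptoApiCert` is a hypothetical helper name, and its subject match only approximates the substring search of `CERT_FIND_SUBJECT_STR` used in the CryptoAPI code earlier on this page.

```powershell
# Added example. Find-CryptoApiCert is a hypothetical helper name.
function Find-CryptoApiCert {
    [CmdletBinding(DefaultParameterSetName = 'Thumb')]
    param(
        [Parameter(Mandatory, ParameterSetName = 'Thumb')]
        [string]$Thumbprint,

        [Parameter(Mandatory, ParameterSetName = 'Subj')]
        [string]$Subject
    )

    $wanted = $null
    if ($PSCmdlet.ParameterSetName -eq 'Thumb') {
        # Keep hex digits only: this drops spaces, colons and the invisible
        # Unicode mark that copying from the MMC details tab can include.
        $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
        if ($wanted.Length -ne 40) {
            throw "A SHA-1 thumbprint has 40 hex digits; got $($wanted.Length)."
        }
    }

    # Search the per-account store and the computer store, as both appear in the threads.
    $found = @(foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
        Get-ChildItem -Path $store | Where-Object {
            if ($wanted) {
                $_.Thumbprint -eq $wanted
            } else {
                # Case-insensitive substring match on the subject string.
                $_.Subject.IndexOf($Subject, [StringComparison]::OrdinalIgnoreCase) -ge 0
            }
        } | ForEach-Object {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                HasPrivateKey = $_.HasPrivateKey   # False when only the .crt was imported
                NotAfter      = $_.NotAfter
                ConfigLine    = 'cryptoapicert "THUMB:{0}"' -f $_.Thumbprint
            }
        }
    })

    if ($found.Count -eq 0) {
        Write-Warning 'No matching certificate in CurrentUser\My or LocalMachine\My.'
    }
    $found | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
        Write-Warning "$($_.Thumbprint) in $($_.Store) has no private key attached; import a .pfx rather than the bare .crt."
    }
    if ($Subject -and $found.Count -gt 1) {
        Write-Warning "'$Subject' matches $($found.Count) store entries; a thumbprint selects exactly one certificate."
    }
    $found
}

# 'client2' is the subject used in the thread above; substitute your own value.
Find-CryptoApiCert -Subject 'client2' | Format-List
```

Run it under the account that starts OpenVPN, because `CurrentUser\My` is a different store for each account while `LocalMachine\My` is shared. `HasPrivateKey` reports only that a key is linked to the certificate, not that the service account is permitted to read it.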
