-
jimmyp82
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jun 30, 2021 10:44 am
OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Hello
New to this forum and very new to openvpn. I have inherited a setup so am trying to get my head around it. We have a user which is having an issue connecting. Below is the log from the user.
Prior to this he was getting a different error about the certificate having expired.
I found that the client cert was still valid however the ca.crt and the gateway.crt on the server were both out of date. I used this command —
Code: Select all
openssl x509 -in ca.crt -days 36500 -out ca_new.crt -signkey ca.keyto sign a new ca.crt and a gateway.crt which I replaced, ie renamed the old crt and put the new ca.crt in place. I also sent the user the updated ca.crt.
After having done that however the user now gets the error below —
Code: Select all
Wed Jun 30 11:30:07 2021 WARNING: --ns-cert-type is DEPRECATED. Use --remote-cert-tls instead.
Wed Jun 30 11:30:07 2021 MANAGEMENT: >STATE:1625045407,RESOLVE,,,,,,
Wed Jun 30 11:30:07 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXXXXXXXX:XXXX
Wed Jun 30 11:30:07 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Wed Jun 30 11:30:07 2021 Attempting to establish TCP connection with [AF_INET]XXXXXXXXX:XXXX [nonblock]
Wed Jun 30 11:30:07 2021 MANAGEMENT: >STATE:1625045407,TCP_CONNECT,,,,,,
Wed Jun 30 11:30:08 2021 TCP connection established with [AF_INET]XXXXXXXXX:XXXX
Wed Jun 30 11:30:08 2021 TCP_CLIENT link local: (not bound)
Wed Jun 30 11:30:08 2021 TCP_CLIENT link remote: [AF_INET]XXXXXXXXX:XXXX
Wed Jun 30 11:30:08 2021 MANAGEMENT: >STATE:1625045408,WAIT,,,,,,
Wed Jun 30 11:30:09 2021 MANAGEMENT: >STATE:1625045409,AUTH,,,,,,
Wed Jun 30 11:30:09 2021 TLS: Initial packet from [AF_INET]XXXXXXXXX:XXXX, sid=4b062365 dc720dc0
Wed Jun 30 11:30:09 2021 VERIFY OK: depth=1, C=UK, ST=UK, L=London, O=XXXXXXXXX, CN=gateway, emailAddress=XXXXXXXXX
Wed Jun 30 11:30:09 2021 VERIFY ERROR: depth=0, error=certificate signature failure: C=UK, ST=UK, L=London, O=XXXXXXX, CN=gateway, emailAddress=XXXXXXXXXXX
Wed Jun 30 11:30:09 2021 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Wed Jun 30 11:30:09 2021 TLS_ERROR: BIO read tls_read_plaintext error
Wed Jun 30 11:30:09 2021 TLS Error: TLS object -> incoming plaintext read error
Wed Jun 30 11:30:09 2021 TLS Error: TLS handshake failed
Wed Jun 30 11:30:09 2021 Fatal TLS error (check_tls_errors_co), restarting
Wed Jun 30 11:30:09 2021 SIGUSR1[soft,tls-error] received, process restarting
Wed Jun 30 11:30:09 2021 MANAGEMENT: >STATE:1625045409,RECONNECTING,tls-error,,,,,
Wed Jun 30 11:30:09 2021 Restart pause, 5 second(s)Any help much appreciated!
Thanks
James
-
jimmyp82
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jun 30, 2021 10:44 am
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post
by jimmyp82 » Thu Jul 01, 2021 8:48 am
Hello
Thanks for the reply!
So you mean everything has to be recreated again, ie CA and gateway and client crts and the keys as well?
Thanks
-
300000
- OpenVPN Expert
- Posts: 688
- Joined: Tue May 01, 2012 9:30 pm
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post
by 300000 » Thu Jul 01, 2021 10:58 am
If you create new CA key so you need create new client key too . nothing you can do or there is nothing about renew certificate . what do you expect now? do it again on 10 years time then do it again . every 10 years you need to do this .
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1137
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post
by openvpn_inc » Thu Jul 01, 2021 3:36 pm
300000 wrote: ↑
Thu Jul 01, 2021 10:58 am
If you create new CA key so you need create new client key too . nothing you can do or there is nothing about renew certificate . what do you expect now? do it again on 10 years time then do it again . every 10 years you need to do this .
10 years is just long enough to forget how to do it. 
Strictly speaking, a new CA certificate means you need a new set of certificates, not keys. Existing keys (CA, server and clients) can generate new CSRs (certificate signing requests) to be signed by the CA and create the new certificates.
If the CA is creating the keys for the users, this distinction might not be important to you. But when my own 10-year CA cert expired I kept the same keys.
Regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11142
- Joined: Fri Jun 03, 2016 1:17 pm
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post
by TinCanTech » Thu Jul 01, 2021 4:46 pm
openvpn_inc wrote: ↑
Thu Jul 01, 2021 3:36 pm
when my own 10-year CA cert expired I kept the same keys
That is fine for you but is probably not a good idea for most average users.
It is not documented by any openvpn articles that I’ve seen and even Easy-RSA does not have anything solid to follow ..
-
jimmyp82
- OpenVpn Newbie
- Posts: 3
- Joined: Wed Jun 30, 2021 10:44 am
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post
by jimmyp82 » Fri Jul 02, 2021 12:05 pm
Hello
I got a bit further, now testing with a new client i have setup on a laptop however getting this —
Fri Jul 02 04:59:12 2021 WARNING: —ns-cert-type is DEPRECATED. Use —remote-cert-tls instead.
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,RESOLVE,,,,,,
Fri Jul 02 04:59:12 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 04:59:12 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 04:59:12 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,TCP_CONNECT,,,,,,
Fri Jul 02 05:01:13 2021 TCP: connect to [AF_INET]XXX.XXX.XXX.XX1194 failed: Unknown error
Fri Jul 02 05:01:13 2021 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Fri Jul 02 05:01:13 2021 MANAGEMENT: >STATE:1625227273,RECONNECTING,init_instance,,,,,
Fri Jul 02 05:01:13 2021 Restart pause, 5 second(s)
Fri Jul 02 05:01:18 2021 WARNING: —ns-cert-type is DEPRECATED. Use —remote-cert-tls instead.
Fri Jul 02 05:01:18 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 05:01:18 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 05:01:18 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 05:01:18 2021 MANAGEMENT: >STATE:1625227278,TCP_CONNECT,,,,,,
-
openvpn_inc
- OpenVPN Inc.
- Posts: 1137
- Joined: Tue Feb 16, 2021 10:41 am
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post
by openvpn_inc » Sat Jul 03, 2021 1:19 pm
jimmyp82 wrote: ↑
Fri Jul 02, 2021 12:05 pm
HelloI got a bit further, now testing with a new client i have setup on a laptop however getting this —
Fri Jul 02 04:59:12 2021 WARNING: —ns-cert-type is DEPRECATED. Use —remote-cert-tls instead.
Fix this, that should be easy enough to do, see the manual and look for «—remote-cert-tls«.
jimmyp82 wrote: ↑
Fri Jul 02, 2021 12:05 pm
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,RESOLVE,,,,,,
Fri Jul 02 04:59:12 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 04:59:12 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 04:59:12 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,TCP_CONNECT,,,,,,
Fri Jul 02 05:01:13 2021 TCP: connect to [AF_INET]XXX.XXX.XXX.XX1194 failed: Unknown error
Here you have a TCP connection failing for an unknown reason. It’s unfortunate that more information could not be logged, but openvpn simply could not determine the actual failure. If the connection is not established, the problem almost surely lies outside of openvpn.
Our IRC channel /topic says, «The problem is your firewall, really.» That’s the chief suspect here, and note that it could be a firewall anywhere along the way between (or on client and server. Look at other tools like tcpdump(1) to see more about what the problem might be. Your nc(1) or netcat(1) utility can help you test.
I should add, TCP is generally not recommended for openvpn. It should normally only be used when getting through silly firewalls that you don’t control. Packet loss of a TCP stream inside another TCP stream rapidly snowballs into more and more packets being repeated at both levels. UDP is ideal for things like this.
I hope this helps, good luck. Regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
v.2.4.5 cannot connect to already configured VPN servers with self-signed certificates showing the error like «OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed».
2.4.4 connects OK with the same server settings and ovpn configuration files.
2.4.5 is built with openssl 1.1.0 so it will reject weak signature algorithms like MD5 — If that is the case, the logs will show a line above the one you posted with «VERIFY ERROR: ….. signature digest algorithm too weak»
If so, try to convince the server admin to upgrade the server certificate. No excuse for using MD5 in certificates. If that is not an option you could run with --tls-cipher DEFAULT:@SECLEVEL=0, but its not recommended.
I am not sure about MD5, anyway — VPN server is working on Asus router and I don’t know will it allow to change signature algorithm.
tls-cipher DEFAULT:@SECLEVEL=0 works good, thank you.
SECLEVEL=0 is only a temporary quick fix — do not use it as a long-term solution.
I am going to discuss it with firmware developer.
@selvanair This is exactly what we need: a short temporary fix, but that’s the only solution ATM until we can regenerate our certificates.
Can you please help me set this up?
I’m on openSUSE and i just can’t connect to VPN. Where do i set this? I’ve looked everywhere (except in the right place, naturally)
You add that option to the client config.
@selvanair Yes, but where’s that? In command Line? on the config file? On NetworkManager?
Let me say this first: working around MD5 certificates is not the right solution — especially so for someone who has no clue how to add a config option. Get the server admin to update the certificate.
That said, config options can go into the command line or the config file. Front ends like NM have their own way of inputting options and not all options may be supported that way — but eventually the option has to end up on the command line or the config file of the openvpn process. I’ve no idea how you are running openvpn on your SUSE desktop. I use Debian and all my configs are text files in /etc/openvpn/ in case that helps.
Anyway, if you are not asking about OpenVPN Windows GUI, this is the wrong place:) Seeking help in the users IRC channel (openvpn on irc.freenode.net) may be more appropriate — also see https://community.openvpn.net/openvpn/wiki/GettingHelp
I understand your concerns and i thank you for your advice! 
I only asked where/how because i already tried all the steps you talked about before starting to ask for help…
i tried the terminal — that somehow does not allow me to use the command, and adding the config option to the file you mentioned (that in SUSE is in that directory as well). Using NM, i do not find any place i can use to either activate the option or set the command to be used.
That «weird» results are the reason i asked detailed instructions (going to as simple things as even adding the option to the config file). I think i should be humble enough to consider that it i that is doing some small detail wrongly.
That said, i’ll try to get around this in irc, then. Thank you for reply & help
We do not have any MD5 signed certificates. Would the same error be thrown when the local CA is signed with SHA1, but the client certificate is signed SHA256? I believe the WEBCA forum mentioned this problem over a year ago.
SHA1 is considered too weak and has been deprecated as well. SHA256 should be good.
Hi,
On Sat, Oct 06, 2018 at 08:39:30AM -0700, ssameer wrote:
SHA1 is considered too weak and has been deprecated as well. SHA256 should be good.
For HMAC usage, SHA1 is still fine. Just not for certificates.
Even MD5 hasn’t been broken *for HMAC*.
gert
…
—
«If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor.»
Robert A. Heinlein, The Moon is a Harsh Mistress
Gert Doering — Munich, Germany gert@greenie.muc.de
Actually, the bug in the openvpn is that it output something like
TLS_ERROR: BIO read tls_read_plaintext error
instead of human-readable message about low security of MD5 hashes. This should be fixed.
If the error is due to weak hash in the certificate, the logs will also show something like: «VERIFY ERROR: ….. signature digest algorithm too weak».
Содержание
- Клиенты не подключаются к OpenVPN на микротике.
- OpenVPN Support Forum
- OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
- SSL3 error when requesting connection using TLS 1.2
- 2 Answers 2
- OpenVPN Support Forum
- OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
- OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Клиенты не подключаются к OpenVPN на микротике.
Не подключаются клиенты (linux) к OpenVPN серверу на микротике.
Сертификаты для сервера и клиентов созданы? Сертификат сервера в микротык импортирован? Клиентские сертификаты клиентам розданы? ca.crt и серверу, и клиентам роздан?
Да. Все сертификаты на местах.
А кроме этого ворнинга какая-нибудь еще ругань есть? Микротык в log print что-нибудь говорит?
Если я все правильно понимаю, то клиенту недоступен либо чем-то не нравится ca.crt.
понять бы, чем не нравится..
Может все-таки конфиги покажем?
Микротик настраивался по статье на хабре.
1. Про серверный мы видимо должны догадаться.
2. смотрите что у вас в /etc/openvpn/ca.crt и сравните с серверным
3. Микротик настраивался по статье на хабре. — про которую мы видимо тоже должны догадаться.
ЗЫ Даты на клиенте и сервере все-таки тоже проверьте.
Буквально на днях цеплял еще одного клиента к рабочему ovpn’у. Один момент — клиент на windows. Была точно такая же ошибка, хотя конфиг и все остальное было взято с рабочего клиента. Вопрос решился установкой другой версии openvpn. Скачивал с сайта текущий 2.3.11 — с ним не шло. Поставил 2.3.10 — сразу все подключилось. Что-то они там с SSL в клиенте сделали.
Клиентский конфиг и примеры рабочих корневого и клиентского сертификатов можете скинуть?
Вообще они немного разные, но как минимум ns-cert-type server пробовали раскоментировать?
Клиентский конфиг и примеры рабочих корневого и клиентского сертификатов можете скинуть?
И ключи от квартиры где деньги лежат?
да. результат тот же.
Посмотрите от кого запускается openvpn может ему /etc/openvpn/ca.crt не доступен.
Я и имел ввиду сгенерировать новые, но с теми же параметрами (nsCertType, keyUsage,keyCertSign, authorityKeyIdentifier, и.т.д) как у рабочих.
запускал и от рута и от обычного пользователя.
btw не нулевая вероятность. Сам не сталкивался, но читал про такое.
Хотя больше предполагаю, что проблема была как обычно в самом конфиге (устаревшие/изменившие поведение/добавленные параметры). Вы лог клиента не пробовали читать?
Возможно в самом openvpn (мы же только догадываемся) захаркоден конкретный юзвер:группа, например openvpn:openvpn.
Вообще микротик насколько я слышал, та еще пакость во многих частях. Попробуйте все-таки полностью хотя по одной из инструкций сделать (они реально разные) а у вас если смотреть наискосок вроде как помесь уже.
Как уже выше писал dexpl проблема явно в одном:
Fri Jun 10 21:46:52 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca: error:140940E5:SSL routines:SSL3_READ_BYTES:ssl handshake failure
Что вы сделали не так, честно говоря я хз. Сливаюсь. Может знатоки микротика подтянуться, не нулевая вероятность что вы совсем не ca.crt выложили или не в том формате.
У меня эта проблема вылезла, после того как обновился openvpn-клиент в федоре. Теперь не могу к серверам на микротиках подключаться. А вот к старому серверу на линуксе вполне ок. Буду разбираться.
Источник
OpenVPN Support Forum
Community Support Forum
OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by jimmyp82 » Wed Jun 30, 2021 10:58 am
New to this forum and very new to openvpn. I have inherited a setup so am trying to get my head around it. We have a user which is having an issue connecting. Below is the log from the user.
Prior to this he was getting a different error about the certificate having expired.
I found that the client cert was still valid however the ca.crt and the gateway.crt on the server were both out of date. I used this command —
to sign a new ca.crt and a gateway.crt which I replaced, ie renamed the old crt and put the new ca.crt in place. I also sent the user the updated ca.crt.
After having done that however the user now gets the error below —
Any help much appreciated!
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by TinCanTech » Wed Jun 30, 2021 4:43 pm
Your CA has expired. You need to start all over again from scratch.
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by jimmyp82 » Thu Jul 01, 2021 8:48 am
Thanks for the reply!
So you mean everything has to be recreated again, ie CA and gateway and client crts and the keys as well?
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by 300000 » Thu Jul 01, 2021 10:58 am
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by openvpn_inc » Thu Jul 01, 2021 3:36 pm
10 years is just long enough to forget how to do it.
Strictly speaking, a new CA certificate means you need a new set of certificates, not keys. Existing keys (CA, server and clients) can generate new CSRs (certificate signing requests) to be signed by the CA and create the new certificates.
If the CA is creating the keys for the users, this distinction might not be important to you. But when my own 10-year CA cert expired I kept the same keys.
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by TinCanTech » Thu Jul 01, 2021 4:46 pm
That is fine for you but is probably not a good idea for most average users.
It is not documented by any openvpn articles that I’ve seen and even Easy-RSA does not have anything solid to follow ..
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by jimmyp82 » Fri Jul 02, 2021 12:05 pm
I got a bit further, now testing with a new client i have setup on a laptop however getting this —
Fri Jul 02 04:59:12 2021 WARNING: —ns-cert-type is DEPRECATED. Use —remote-cert-tls instead.
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,RESOLVE.
Fri Jul 02 04:59:12 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 04:59:12 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 04:59:12 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 04:59:12 2021 MANAGEMENT: >STATE:1625227152,TCP_CONNECT.
Fri Jul 02 05:01:13 2021 TCP: connect to [AF_INET]XXX.XXX.XXX.XX1194 failed: Unknown error
Fri Jul 02 05:01:13 2021 SIGUSR1[connection failed(soft),init_instance] received, process restarting
Fri Jul 02 05:01:13 2021 MANAGEMENT: >STATE:1625227273,RECONNECTING,init_instance.
Fri Jul 02 05:01:13 2021 Restart pause, 5 second(s)
Fri Jul 02 05:01:18 2021 WARNING: —ns-cert-type is DEPRECATED. Use —remote-cert-tls instead.
Fri Jul 02 05:01:18 2021 TCP/UDP: Preserving recently used remote address: [AF_INET]XXX.XXX.XXX.XX:1194
Fri Jul 02 05:01:18 2021 Socket Buffers: R=[65536->65536] S=[65536->65536]
Fri Jul 02 05:01:18 2021 Attempting to establish TCP connection with [AF_INET]XXX.XXX.XXX.XX:1194 [nonblock]
Fri Jul 02 05:01:18 2021 MANAGEMENT: >STATE:1625227278,TCP_CONNECT.
Re: OpenSSL error:1416F086 tls_process_server_certificate:certificate verify failed
Post by openvpn_inc » Sat Jul 03, 2021 1:19 pm
I got a bit further, now testing with a new client i have setup on a laptop however getting this —
Fri Jul 02 04:59:12 2021 WARNING: —ns-cert-type is DEPRECATED. Use —remote-cert-tls instead.
Here you have a TCP connection failing for an unknown reason. It’s unfortunate that more information could not be logged, but openvpn simply could not determine the actual failure. If the connection is not established, the problem almost surely lies outside of openvpn.
Our IRC channel /topic says, » The problem is your firewall, really.» That’s the chief suspect here, and note that it could be a firewall anywhere along the way between (or on client and server. Look at other tools like tcpdump(1) to see more about what the problem might be. Your nc(1) or netcat(1) utility can help you test.
I should add, TCP is generally not recommended for openvpn. It should normally only be used when getting through silly firewalls that you don’t control. Packet loss of a TCP stream inside another TCP stream rapidly snowballs into more and more packets being repeated at both levels. UDP is ideal for things like this.
I hope this helps, good luck. Regards, rob0
Источник
SSL3 error when requesting connection using TLS 1.2
I’ve come across several hosts that throw SSL3 handshake errors even though I explicitly request TLS 1.2. Why is this? Am I using the openssl client wrong?
2 Answers 2
In SSL/TLS, the client does not request a specific protocol version; the client announces the maximum protocol version that it supports, and then the server chooses the protocol version that will be used. Your client does not tell «let’s use TLS 1.2»; it says «I know up to TLS 1.2″.
A client may have its own extra requirements, but there is no room to state them in the ClientHello message. If the client wants to do TLS 1.2 only, then he must announce «up to TLS 1.2» in its ClientHello , and also close the connection if the server responds with a message that says anything else than «let’s do TLS 1.2». In your case, things did not even reach that point: the server responded with a fatal alert 40 («handshake_failure», see the standard). As @dave_thompson_085 points out, this is due to a lack of SNI: this is an extension by which the client documents in its ClientHello message the name of the target server. SNI is needed by some servers because they host several SSL-enabled sites on the same IP address, and need that parameter to know which certificate they should use. The command-line tool openssl s_client can send an SNI with an explicit -servername option.
As @Steffen explained, SSL 3.0 and all TLS versions are quite similar and use the same record format (at least in the early stage of the handshake) so OpenSSL tends to reuse the same functions. Note that since the server does not respond with a ServerHello at all, the protocol version is not yet chosen, and SSL 3.0 is still, at least conceptually, a possibility at that early point of the handshake.
Источник
OpenVPN Support Forum
Community Support Forum
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Post by Viren » Tue May 24, 2022 4:43 pm
A search before suggested expired certs could be the cause. Certs have been checked and they are valid:
2022-05-24 17:23:29 NOTE: —user option is not implemented on Windows
2022-05-24 17:23:29 NOTE: —group option is not implemented on Windows
2022-05-24 17:23:29 —cipher is not set. Previous OpenVPN version defaulted to BF-CBC as fallback when cipher negotiation failed in this case. If you need this fallback please add ‘—data-ciphers-fallback BF-CBC’ to your configuration and/or add BF-CBC to —data-ciphers.
2022-05-24 17:23:29 OpenVPN 2.5.6 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on May 12 2022
2022-05-24 17:23:29 Windows version 10.0 (Windows 10 or greater) 64bit
2022-05-24 17:23:29 library versions: OpenSSL 1.1.1o 3 May 2022, LZO 2.10
2022-05-24 17:23:32 WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
2022-05-24 17:23:32 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:23:32 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:23:32 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:23:32 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:23:32 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:23:32 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:23:32 TLS Error: TLS handshake failed
2022-05-24 17:23:32 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:23:37 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:23:37 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:23:37 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:23:38 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:23:38 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:23:38 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:23:38 TLS Error: TLS handshake failed
2022-05-24 17:23:38 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:23:43 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:23:43 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:23:43 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:23:43 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:23:44 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:23:45 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:23:47 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:23:49 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:23:51 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:23:57 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:24:01 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:24:06 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:24:13 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:24:43 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-05-24 17:24:43 TLS Error: TLS handshake failed
2022-05-24 17:24:43 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:24:48 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:24:48 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:24:48 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:24:49 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:24:49 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:24:49 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:24:49 TLS Error: TLS handshake failed
2022-05-24 17:24:49 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:24:54 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:24:54 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:24:54 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:24:54 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:24:54 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:24:54 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:24:54 TLS Error: TLS handshake failed
2022-05-24 17:24:54 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:25:04 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:25:04 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:25:04 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:25:04 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:25:06 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:25:08 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:25:10 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:25:18 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:25:18 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:25:22 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_CONTROL_V1)
2022-05-24 17:25:34 TLS Error: Unroutable control packet received from [AF_INET]51.75.161.142:1194 (si=3 op=P_ACK_V1)
2022-05-24 17:26:04 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-05-24 17:26:04 TLS Error: TLS handshake failed
2022-05-24 17:26:04 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:26:24 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:26:24 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:26:24 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:26:24 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:26:24 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:26:24 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:26:24 TLS Error: TLS handshake failed
2022-05-24 17:26:24 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:27:04 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:27:04 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:27:04 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:27:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:27:04 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:27:04 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:27:04 TLS Error: TLS handshake failed
2022-05-24 17:27:04 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:28:24 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:28:24 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:28:24 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:28:24 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:28:24 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:28:24 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:28:24 TLS Error: TLS handshake failed
2022-05-24 17:28:24 SIGUSR1[soft,tls-error] received, process restarting
2022-05-24 17:31:04 TCP/UDP: Preserving recently used remote address: [AF_INET]51.75.161.142:1194
2022-05-24 17:31:04 UDP link local (bound): [AF_INET][undef]:1194
2022-05-24 17:31:04 UDP link remote: [AF_INET]51.75.161.142:1194
2022-05-24 17:31:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2022-05-24 17:31:04 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-24 17:31:04 TLS Error: TLS object -> incoming plaintext read error
2022-05-24 17:31:04 TLS Error: TLS handshake failed
2022-05-24 17:31:04 SIGUSR1[soft,tls-error] received, process restarting
#################################################
# Sample OpenVPN 2.0 config file for #
# multi-client server. #
# #
# This file is for the server side #
# of a many-clients one-server #
# OpenVPN configuration. #
# #
# OpenVPN also supports #
# single-machine single-machine #
# configurations (See the Examples page #
# on the web site for more info). #
# #
# This config should work on Windows #
# or Linux/BSD systems. Remember on #
# Windows to quote pathnames and use #
# double backslashes, e.g.: #
# «C:\Program Files\OpenVPN\config\foo.key» #
# #
# Comments are preceded with ‘#’ or ‘;’ #
#################################################
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# «dev tun» will create a routed IP tunnel,
# «dev tap» will create an ethernet tunnel.
# Use «dev tap0» if you are ethernet bridging
# and have precreated a tap0 virtual interface
# and bridged it with your ethernet interface.
# If you want to control access policies
# over the VPN, you must create firewall
# rules for the the TUN/TAP interface.
# On non-Windows systems, you can give
# an explicit unit number, such as tun0.
# On Windows, use «dev-node» for this.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap
dev tun
# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel if you
# have more than one. On XP SP2 or higher,
# you may need to selectively disable the
# Windows firewall for the TAP adapter.
# Non-Windows systems usually don’t need this.
;dev-node MyTap
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the «easy-rsa» directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see «pkcs12» directive in man page).
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh2048.pem 2048
dh /etc/openvpn/dh.pem
# Network topology
# Should be subnet (addressing via IP)
# unless Windows clients v2.0.9 and lower have to
# be supported (then net30, i.e. a /30 per client)
# Defaults to net30 (not recommended)
topology subnet
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.8.0.0 255.255.255.0
# Maintain a record of client virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Configure server mode for ethernet bridging.
# You must first use your OS’s bridging capability
# to bridge the TAP interface with the ethernet
# NIC interface. Then you must manually set the
# IP/netmask on the bridge interface, here we
# assume 10.8.0.4/255.255.255.0. Finally we
# must set aside an IP range in this subnet
# (start=10.8.0.50 end=10.8.0.100) to allocate
# to connecting clients. Leave this line commented
# out unless you are ethernet bridging.
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
# Configure server mode for ethernet bridging
# using a DHCP-proxy, where clients talk
# to the OpenVPN server-side DHCP server
# to receive their IP address allocation
# and DNS server addresses. You must first use
# your OS’s bridging capability to bridge the TAP
# interface with the ethernet NIC interface.
# Note: this mode only works on clients (such as
# Windows), where the client-side TAP adapter is
# bound to a DHCP client.
;server-bridge
# Push routes to the client to allow it
# to reach other private subnets behind
# the server. Remember that these
# private subnets will also need
# to know to route the OpenVPN client
# address pool (10.8.0.0/255.255.255.0)
# back to the OpenVPN server.
;push «route 192.168.10.0 255.255.255.0»
;push «route 192.168.20.0 255.255.255.0»
# To assign specific IP addresses to specific
# clients or if a connecting client has a private
# subnet behind it that should also have VPN access,
# use the subdirectory «ccd» for client-specific
# configuration files (see man page for more info).
# EXAMPLE: Suppose the client
# having the certificate common name «Thelonious»
# also has a small subnet behind his connecting
# machine, such as 192.168.40.128/255.255.255.248.
# First, uncomment out these lines:
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
# Then create a file ccd/Thelonious with this line:
# iroute 192.168.40.128 255.255.255.248
# This will allow Thelonious’ private subnet to
# access the VPN. This example will only work
# if you are routing, not bridging, i.e. you are
# using «dev tun» and «server» directives.
# EXAMPLE: Suppose you want to give
# Thelonious a fixed VPN IP address of 10.9.0.1.
# First uncomment out these lines:
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
# ifconfig-push 10.9.0.1 10.9.0.2
# Suppose that you want to enable different
# firewall access policies for different groups
# of clients. There are two methods:
# (1) Run multiple OpenVPN daemons, one for each
# group, and firewall the TUN/TAP interface
# for each group/daemon appropriately.
# (2) (Advanced) Create a script to dynamically
# modify the firewall in response to access
# from different clients. See man
# page for more info on learn-address script.
;learn-address ./script
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push «redirect-gateway def1 bypass-dhcp»
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push «dhcp-option DNS 208.67.222.222»
push «dhcp-option DNS 208.67.220.220»
# Uncomment this directive to allow different
# clients to be able to «see» each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server’s TUN/TAP interface.
;client-to-client
# Uncomment this directive if multiple clients
# might connect with the same certificate/key
# files or common names. This is recommended
# only for testing purposes. For production use,
# each client should have its own certificate/key
# pair.
#
# IF YOU HAVE NOT GENERATED INDIVIDUAL
# CERTIFICATE/KEY PAIRS FOR EACH CLIENT,
# EACH HAVING ITS OWN UNIQUE «COMMON NAME»,
# UNCOMMENT THIS LINE OUT.
;duplicate-cn
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# For extra security beyond that provided
# by SSL/TLS, create an «HMAC firewall»
# to help block DoS attacks and UDP port flooding.
#
# Generate with:
# openvpn —genkey tls-auth ta.key
#
# The server and each client must have
# a copy of this key.
# The second parameter should be ‘0’
# on the server and ‘1’ on the clients.
;tls-auth ta.key 0 # This file is secret
tls-crypt /etc/openvpn/myvpn.tlsauth
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
# Note that v2.4 client/server will automatically
# negotiate AES-256-GCM in TLS mode.
# See also the ncp-cipher option in the manpage
cipher AES-256-CBC
# Enable compression on the VPN link and push the
# option to the client (v2.4+ only, for earlier
# versions see below)
;compress lz4-v2
;push «compress lz4-v2»
# For compression compatible with older clients use comp-lzo
# If you enable it here, you must also
# enable it in the client config file.
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# It’s a good idea to reduce the OpenVPN
# daemon’s privileges after initialization.
#
# You can uncomment this out on
# non-Windows systems.
user nobody
group nobody
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the «Program FilesOpenVPNlog» directory).
# Use log or log-append to override this default.
# «log» will truncate the log file on OpenVPN startup,
# while «log-append» will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
# Notify the client that when the server restarts so it
# can automatically reconnect.
explicit-exit-notify 1
So, unsure how to fix this, any help would be appreciated!
Источник
I realized, after posting the below comment under the author’s question, it may prove helpful to offer the code required to generate the server and client certs properly with the correct EKUs.
-
Removing the EKU requirement is a bad idea all around and undermines the security of the VPN — it is not advised under any circumstance. If the «people running our VPN server» is a 3rd party, find another vendor, as they clearly don’t understand what they’re doing. If the individuals are in your company, address it directly with them to properly configure the VPN server, as they also don’t understand what they’re doing. The EKU in question prevents MITM attacks. Please see extendedKeyUsage section in this answer for the EKU definitions
I cover V3 Profiles, KUs, and EKUs within the openssl.cnf in more depth within this answer
VPN Server:
[ v3_vpn_server ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
extendedKeyUsage = critical, serverAuth
subjectAltName = @alt_vpn_server
keyUsage:nonRepudiation: Prevents signing entity from falsely denying some actiondigitalSignature: Used for entity and data origin authentication with integrityThe following two KUs allows use of all ciphers:
Choosing one or the other, and not both, limits the ciphers the server can utilizekeyEncipherment: Used to encrypt symmetric key, which is then transferred to targetkeyAgreement: Enables use of key agreement to establish symmetric key with target
extendedKeuUsage:serverAuth: Server authentication, distinguishing a server clients authenticate against
Required KUs:digitalSignature,keyEnciphermentorkeyAgreement
VPN Client:
[ v3_vpn_client ]
basicConstraints = critical, CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always, issuer:always
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = critical, clientAuth
subjectAltName = @alt_vpn_client
extendedKeuUsage:clientAuth: Client authentication, distinguishing a client as a client only
Required KUs:digitalSignatureand/orkeyAgreement
Посмотрите https://forum.altlinux.org/index.php?topic=8557.msg163936#msg163936
и ниже.
Что-то с ключами.
Создайте по новой. Попробуйте варианты.
Проверьте работу сервера.
В части предложенной ссылки:
Создайте по новой. Попробуйте варианты.
В приведенной ссылке сказано:
Шаг № 1 Получаем готовые файлы
/var/lib/ssl/private/vova.key
/var/lib/ssl/certs/openvpn-client-CA.crt
/var/lib/ssl/certs/vova.cert
А процедура их генерации какая правильная?
Если не «берем ранее полученные» а «если надо добавить windows-клиента», то … ?
Я для генерации использовал создание нового ключа в разделе управления ssl-ключами (через веб-интерфейс) и подписывал полученный ключ в сооветствующем разделе УЦ, далее получил файл ответа (pem), брал подписанный (в примере это vova.cert), файл ключа брал с сервера сертификации и openvpn-client-CA.crt — это pem удостоверяющего центра. Потом забирал файлы по указанным путям полученные сертификаты.
Есть вариант сгенерировать комплект ключей посредством консоли? Так чтобы они выпали в конкретное место?
А также возник вопрос/просьба объяснить алгоритм работы (логику):
Есть УЦ на одной машине, есть openvpn сервер на другой. Как они связаны? Как работает «обновление сертификатов», если я на openvpn-сервере создал сертификат, перенёс его руками на другой ПК и подписал в УЦ — процесс закончился тем, что я получил файл ответа — и дальше что? На сервере я не нашёл «слепка» подписанного сертификата. Если пользователь (или удалённая сеть), скажем по-турецки, ёк, то что? УЦ сменился и всем переделывать сертификаты (ибо не сохранив старый уц мы не можем пересоздать сертификаты, но они работают до окончания срока их работы). А автообновление сертификатов — на кой оно? Только для внутренних сервисов?
И да, сертификат openvpn-сервера подтверждает только логин соединения? Так как всё, что есть у vpn-сервера — это наименование соединения, а сертификат — это только подтверждения принадлежности устанавливающего соединение к имени, которым он предствляется?
Простите, если вопросы покажутся глупыми, но … пока я много чего не понимаю, или не правильно использую.
И вообще, правильно ли я понимаю, что в приведенном примере:
vova.key получаем на сервере сертификации
openvpn-client-CA.crt — корневой сертификат удостоверяющего центра
vova.cert — это файл ответа (исходно pem-файл, получаемый в УЦ)?
I am using PHP v7.2, on Windows 10 Computer and Composer version 1.9.0
composer create-project --prefer-dist laravel/laravel blog
I am trying to install Laravel and start a project using composer but getting the following error
OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
When I run composer diagnose getting below result
PS C:xampphtdocswebstore_services> composer diagnose
Checking platform settings: OK
Checking git settings: OK
Checking http connectivity to packagist: Warning: Accessing 192.168.1xx.2xx over http which is an insecure protocol.
OK
Checking https connectivity to packagist: [ComposerDownloaderTransportException] The "https://repo.packagist.org/packages.json" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking github.com rate limit: FAIL
[ComposerDownloaderTransportException] The "https://api.github.com/rate_limit" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
Checking disk free space: OK
Checking pubkeys:
Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642
Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952
OK
Checking composer version:
[ComposerDownloaderTransportException]
The "https://getcomposer.org/versions" file could not be downloaded: SSL operation failed with code 1. OpenSSL Error messages:
error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Failed to enable crypto
failed to open stream: operation failed
diagnose
I have tried almost every solution on the Internet
php -r "print_r(openssl_get_cert_locations());"
Result
(
[default_cert_file] => C:usrlocalssl/cert.pem
[default_cert_file_env] => SSL_CERT_FILE
[default_cert_dir] => C:usrlocalssl/certs
[default_cert_dir_env] => SSL_CERT_DIR
[default_private_dir] => C:usrlocalssl/private
[default_default_cert_area] => C:usrlocalssl
[ini_cafile] => C:xamppphpcacert.pem
[ini_capath] => C:xamppphpcacert.pem
)
How will I change the location of default_cert_file in this, Only this is left?
Since I am on Corporate Proxy I have set the env-variable of the proxy.
https_proxy : http://user:pass@host:port
http_proxy : http://user:pass@host:port
After everything I do, it doesn’t help me though.