The "provider" indeed regenerated the server/CA certificate without sending out new ones to the clients.
Unfortunately, OpenVPN does not include any details of the certificate in the error message (only the subject), so if the subject hasn't changed, in the error it looks like it is looking for the certificate you already have, but it is looking for a different certificate with the same subject.
Got a new .p12 file and it is working now, thanks!
Edit: Sorry people,
I just came around to trying the very same again in Windows, and guess what: it doesn't work anymore. I just have to believe the "provider" tinkered with the server/CA certificates again after issuing the client certificates. So, I guess that's kind of "invalid", but not "solved" for now, but many thanks to anyone who read this and wasted their mind power.
Can you tell I am pretty pissed?
Here goes the original text:
Hi there,
hope you can shed some light on an issue I have.
My current Gentoo won't connect to an OpenVPN server. The log shows:
Mar 3 20:10:17 xxx openvpn[1879]: TLS: Initial packet from [AF_INET]ip:port, sid=xxx xxx
Mar 3 20:10:17 xxx openvpn[1879]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: follows the CA certificate data
Mar 3 20:10:17 xxx openvpn[1879]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mar 3 20:10:17 xxx openvpn[1879]: TLS_ERROR: BIO read tls_read_plaintext error
Mar 3 20:10:17 xxx openvpn[1879]: TLS Error: TLS object -> incoming plaintext read error
Mar 3 20:10:17 xxx openvpn[1879]: TLS Error: TLS handshake failed
Mar 3 20:10:17 xxx openvpn[1879]: TCP/UDP: Closing socket
openvpn.conf:
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote xxx xxx
pkcs12 xxx.p12
cipher BF-CBC
verb 4
ns-cert-type server
askpass
* It DOES work in Win7 with this openvpn.conf (as client.ovpn, without the askpass) with OpenVPN 2.3.18.
* The server is not controlled by me, but by a "provider" I cannot really ask for Linux support or even for a logfile.
* It also does not work in Ubuntu 16.04 (OpenVPN 2.3.10 and OpenSSL 1.0.2g) or 17.10 (OpenVPN 2.4.x and OpenSSL 1.0.2g) - same error message.
* My Gentoo box has OpenVPN net-vpn/openvpn-2.4.4 and dev-libs/openssl-1.0.2n.
* I have tried using the openvpn service as well as openvpn --config client.ovpn.
* I already tried separating the p12 file to ca.crt, client.key and client.crt, resulting in the same error message.
* I also tried to install the ca.crt in /etc/ssl/certs and using the capath parameter, resulting in the same error message (both with the .p12 and separated).
* The "server" is rumored to be an IPCop instance and installed not long ago (so probably quite fresh).
* The .p12 file contains cert, ca-cert and key (protected) as expected.
If you know anything to try, please help.
Thank you very much!
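The situation described in this thread (a CA regenerated with the same subject, so OpenVPN's VERIFY ERROR names a CA that looks identical to the one already in the .p12), reproduced locally as an added example; this is not code from the original post. It assumes only the openssl command-line tool; all CAs, certificates and the .p12 (password "demo") are generated on the spot and are throwaway. The exact wording of the failure printed at the end depends on the OpenSSL version and on whether key identifiers are present in the certificates, so the script asserts only on pass/fail and on fingerprints.

```sh
#!/bin/sh
# Added example, not from the original post: regenerate a CA that keeps the
# SAME subject, and show why an error that prints only the subject cannot
# tell the two CAs apart, while the SHA-256 fingerprint can.
# Assumes only the openssl CLI; every certificate here is throwaway and the
# .p12 password "demo" is a constructed value.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Self-signed CA with a fixed subject (called twice: the "old" CA the client
# received in its .p12 and the "new" one the provider regenerated later).
make_ca() {                     # $1 = CA name -> $1.key, $1.pem
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Provider VPN CA" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# End-entity certificate signed by the named CA.
issue_cert() {                  # $1 = CA name, $2 = cert name, $3 = CN
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$2.csr" -CA "$1.pem" \
    -CAkey "$1.key" -CAcreateserial -out "$2.pem" >/dev/null 2>&1
}

# Bundle cert + key + CA cert into a .p12, the layout the poster received.
bundle_p12() {                  # $1 = cert name, $2 = CA name -> $1.p12
  openssl pkcs12 -export -in "$1.pem" -inkey "$1.key" -certfile "$2.pem" \
    -passout pass:demo -out "$1.p12"
}

# Pull the CA certificate back out of a .p12 (this is what OpenVPN trusts
# when the config uses the "pkcs12" directive).
p12_ca() {                      # $1 = p12 file, $2 = output PEM
  openssl pkcs12 -in "$1" -passin pass:demo -cacerts -nokeys -out "$2" \
    >/dev/null 2>&1
}

subject_of()     { openssl x509 -in "$1" -noout -subject; }
fingerprint_of() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# Verify a peer certificate the way a TLS client does: the peer's chain
# (-untrusted) carries the CA that really signed it, the trust store (-CAfile)
# holds the CA we were given. Returns 0 on success, 1 on failure.
verify_chain() {                # $1 = trusted CA PEM, $2 = CA PEM in chain, $3 = peer PEM
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Same check, but hand back the failure text for a human to read.
verify_error() {                # same arguments as verify_chain
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -i error || true
}

make_ca ca_old
make_ca ca_new                                  # new key pair, identical subject
issue_cert ca_old client client
issue_cert ca_old server_old vpn.example
issue_cert ca_new server_new vpn.example        # server re-issued under the new CA
bundle_p12 client ca_old
p12_ca client.p12 ca_from_p12.pem               # the CA the client actually trusts

echo "CA subject (old):     $(subject_of ca_old.pem)"
echo "CA subject (new):     $(subject_of ca_new.pem)"
echo "CA fingerprint (old): $(fingerprint_of ca_old.pem)"
echo "CA fingerprint (new): $(fingerprint_of ca_new.pem)"

verify_chain ca_from_p12.pem ca_old.pem server_old.pem && echo "server signed by old CA: OK"
verify_chain ca_from_p12.pem ca_new.pem server_new.pem || echo "server signed by new CA: FAILED"
verify_error ca_from_p12.pem ca_new.pem server_new.pem
```

The two subject lines print identically and only the fingerprints differ, which is the whole problem when a log line shows nothing but the subject. The practical check when a previously working profile starts failing like this is to extract the CA from your .p12 with `openssl pkcs12 -cacerts -nokeys` and compare its SHA-256 fingerprint with the one the provider currently hands out; a matching subject proves nothing.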