openvpn
Konstantin Dolgov, 2020-05-21 03:19:38

OpenVPN does not work with self-generated OpenSSL certificates. How to fix?

I decided to set up OpenVPN to access my home LAN. The OpenVPN server was configured according to these instructions. With EasyRSA, setup went smoothly.
However, I decided to make a separate CA according to these instructions and generated server and client certificates.
This is where the problem arose.
I'm trying to connect through a client on Windows 7. The client highlights an error in red:

VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=RU, ST=Moscow, O=***, OU=***, CN=intermediate1, emailAddress=***
Thu May 21 02:29:10 2020 us=833862 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Thu May 21 02:29:10 2020 us=833862 TLS_ERROR: BIO read tls_read_plaintext error
Thu May 21 02:29:10 2020 us=833862 TLS Error: TLS object -> incoming plaintext read error
Thu May 21 02:29:10 2020 us=833862 TLS Error: TLS handshake failed
Thu May 21 02:29:10 2020 us=833862 Fatal TLS error (check_tls_errors_co), restarting

Please explain what I am doing wrong, and how to fix it?
OpenVPN server hardware: Raspberry Pi 3b.
OpenSSL CA hardware: Raspberry Pi Zero.


2 answers
res2001, 2020-05-21
@knstantin

VERIFY ERROR

unable to get issuer certificate

You may have generated a server certificate signed by one CA key, and a client certificate by another CA.
You may not have attached the new CA certificate for the server, etc.
In general, the CA certificate must be the same for the server and the client, the server and client keys must be signed by the same CA. The paths in the server and client configs must point to the correct certificates.
easyrsa is just a lightweight wrapper around openssl, so the gist is the same. Both options should work.
easyrsa uses its own config file for openssl, maybe there are some differences from what you used in the second option, compare them.
You can also compare the openssl commands used.

Alexey Dmitriev, 2020-05-21
@SignFinder

Your CA certificate must be in the Trusted Root Certification Authorities on the client machine.
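
Both answers come down to the same check: the certificate the server presents must chain, through intermediate1, to a root that the client's "ca" file actually contains. The script below is an added example, not code from the question or from either answer; it builds a constructed root -> intermediate1 -> server chain with openssl (made-up subjects and file names) and runs that check three ways, reproducing the failing case from the question's log and the two layouts that pass.

```shell
#!/bin/sh
# Added example (not from the question or answers): rebuild a root -> intermediate1 -> server
# chain and check the server cert the way an OpenVPN client does, i.e. only against the file
# given to its "ca" directive. All names and subjects are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/C=XX/ST=Example/O=Example Org"

make_chain() {
  cd "$WORK"
  # self-signed root CA (openssl req -x509 marks it CA:TRUE by default)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "$SUBJ/CN=root" -days 3650 >/dev/null 2>&1
  # intermediate CA signed by the root; without CA:TRUE the leaf would not verify
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -newkey rsa:2048 -nodes -keyout intermediate1.key -out intermediate1.csr \
    -subj "$SUBJ/CN=intermediate1" >/dev/null 2>&1
  openssl x509 -req -in intermediate1.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 1825 -out intermediate1.crt >/dev/null 2>&1
  # server certificate signed by the intermediate
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
    -subj "$SUBJ/CN=server" >/dev/null 2>&1
  openssl x509 -req -in server.csr -CA intermediate1.crt -CAkey intermediate1.key \
    -CAcreateserial -extfile leaf.ext -days 365 -out server.crt >/dev/null 2>&1
}

# Verify server.crt against ONLY the given CA file (no system store), as the "ca" directive does.
verify_against() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}
# Returns 0 when all three checks behave as expected.
demo() {
  make_chain
  cd "$WORK"
  # 1. ca = intermediate1 only: chain stops at depth 1 with "unable to get
  #    issuer certificate", the error in the question. Must fail.
  verify_against intermediate1.crt && return 1
  # 2. ca = root + intermediate1 concatenated (what the client's "ca" file needs
  #    when the server sends only its own certificate). Must pass.
  cat root.crt intermediate1.crt > ca-bundle.crt
  verify_against ca-bundle.crt || return 1
  # 3. ca = root only, intermediate sent by the server as a chain cert
  #    (OpenVPN --extra-certs); here simulated with -untrusted. Must pass.
  openssl verify -no-CAfile -no-CApath -CAfile root.crt -untrusted intermediate1.crt \
    server.crt >/dev/null 2>&1 || return 1
}

demo
echo "chain checks behaved as expected"
```

Run `openssl verify -CAfile <your ca file> server.crt` against the exact file your client config points at; if it prints "unable to get issuer certificate" at depth 1, the root is missing from that file.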
