CLOSED: Problems with Certificates, I think.

beaker2382
Posts: 8
Joined: Tue Oct 03, 2017 5:26 pm

Postby beaker2382 » Sun Oct 08, 2017 5:35 pm

Hello, I am a new user so I will try to make this as logical and concise as possible. I am having trouble connecting with OpenVPN. The error I see first in my client logs is

tls_process_server_certificate:certificate verify failed.
BIO read tls_read_plaintext error

I have left time stamps and error codes out for simplicity at this point; I have them if needed. My gut is telling me that the certs I downloaded from the OpenVPN client certificates wiki https://wiki.amahi.org/index.php/OpenVP ... rtificates don't match the ones that came installed on my server/installed with the OpenVPN server app. I have no idea what I'm looking at when I view the certs though, so I don't know what would look good and what would look bad.

Client and server time stamps are accurate to each other (~18seconds) and have proper timezone.

I ran a

$ dnf update

with no changes.

Here is a

$ apaste --sysinfo
https://da.gd/8imEe

I have Amahi 10 installed, the OpenVPN app installed on the server and the OpenVPN Android app installed on my phone (the only client I've tested thus far). The server service is installed and running per the Amahi dashboard, and also by viewing:

$ sudo systemctl status openvpn@amahi

The OpenVPN checker tool worked originally, but I've since changed the server listening port due to possible ISP firewalls, and since I wasn't connecting I tried a different port. The port has been forwarded through the router's firewall. The connection log (per the script above) on the server side shows that I made an attempt to connect a client, which says

TLS: Initial packet from [AF_INET]66.87.xxx.xxx:3640, sid=6fa8df63 5ea34133
TLS: new session incoming connection from [AF_INET]66.87.xxx.xxx:3640
TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, client-instance restarting

I would like to up the verbosity on this log, but I've forgotten how.

Also, I can use the Amahi anywhere android app from in and outside of my network, so I know that my server can be found from the internets.

I promise I've tried my damnedest and scoured the forums. Any help would be greatly appreciated and please keep things simple for me. Glad to provide any other info if needed!

Thanks everyone

edit: found the server connection log.

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Problems with Certificates, I think.

Postby bigfoot65 » Sun Oct 08, 2017 7:40 pm

My gut is telling me that the certs I downloaded from the OpenVPN client certificates wiki https://wiki.amahi.org/index.php/OpenVP ... rtificates don't match the ones that came installed on my server/installed with OpenVPN server app.
This should not be the case. The openvpn App certificates are synced/compatible with the ones from the wiki.

It's likely an issue with the setup of the client on your Android device.
OpenVPN checker tool worked originally, but I've since changed the server listening port due to possible ISP firewalls, and since I wasn't connecting I tried a different port.
Would be best if you put things back to the original state and diagnosed the issue from that point. Making changes as such only complicates the issue.

Ensure you have forwarded port 1194, UDP on your router. There are tools on the internet that help identify whether your ISP blocks ports. Check that first before making port changes.
ßîgƒσστ65
Applications Manager

My HDA: Intel(R) Core(TM) i5-3570K CPU @ 3.40GHz on MSI board, 16GB RAM, 1TBx1+2TBx2+4TBx2

beaker2382
Posts: 8
Joined: Tue Oct 03, 2017 5:26 pm

Re: Problems with Certificates, I think.

Postby beaker2382 » Mon Oct 09, 2017 7:00 am

Hello again, and thank you for the prompt reply. You may be correct on the client-side config error. but first:

I changed the server listening port back to the default 1194 UDP:

$ nano /etc/openvpn/amahi.conf

Now the OpenVPN checker tool shows a green bubble and says "install a client". I have, from my work computer and network, downloaded the Windows HDAconnect tool and that has successfully connected.

So, that seems to leave me with a problem on my android OpenVPN client config, exactly as you suggested. Any ideas or should I go ask on an OpenVPN forum?

I know the .key file gets downloaded as .key.txt and I have taken the .txt off. I have chosen the .key and .crt files to load through an app called OI File Manager. All other configuration is set per https://wiki.amahi.org/index.php/VPNAndroid.

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Problems with Certificates, I think.

Postby bigfoot65 » Tue Oct 10, 2017 4:55 am

So, that seems to leave me with a problem on my android OpenVPN client config, exactly as you suggested. Any ideas or should I go ask on an OpenVPN forum?
Not sure where the issue might be with your setup. I don't use Android, so I cannot be of much help.

Double check that you have completed all steps in the wiki. Verify the file names are correct. You might try uninstalling the Android app, then reinstalling and starting again from scratch.

beaker2382
Posts: 8
Joined: Tue Oct 03, 2017 5:26 pm

Re: Problems with Certificates, I think.

Postby beaker2382 » Tue Oct 10, 2017 6:33 am

I got it working!

I was tinkering around in the settings of the OpenVPN android client and I figured out how to make it work. I don't understand why it works, or more accurately, why this causes a conflict.

In the client configuration there is a page for "Authentication/Encryption" and on that page I have de-selected "Certificate Hostname Check: Checks the remote server certificate subject DN". I would assume that one would want this check to make sure that you are pointing at the correct server, no? There is also a fill box that allows me to edit the expected "remote certificate subject". I have a feeling that this box, currently containing "rdn: xxx.yourhda.com", could be edited to whatever the server cert says, but I don't know what to look for in this regard. Do you have any ideas?
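The setting that was switched off above is OpenVPN's expected-server-name check, written as `verify-x509-name` in a .ovpn file. The client compares the subject of the certificate the server presents against the value in the "remote certificate subject" box; with the "rdn" type, the certificate's Common Name (CN) must equal that string exactly, so a placeholder such as "xxx.yourhda.com" fails unless the server certificate really carries that CN, and OpenVPN's client enforces this inside certificate verification, so the mismatch surfaces as a verify failure. The value to put in the box is the CN that the server certificate actually has, which `openssl x509 -in <server.crt> -noout -subject` prints on the HDA (assuming the `cert` line in /etc/openvpn/amahi.conf points at that file). Disabling the check still leaves CA verification in place, but then any certificate signed by the same CA is accepted as the server unless `remote-cert-tls server` is also set. The following model of the check is an added example, not OpenVPN's or Amahi's code; the sample subject, the expected string and the function names are constructed for illustration.

```python
"""Model of the expected-server-name check that the Android client labels
"Certificate Hostname Check" and that a .ovpn file expresses as
`verify-x509-name`.

Added example for this thread, not OpenVPN's or Amahi's own code. The
subject DN below is CONSTRUCTED; the real value is whatever the HDA's server
certificate carries (see `openssl x509 -noout -subject`).
"""
import re
from typing import List, Optional, Tuple

# Constructed sample server subject, written the way OpenVPN prints subjects
# in its VERIFY log lines (attribute=value pairs separated by ", ").
SAMPLE_SUBJECT = "C=US, ST=CA, O=Amahi Example, OU=server, CN=vpn.example.home"

# Value assumed to sit in the client's "remote certificate subject" box,
# modelled on the placeholder quoted in the thread.
EXPECTED_FROM_THREAD = "xxx.yourhda.com"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN string into (attribute, value) pairs.

    Only the '\\,' escape inside values is handled; this is a model of the
    check, not a full RFC 4514 parser.
    """
    pairs = []
    for part in re.split(r"(?<!\\),\s*", dn.strip()):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        pairs.append((attr.strip().upper(), value.replace("\\,", ",")))
    return pairs


def common_name(subject: str) -> Optional[str]:
    """Return the CN attribute of a subject DN, or None if it has none."""
    for attr, value in parse_dn(subject):
        if attr == "CN":
            return value
    return None


def name_matches(expected: str, actual_subject: str, mode: str = "name") -> bool:
    """Decide whether the presented subject satisfies the client's expectation,
    following the three `verify-x509-name` types:

      subject      whole DN must match (OpenVPN's default type)
      name         CN must equal `expected`      (Android: "rdn")
      name-prefix  CN must start with `expected` (Android: "rdn prefix")
    """
    if mode == "subject":
        return parse_dn(expected) == parse_dn(actual_subject)
    cn = common_name(actual_subject)
    if cn is None:
        return False
    if mode == "name":
        return cn == expected
    if mode == "name-prefix":
        return cn.startswith(expected)
    raise ValueError(f"unknown verify-x509-name type: {mode!r}")


def ovpn_directive(expected: str, mode: str = "name") -> str:
    """Render the equivalent .ovpn line; values containing spaces are quoted."""
    value = f'"{expected}"' if " " in expected else expected
    return f"verify-x509-name {value} {mode}"


def suggested_directive(actual_subject: str) -> str:
    """Given the subject the server actually presented, produce the directive
    that pins the client to that server's CN instead of disabling the check."""
    cn = common_name(actual_subject)
    if cn is None:
        raise ValueError("server certificate has no CN; use the subject type")
    return ovpn_directive(cn, "name")


if __name__ == "__main__":
    for mode in ("name", "name-prefix"):
        ok = name_matches(EXPECTED_FROM_THREAD, SAMPLE_SUBJECT, mode)
        print(f"{mode:12s} expected={EXPECTED_FROM_THREAD!r}: {'OK' if ok else 'MISMATCH'}")
    print("fix instead of disabling the check:", suggested_directive(SAMPLE_SUBJECT))
```

In the Android client the same choice appears as the type selector next to the expected subject (complete DN, RDN, RDN prefix); in a .ovpn file the `name` type is the one to use for a server whose CN is stable, and the `subject` type when the whole DN should be pinned.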

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Problems with Certificates, I think.

Postby bigfoot65 » Tue Oct 10, 2017 7:31 am

In the client configuration there is a page for "Authentication/Encryption" and in that page I have DE-selected "Certificate Hostname Check: Checks the remote server certificate subject DN". I would assume that one would want this check to make sure that you are pointing at the correct server, no?
Not sure if this setting matters. I don't recall it in the wiki guidance. Although the wiki guidance is dated and the app may have evolved since it was documented.
There is also a fill box that allows me to edit the expected "remote certificate subject". I have a feeling that this box, currently containing "rdn: xxx.yourhda.com", could be edited to whatever the server cert says, but I don't know what to look for in this regard. Do you have any ideas?
No idea. If it's working, recommend you leave this alone. Seems like you are changing more settings than documented in the wiki. If you have time, it would be helpful to others if you could update the wiki.

Since you stated you have it working, can we mark this one as closed now?

beaker2382
Posts: 8
Joined: Tue Oct 03, 2017 5:26 pm

Re: Problems with Certificates, I think.

Postby beaker2382 » Tue Oct 10, 2017 8:06 am

yes, this can be closed.

I will try to figure out how to add to the wiki.

bigfoot65
Project Manager
Posts: 11924
Joined: Mon May 25, 2009 4:31 pm

Re: Problems with Certificates, I think.

Postby bigfoot65 » Tue Oct 10, 2017 9:01 am

Thanks!

Just request an account and the reason you need it.

Then once approved, it's pretty easy to update the page.

Will mark this one as closed.
