Hi Erich,

On 08/04/14 15:56, Erich Titl wrote:
> Hi folks
>
> After a long absence from OpenVPN I am running into the self signed
> certificate error all of a sudden.
>
> Tue Apr 08 14:47:53 2014 UDPv4 link local: [undef]
> Tue Apr 08 14:47:53 2014 UDPv4 link remote: 212.41.199.16:1194
> Tue Apr 08 14:47:53 2014 TLS: Initial packet from 212.41.199.16:1194,
> sid=dbc1ed8a 60de5e5e
> Tue Apr 08 14:47:58 2014 VERIFY ERROR: depth=1, error=self signed
> certificate in certificate chain:
> /C=CH/L=Aarau/O=KKG_Aarau/CN=KKG_Aarau_OpenVPN_CA
> Tue Apr 08 14:47:58 2014 TLS_ERROR: BIO read tls_read_plaintext error:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate
> verify failed
>
> Of course there is a self signed certificate in the chain, there must
> be. There is always a root which is not signed by anyone else.
>
> OK I never ran into this before and all the good ideas on the net are
> 'recreate the certificate'. This is not an option as it might make the
> error disappear, I still don't know why it is there at all and that
> needs explaining.
>
> Another Solution on the net is typically.... upgrade to a recent
> release. Well I believe in software decay but at that level... so not an
> option either.
>
> Anyone found a _real_ reason for this error?
>

openvpn (and openssl) will trust a self-signed certificate if it is used as a trusted CA cert; this is what the "ca ...." option is used for.

Which machine is reporting the error? The client or the server? Is the right CA cert installed on that machine? Do you use intermediate CAs (in which case you need to use certificate chains)?
You can also mail me the entire public certificate chain and I can check if there's something wrong with it.

Finally, the version of openvpn and esp openssl used DOES matter - so can you post which versions of openvpn and openssl you are using (and we'll both ignore the replies from people saying that openvpn 2.0.9 is no longer supported bla blah ;))

HTH,

JJK
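The trust-anchor behaviour described in the reply can be reproduced with the `openssl` command line; this is an added example, not part of the original thread. The CA and server certificate are throwaway ones constructed by the script, and the function names and subject names are made up for the demonstration.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA and server certificate (not from the thread).
make_chain() {  # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo_OpenVPN_CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 1 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

# The peer presents server.crt plus its CA, but the CA is only "untrusted"
# chain material here: the local trust store does not contain the demo CA.
# OpenSSL reports error 19 (self signed certificate in certificate chain).
verify_ca_untrusted() {
    openssl verify -untrusted "$1/ca.crt" "$1/server.crt" 2>&1 || true
}

# Same chain, but the self-signed CA is the local trust anchor, which is
# the role the "ca" option gives it in an OpenVPN config.
verify_ca_trusted() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" 2>&1 || true
}

# Fingerprint to compare the CA file installed on client and server.
ca_fingerprint() {
    openssl x509 -in "$1/ca.crt" -noout -fingerprint -sha256
}

demo() {
    d=$(mktemp -d) || return 1
    make_chain "$d" || { rm -rf "$d"; return 1; }
    echo "CA only presented by the peer:";  verify_ca_untrusted "$d"
    echo "CA configured as trust anchor:";  verify_ca_trusted "$d"
    ca_fingerprint "$d"
    rm -rf "$d"
}
demo
```

If the fingerprint of the file named by `ca` on the machine reporting the error differs from the CA that signed the peer's certificate, the first result is the one to expect.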