Hi Erich,

On 08/04/14 18:03, Erich Titl wrote:
> Hi JJK
>
> at 08.04.2014 15:09, Jan Just Keijser wrote:
>> Hi Erich,
>>
>
> For simplicity I upgraded the client to 2.3.2 and I am seeing the same
> error.
>
> Tue Apr 08 16:58:09 2014 OpenVPN 2.3.2 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Aug 22 2013
> Enter Management Password:
> Tue Apr 08 16:58:09 2014 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
> Tue Apr 08 16:58:09 2014 Need hold release from management interface, waiting...
> Tue Apr 08 16:58:09 2014 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
> Tue Apr 08 16:58:09 2014 MANAGEMENT: CMD 'state on'
> Tue Apr 08 16:58:09 2014 MANAGEMENT: CMD 'log all on'
> Tue Apr 08 16:58:09 2014 MANAGEMENT: CMD 'hold off'
> Tue Apr 08 16:58:09 2014 MANAGEMENT: CMD 'hold release'
> Tue Apr 08 16:58:13 2014 MANAGEMENT: CMD 'password [...]'
> Tue Apr 08 16:58:13 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> Tue Apr 08 16:58:13 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
> Tue Apr 08 16:58:13 2014 UDPv4 link local: [undef]
> Tue Apr 08 16:58:13 2014 UDPv4 link remote: [AF_INET]212.41.199.16:1194
> Tue Apr 08 16:58:13 2014 MANAGEMENT: >STATE:1396972693,WAIT,,,
> Tue Apr 08 16:58:13 2014 MANAGEMENT: >STATE:1396972693,AUTH,,,
> Tue Apr 08 16:58:13 2014 TLS: Initial packet from [AF_INET]212.41.199.16:1194, sid=5aa2468d c6702727
> Tue Apr 08 16:58:17 2014 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=CH/L=Aarau/O=KKG Aarau/CN=KKG Aarau OpenVPN CA
> Tue Apr 08 16:58:17 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Tue Apr 08 16:58:17 2014 TLS Error: TLS object -> incoming plaintext read error
> Tue Apr 08 16:58:17 2014 TLS Error: TLS handshake failed
> Tue Apr 08 16:58:17 2014 SIGUSR1[soft,tls-error] received, process restarting
> Tue Apr 08 16:58:17 2014 MANAGEMENT: >STATE:1396972697,RECONNECTING,tls-error,,
> Tue Apr 08 16:58:17 2014 Restart pause, 2 second(s)
> Tue Apr 08 16:58:19 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
> Tue Apr 08 16:58:19 2014 UDPv4 link local: [undef]
> Tue Apr 08 16:58:19 2014 UDPv4 link remote: [AF_INET]212.41.199.16:1194
> Tue Apr 08 16:58:19 2014 MANAGEMENT: >STATE:1396972699,WAIT,,,
> Tue Apr 08 16:58:20 2014 MANAGEMENT: >STATE:1396972700,AUTH,,,
> Tue Apr 08 16:58:20 2014 TLS: Initial packet from [AF_INET]212.41.199.16:1194, sid=40e377b6 11418edf
> Tue Apr 08 16:58:26 2014 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=CH/L=Aarau/O=KKG Aarau/CN=KKG Aarau OpenVPN CA
> Tue Apr 08 16:58:26 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Tue Apr 08 16:58:26 2014 TLS Error: TLS object -> incoming plaintext read error
> Tue Apr 08 16:58:26 2014 TLS Error: TLS handshake failed
> Tue Apr 08 16:58:27 2014 SIGUSR1[soft,tls-error] received, process restarting
> Tue Apr 08 16:58:27 2014 MANAGEMENT: >STATE:1396972707,RECONNECTING,tls-error,,
> Tue Apr 08 16:58:27 2014 Restart pause, 2 second(s)
> Tue Apr 08 16:58:29 2014 Socket Buffers: R=[8192->8192] S=[8192->8192]
> Tue Apr 08 16:58:29 2014 UDPv4 link local: [undef]
> Tue Apr 08 16:58:29 2014 UDPv4 link remote: [AF_INET]212.41.199.16:1194
> Tue Apr 08 16:58:29 2014 MANAGEMENT: >STATE:1396972709,WAIT,,,
> Tue Apr 08 16:58:29 2014 MANAGEMENT: >STATE:1396972709,AUTH,,,
> Tue Apr 08 16:58:29 2014 TLS: Initial packet from [AF_INET]212.41.199.16:1194, sid=642af490 1d818b4e
> Tue Apr 08 16:58:31 2014 SIGTERM[hard,] received, process exiting
> Tue Apr 08 16:58:31 2014 MANAGEMENT: >STATE:1396972711,EXITING,SIGTERM,,
>
> I can send you the certificates in use

please do, and include the server cert as well.
The client seems to reject the server-supplied certificate. Do the CA certs on both client and server match? The client needs to know the CA cert that the server cert was signed with; it does not actually need the CA cert that the client-side cert was signed with.

cheers,

JJK
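
The CA mismatch described in the reply above can be reproduced offline with the openssl command line. This is an added example, not part of the original message; the CA names (server-ca, other-ca), the subject demo-server and all file paths are constructed for the demo. It checks a server certificate the way a client does, once trusting the CA that signed it and once trusting a different CA while the server still sends its own CA in the chain.

```shell
#!/usr/bin/env bash
# Constructed demo: every name and path below is made up for this example.

# make_ca DIR NAME: create a self-signed CA (NAME.key, NAME.crt) in DIR.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_server_cert DIR CA_NAME: issue DIR/server.crt signed by that CA.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -days 2 -out "$1/server.crt" 2>/dev/null
}

# client_verify CLIENT_CA SENT_CHAIN SERVER_CERT
# CLIENT_CA is what the client trusts (its "ca" file); SENT_CHAIN is the
# untrusted chain the server presents. Prints "OK" or "<error>@<depth>".
client_verify() {
  out=$(openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1) || true
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" |
         sed -n 's/^error \([0-9]*\) at \([0-9]*\) depth.*/\1@\2/p' | head -n 1 ;;
  esac
}

demo() {
  d=$(mktemp -d)
  make_ca "$d" server-ca      # CA that really signed the server cert
  make_ca "$d" other-ca       # a different CA, e.g. the one for client certs
  make_server_cert "$d" server-ca
  echo "client trusts server-ca: $(client_verify "$d/server-ca.crt" "$d/server-ca.crt" "$d/server.crt")"
  echo "client trusts other-ca:  $(client_verify "$d/other-ca.crt" "$d/server-ca.crt" "$d/server.crt")"
  rm -rf "$d"
}
demo
```

OpenSSL verification error 19 at depth 1 is the same "self signed certificate in certificate chain" condition that appears at depth=1 in the quoted log: the chain ends in a root that the client's CA file does not contain.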