We are running an external certificate that was acquired through RapidSSL.
It appears that the wrong certs are being presented when you click "export configuration" within VPN Server. Before, it would be a self-signed certificate even when using an external certificate (RapidSSL in our case).
Here is the error:
Tue Apr 22 11:11:44 2014 OpenVPN 2.3.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [eurephia] [IPv6] built on Jan 8 2013
Enter Management Password:
Tue Apr 22 11:11:53 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 22 11:11:53 2014 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Tue Apr 22 11:11:53 2014 UDPv4 link local (bound): [undef]
Tue Apr 22 11:11:53 2014 UDPv4 link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Tue Apr 22 11:11:54 2014 VERIFY ERROR: depth=2, error=unable to get local issuer certificate: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Tue Apr 22 11:11:54 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Tue Apr 22 11:11:54 2014 TLS Error: TLS object -> incoming plaintext read error
Tue Apr 22 11:11:54 2014 TLS Error: TLS handshake failed
Tue Apr 22 11:11:54 2014 SIGUSR1[soft,tls-error] received, process restarting
Tue Apr 22 11:12:02 2014 ERROR: could not read Auth username/password/ok/string from management interface
Tue Apr 22 11:12:02 2014 Exiting due to fatal error
We were able to figure out a workaround and reproduce the problem by doing the following:
- When installing or attempting to connect to the VPN server when using an external certificate, we got the error and were unable to connect.
- Uninstalled VPN Server
- Set up a self-signed certificate
- Installed VPN Server
- Exported configuration and distributed it out to the clients, and it worked fine.
Then, to reproduce the problem:
- Uninstalled VPN Server
- Imported the external certificate from RapidSSL
- Installed VPN Server
- Exported configuration/certificates to all the devices
- Was unable to connect again, with the error shown in the client log file.
We are currently running a self-signed certificate and have access to the VPN server, but this is not acceptable because we connect from secure locations that do not allow access to services which use a self-signed certificate.
We have submitted a ticket but wanted to share the workaround for others if they are affected.
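
A triage sketch for the client log quoted in the post, added here as an example and not part of the original post or of the VPN Server product. It extracts the failing chain depth and certificate subject from the VERIFY ERROR line; the function names `triage` and `advise` and the advice wording are assumptions of this example.

```python
import re

# Three lines copied from the client log in the post above.
SAMPLE_LOG = """\
Tue Apr 22 11:11:53 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Tue Apr 22 11:11:54 2014 VERIFY ERROR: depth=2, error=unable to get local issuer certificate: C=US, O=GeoTrust Inc., CN=GeoTrust Global CA
Tue Apr 22 11:11:54 2014 TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.+)$")
# Splits "C=US, O=GeoTrust Inc., CN=..." without breaking on commas inside values.
DN_RE = re.compile(r"(\w+)=(.*?)(?:, (?=\w+=)|$)")

def triage(log_text):
    """Return one finding per security-relevant line of an OpenVPN client log."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            findings.append({
                "kind": "verify_error",
                "depth": int(m.group(1)),  # 0 = server certificate, higher = closer to the root
                "error": m.group(2).strip(),
                "subject": dict(DN_RE.findall(m.group(3).strip())),
            })
        elif "No server certificate verification method" in line:
            findings.append({"kind": "no_server_verification"})
        elif "TLS handshake failed" in line:
            findings.append({"kind": "handshake_failed"})
    return findings

def advise(finding):
    """Map a finding to what to check on the client side."""
    if finding["kind"] == "verify_error":
        cn = finding["subject"].get("CN", "?")
        if finding["error"] == "unable to get local issuer certificate":
            return (f"depth {finding['depth']}: issuer of '{cn}' is not in the client's "
                    "CA file; compare the exported CA bundle with the server chain")
        return f"depth {finding['depth']}: {finding['error']} for '{cn}'"
    if finding["kind"] == "no_server_verification":
        return "no server certificate check configured (see remote-cert-tls in the OpenVPN manual)"
    return "handshake aborted; resolve the verification finding first"

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(advise(f))
```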