[CentOS7:OpenVPN] VERIFY ERROR: depth=0, error=certificate signature failure
Problems
- On CentOS 7, OpenVPN fails to connect to the VPN.
- The same OpenVPN configuration used to work on CentOS 6.5.
Errors
Sat Aug 30 10:52:03 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 14 2014
Sat Aug 30 10:52:06 2014 VERIFY OK: depth=1, C=XX, ST=XX, L=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Aug 30 10:52:06 2014 TLS Error: TLS object -> incoming plaintext read error
Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed
Sat Aug 30 10:52:06 2014 SIGUSR1[soft,tls-error] received, process restarting
Why did this happen?
The certificate used by OpenVPN is signed with MD5 (and SHA-1), and CentOS 7 does not accept MD5 signatures by default, so the server certificate (depth=0) fails verification even though the CA (depth=1) is trusted.
How to resolve this problem?
There are two possible solutions:
- Generate a new certificate that is not signed with MD5 (the proper fix).
- Re-enable MD5 support on CentOS 7 (a workaround that keeps trusting a weak hash).
How to enable MD5 support on CentOS 7?
- Temporarily enable it (for the current shell only):
export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1
- Enable MD5 support through NetworkManager:
$ sudo vim /usr/lib/systemd/system/NetworkManager.service
Append this:
[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"
And restart the daemon:
$ sudo systemctl daemon-reload
$ sudo systemctl restart NetworkManager.service
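As an added check (not from the original post or the forum thread), the script below reports whether a PEM certificate carries an MD5 or SHA-1 signature, which tells you up front whether you need a new certificate or just the workaround, and whether a systemd unit currently has the MD5 override from the steps above. It assumes openssl and systemctl are on the PATH; the two parsing functions read text on stdin, so they can be exercised on constructed output as well.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumes openssl and
# systemctl are available; the two parsing functions read text on stdin.

# has_weak_sigalg: reads `openssl x509 -noout -text` output on stdin.
# Prints each distinct MD5/SHA-1 "Signature Algorithm" once and exits 0
# if any was found, 1 otherwise (the x509 text lists the algorithm twice).
has_weak_sigalg() {
    awk '
        /Signature Algorithm:/ && tolower($NF) ~ /md5|sha1/ {
            if (!seen[$NF]++) print $NF
            weak = 1
        }
        END { exit (weak ? 0 : 1) }
    '
}

# md5_override_enabled: reads `systemctl show -p Environment <unit>` output
# on stdin; exits 0 if the MD5 re-enable variables from the post are set.
md5_override_enabled() {
    grep -Eq 'OPENSSL_ENABLE_MD5_VERIFY=1|NSS_HASH_ALG_SUPPORT=\+MD5'
}

# audit_cert: check one PEM certificate and (optionally) a systemd unit.
# Exit status 1 when the certificate uses a weak signature algorithm.
audit_cert() {
    cert="$1"; unit="${2:-NetworkManager.service}"; rc=0
    if alg=$(openssl x509 -in "$cert" -noout -text | has_weak_sigalg); then
        echo "$cert: WEAK signature ($alg); regenerate the certificate"
        rc=1
    else
        echo "$cert: signature algorithm OK"
    fi
    if systemctl show -p Environment "$unit" 2>/dev/null | md5_override_enabled; then
        echo "$unit: MD5 verification is re-enabled (workaround still in place)"
    fi
    return $rc
}

# Usage: sh audit-cert.sh /etc/openvpn/client.crt [unit]   (paths are examples)
if [ "$#" -gt 0 ]; then
    audit_cert "$@"
fi
```

Run it against the client certificate and the CA certificate: a weak CA signature means the whole chain, not just the server certificate, needs reissuing.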
Original source: https://www.centos.org/forums/viewtopic.php?t=47210
I too ran into this problem, but I was not running NetworkManager so I did it (very) slightly differently.
I edited /usr/lib/systemd/system/openvpn-client@.service and added the "Environment" line to the "[Service]" section.
This way, only OpenVPN has the extra environment variables set.
My thanks for working out how to do this, and yes, the OpenVPN setup is scheduled to be upgraded. Adding the CentOS 7 system is the first step in that process.
#vi /usr/lib/systemd/system/openvpn-client@.service
------------------------------------- THIS WAS THE EARLIER VERSION -------
It took me a while to figure out why OpenVPN through NetworkManager was not working on CentOS 7 with old MD5 certificates, but I found a solution.
in:
/usr/lib/systemd/system/NetworkManager.service
[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"
systemctl daemon-reload
systemctl restart NetworkManager.service
The relevant error messages were:
and on openssl verify -CAfile ca.pem cert.pem
Worked perfectly, thanks!