LinuxQuestions.org


worm5252 12-07-2010 07:50 AM

OpenVPN certificates failing error
 
Hey guys,
I am trying to set up an OpenVPN server using CentOS 5. I have installed everything, configs are good, server starts fine. I have generated my certificates using the easy-rsa 2.0 included with OpenVPN. I have downloaded all the certificates to my machine and set up my client to connect. I am having that typical problem everyone seems to have where my client says certificate verify failed. However I can use openssl on the server to verify and it is ok. What am I doing wrong here?

Code:

[root@GSFOVPNxxx01 openvpn]# openssl verify -CAfile ca.crt gg-jbloomer.crt
gg-jbloomer.crt: OK
[root@GSFOVPNxxx01 openvpn]#

client output
Code:

2010-12-07 08:44:33 MANAGEMENT: CMD 'hold release'
2010-12-07 08:44:33 SUCCESS: hold release succeeded
2010-12-07 08:44:33 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2010-12-07 08:44:33 Re-using SSL/TLS context
2010-12-07 08:44:33 LZO compression initialized
2010-12-07 08:44:33 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
2010-12-07 08:44:33 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
2010-12-07 08:44:33 Local Options hash (VER=V4): '41690919'
2010-12-07 08:44:33 Expected Remote Options hash (VER=V4): '530fdded'
2010-12-07 08:44:33 Socket Buffers: R=[42080->65536] S=[9216->65536]
2010-12-07 08:44:33 UDPv4 link local: [undef]
2010-12-07 08:44:33 UDPv4 link remote: 208.113.68.6:1194
2010-12-07 08:44:33
2010-12-07 08:44:33
2010-12-07 08:44:33  sid=56d529ca 9fa214c4
2010-12-07 08:44:33  error=certificate is not yet valid: /C=US/ST=GA/L=Atlanta/O=StarPound_Technologies/OU=IT/CN=StarPound_Technologies_CA/emailAddress=**MAKSED EMAIL TO PREVENT BOTS FROM GETTING IT**
2010-12-07 08:44:33 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
2010-12-07 08:44:33 TLS Error: TLS object -> incoming plaintext read error
2010-12-07 08:44:33 TLS Error: TLS handshake failed
2010-12-07 08:44:33 TCP/UDP: Closing socket
2010-12-07 08:44:33  process restarting
2010-12-07 08:44:33

I just don't get it, I have racked my brain and Google until my eyes bleed and cannot figure this one out. I am sure it is something simple that I am missing. Can anyone help?

szboardstretcher 12-07-2010 07:53 AM

The certificates are not valid "Yet"

So, check your times on your certs. As well as your timezone, offset, etc...

Sync times on machines as well.

worm5252 12-07-2010 08:12 AM

I found my time was off on my server but I adjusted it (ntpdate and timezone adjustment). I set crontab to do a time sync every 30 minutes. Now times match and I am still getting verification failed.

szboardstretcher 12-07-2010 08:14 AM

Quote:

Originally Posted by worm5252 (Post 4183482)
I found my time was off on my server but I adjusted it (ntpdate and timezone adjustment). I set crontab to do a time sync every 30 minutes. Now times match and I am still getting verification failed.

But -- when you created the certificates -- was the time off? Were they created correctly? With the correct timezone and all? Is there a valid date/time range on them that is some time in the future?

worm5252 12-07-2010 08:16 AM

Ironically, it connected this last time. Thanks for your help.
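
Added example (not part of the thread, and not any poster's code): the "certificate is not yet valid" error on the CA certificate comes from comparing the certificate's validity window with the local clock of whichever machine does the check, which is why `openssl verify` can report OK on the server while the client rejects the same chain. The sketch below parses the output of `openssl x509 -noout -dates -in ca.crt` and evaluates it against two clocks; the dates and both clock values are constructed for illustration.

```python
from datetime import datetime, timezone

# Date format printed by `openssl x509 -noout -dates`
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_dates(text):
    """Parse notBefore=/notAfter= lines into timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            parsed = datetime.strptime(value.strip(), OPENSSL_FMT)
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]

def check_validity(dates_text, now):
    """Return (status, seconds).

    seconds is the wait until the cert becomes valid, the time since it
    expired, or the validity remaining, depending on status.
    """
    not_before, not_after = parse_dates(dates_text)
    if now < not_before:
        return "not yet valid", int((not_before - now).total_seconds())
    if now > not_after:
        return "expired", int((now - not_after).total_seconds())
    return "ok", int((not_after - now).total_seconds())

# Constructed sample: a CA issued while the issuing host's clock ran 5 hours
# ahead of real time, so notBefore lies in the future for a correct clock.
CA_DATES = """notBefore=Dec  7 18:30:00 2010 GMT
notAfter=Dec  4 18:30:00 2020 GMT"""

# Constructed clocks (UTC): the server still runs fast, the client is correct.
SERVER_CLOCK = datetime(2010, 12, 7, 18, 44, 33, tzinfo=timezone.utc)
CLIENT_CLOCK = datetime(2010, 12, 7, 13, 44, 33, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, clock in (("server", SERVER_CLOCK), ("client", CLIENT_CLOCK)):
        status, seconds = check_validity(CA_DATES, clock)
        print(f"{name}: {status} ({seconds} s)")
```

Correcting the server clock afterwards does not change dates already written into issued certificates; a client with a correct clock accepts them only once real time passes `notBefore`, or after they are reissued.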


All times are GMT -5.