OpenVPN OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed

[bryn1u]

Hey guys,
I can't establish connection with server. Im getting errors like below:

bryn1u@bryn1u:~/vpn$ openvpn --config client.conf
Sun Dec  3 17:16:15 2017 OpenVPN 2.4.3 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul  3 2017
Sun Dec  3 17:16:15 2017 library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
Sun Dec  3 17:16:15 2017 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  3 17:16:15 2017 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Sun Dec  3 17:16:15 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]91.121.78.120:1194
Sun Dec  3 17:16:15 2017 Socket Buffers: R=[212992->212992] S=[212992->212992]
Sun Dec  3 17:16:15 2017 UDP link local: (not bound)
Sun Dec  3 17:16:15 2017 UDP link remote: [AF_INET]91.121.78.120:1194
Sun Dec  3 17:16:15 2017 TLS: Initial packet from [AF_INET]91.121.78.120:1194, sid=9ae6a98e ea3d391e
Sun Dec  3 17:16:15 2017 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=PL, ST=Protonowo, L=Proton, O=proton.edu.pl, OU=Proton, CN=Proton, name=Proton, emailAddress=bryn1u@protonmail.ch
Sun Dec  3 17:16:15 2017 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Sun Dec  3 17:16:15 2017 TLS_ERROR: BIO read tls_read_plaintext error
Sun Dec  3 17:16:15 2017 TLS Error: TLS object -> incoming plaintext read error
Sun Dec  3 17:16:15 2017 TLS Error: TLS handshake failed
Sun Dec  3 17:16:15 2017 SIGUSR1[soft,tls-error] received, process restarting
Sun Dec  3 17:16:15 2017 Restart pause, 5 second(s)
^CSun Dec  3 17:16:16 2017 SIGINT[hard,init_instance] received, process exiting

openvpn server config

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key 

dh dh4096.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt

duplicate-cn
keepalive 10 120
tls-auth ta.key 0

cipher AES-256-CBC

persist-key
persist-tun

log         openvpn.log
log-append  openvpn.log

verb 3
mute 20

explicit-exit-notify 1

Client config:

bryn1u@bryn1u:~/vpn$ ls
bryn1u.crt  bryn1u.csr  bryn1u.key  ca.crt  client.conf  ta.key

client.config

dev tun
proto udp
remote 91.121.78.120 1194

resolv-retry infinite
nobind

persist-key
persist-tun

ca ca.crt
cert bryn1u.crt
key bryn1u.key


remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC

verb 3

mute 20

I don't see any issues in file configs. Someone can help ?
Thank you,

 

[aragats]

I would suggest using full path for the certificates and keys.
Are your paths relative to /usr/local/etc/openvpn?

 

[scottro]

Is there any chance the server is still using md5? At one point, being slow to update, I had to do things like

OPENSSL_ENABLE_MD5_VERIFY=1 openvpn <config_file>

I only mention this because I have a VERY vague memory of the error being almost the same (and not mentioning md5 in the error message. Probably a waste of your time, in which case, I apologize.

 

[SirDice]

It looks to be a self-signed certificate, which means the client needs to have access to the self-signed CA certificate or else it won't be able to verify the server's certificate.