OpenVPN certificate verify error in Red Hat Enterprise Linux 7
Issue
- A user has a problem with setting up an openvpn connection with an MD5 signed certificate. I already tried to add the following line to /usr/lib/systemd/system/NetworkManager.service:
  Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"
  but this does not solve the error, also not after a reboot.
- The following errors are reported when trying to establish an openvpn connection:
Mon Jan 16 15:59:49 2017 us=187582 Data Channel MTU parms [ L:1576 D:1450 EF:44 EB:143 ET:32 EL:3 AF:3/1 ]
Mon Jan 16 15:59:49 2017 us=187635 Local Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mon Jan 16 15:59:49 2017 us=187646 Expected Remote Options String: 'V4,dev-type tap,link-mtu 1576,tun-mtu 1532,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mon Jan 16 15:59:49 2017 us=187662 Local Options hash (VER=V4): '34fdf001'
Mon Jan 16 15:59:49 2017 us=187675 Expected Remote Options hash (VER=V4): '3e7d1066'
Mon Jan 16 15:59:49 2017 us=187689 Attempting to establish TCP connection with [AF_INET]10.10.10.20:80 [nonblock]
Mon Jan 16 15:59:50 2017 us=187841 TCP connection established with [AF_INET]10.10.10.20:80
Mon Jan 16 15:59:50 2017 us=187910 TCPv4_CLIENT link local: [undef]
Mon Jan 16 15:59:50 2017 us=187921 TCPv4_CLIENT link remote: [AF_INET]10.10.10.20:80
Mon Jan 16 15:59:50 2017 us=224005 TLS: Initial packet from [AF_INET]10.10.10.20:80, sid=dc51c6f6 c3be5add
Mon Jan 16 15:59:50 2017 us=837302 VERIFY OK: depth=4, CN=Example Root CA, O=Example, OU=Foo Bar, C=US, ST=New York, L=New York
Mon Jan 16 15:59:50 2017 us=837385 VERIFY ERROR: depth=3, error=certificate signature failure: CN=Example Root CA, O=Example, OU=Foo Bar
Mon Jan 16 15:59:50 2017 us=837435 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jan 16 15:59:50 2017 us=837448 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jan 16 15:59:50 2017 us=837456 TLS Error: TLS object -> incoming plaintext read error
Mon Jan 16 15:59:50 2017 us=837461 TLS Error: TLS handshake failed
Mon Jan 16 15:59:50 2017 us=837500 Fatal TLS error (check_tls_errors_co), restarting
Mon Jan 16 15:59:50 2017 us=837522 TCP/UDP: Closing socket
Mon Jan 16 15:59:50 2017 us=837580 SIGUSR1[soft,tls-error] received, process restarting
Mon Jan 16 15:59:50 2017 us=837613 Restart pause, 5 second(s)
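To see which element of the certificate chain is rejected, the VERIFY lines can be pulled out of the log and read by depth. The following is an added example, not part of the original article; the function names are hypothetical and the sample input is constructed from the log lines above.

```python
import re

# Constructed sample: the VERIFY lines and the TLS failure from the log above.
SAMPLE_LOG = """\
Mon Jan 16 15:59:50 2017 us=837302 VERIFY OK: depth=4, CN=Example Root CA, O=Example, OU=Foo Bar, C=US, ST=New York, L=New York
Mon Jan 16 15:59:50 2017 us=837385 VERIFY ERROR: depth=3, error=certificate signature failure: CN=Example Root CA, O=Example, OU=Foo Bar
Mon Jan 16 15:59:50 2017 us=837435 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Jan 16 15:59:50 2017 us=837500 Fatal TLS error (check_tls_errors_co), restarting
"""

# Matches "VERIFY OK: depth=N, <subject>" and
# "VERIFY ERROR: depth=N, error=<reason>: <subject>" as shown in the log.
VERIFY_RE = re.compile(
    r"VERIFY (?P<status>OK|ERROR): depth=(?P<depth>\d+), "
    r"(?:error=(?P<error>[^:]+): )?(?P<subject>.+)$"
)

def parse_subject(dn):
    """Split 'CN=a, O=b' into a dict (assumes no ', ' inside values)."""
    return dict(part.split("=", 1) for part in dn.split(", ") if "=" in part)

def chain_results(log_text):
    """Return one record per VERIFY line, in log order."""
    results = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            results.append({
                "ok": m["status"] == "OK",
                "depth": int(m["depth"]),
                "error": m["error"],  # None on VERIFY OK lines
                "subject": parse_subject(m["subject"]),
            })
    return results

def first_failure(log_text):
    """Return the first failing chain element, or None if all verified."""
    return next((r for r in chain_results(log_text) if not r["ok"]), None)

if __name__ == "__main__":
    failure = first_failure(SAMPLE_LOG)
    if failure:
        print(f"depth {failure['depth']}: {failure['error']} "
              f"({failure['subject'].get('CN')})")
```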
Environment
- Red Hat Enterprise Linux 7
- OpenVPN