Problems
- On CentOS 7, OpenVPN fails to make a connection to the VPN.
- The same OpenVPN configuration used to work on CentOS 6.5.
Errors
Sat Aug 30 10:52:03 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 14 2014
Sat Aug 30 10:52:06 2014 VERIFY OK: depth=1, C=XX, ST=XX, L=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Aug 30 10:52:06 2014 TLS Error: TLS object -> incoming plaintext read error
Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed
Sat Aug 30 10:52:06 2014 SIGUSR1[soft,tls-error] received, process restarting
Why did this happen?
The certificate used for OpenVPN is signed with the legacy MD5 and SHA1 digests, and CentOS 7 does not accept MD5-signed certificates by default, so the client rejects the server certificate at depth=0.
How to resolve this problem?
There are two possible solutions:
- Generate a certificate without using MD5
- Enable MD5 support on CentOS 7
How to enable MD5 support on CentOS 7?
- Temporarily enable it (for the current shell session only).
export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1
- Enable MD5 support through NetworkManager
$ sudo vim /usr/lib/systemd/system/NetworkManager.service
Append this.
[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"
And reload systemd and restart the daemon:
$ sudo systemctl daemon-reload
$ sudo systemctl restart NetworkManager.service
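An added helper script (my own, not from the original post) that ties the two solutions together: it reads the signature algorithm of the certificate named in the OpenVPN config to confirm MD5 really is the cause, and writes the environment as a systemd drop-in rather than editing the unit file under /usr/lib, which the next NetworkManager package update would overwrite. It assumes openssl(1) and systemd are available; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes openssl(1) and
# systemd; function and file names below are my own choice.
set -eu

# Extract the first "Signature Algorithm:" line from `openssl x509 -text`
# output read on stdin.
parse_sig_alg() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Print the signature algorithm of a PEM certificate (e.g. the server or
# CA cert referenced by the OpenVPN config).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | parse_sig_alg
}

# Exit 0 when the algorithm name uses a digest CentOS 7 rejects by default
# or that should be retired anyway: MD2, MD4, MD5, SHA-1.
is_weak_digest() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *md2*|*md4*|*md5*|*sha1*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the MD5-enabling environment as a systemd drop-in. Argument: target
# directory (defaults to the real drop-in dir; pass a scratch dir to preview).
# Note this re-enables MD5 verification for everything NetworkManager runs,
# not only OpenVPN, so reissuing the certificate with SHA-256 is preferable.
write_nm_dropin() {
    dir="${1:-/etc/systemd/system/NetworkManager.service.d}"
    mkdir -p "$dir"
    printf '[Service]\nEnvironment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"\n' \
        > "$dir/10-openvpn-md5.conf"
    echo "$dir/10-openvpn-md5.conf"
}

# Stand-alone use: ./check-cert.sh /etc/openvpn/server.crt
if [ $# -ge 1 ]; then
    alg=$(cert_sig_alg "$1")
    if is_weak_digest "$alg"; then
        echo "$1: signed with $alg; reissue it with SHA-256, or add the drop-in"
        echo "(write_nm_dropin; systemctl daemon-reload; systemctl restart NetworkManager)"
    else
        echo "$1: signed with $alg; accepted on CentOS 7"
    fi
fi
```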