[CentOS7:OpenVPN] VERIFY ERROR: depth=0, error=certificate signature failure

Problems

  • On CentOS 7, OpenVPN fails to connect to the VPN.
  • The same OpenVPN configuration used to work on CentOS 6.5.

Errors

Sat Aug 30 10:52:03 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 14 2014
Sat Aug 30 10:52:06 2014 VERIFY OK: depth=1, C=XX, ST=XX, L=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Aug 30 10:52:06 2014 TLS Error: TLS object -> incoming plaintext read error
Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed
Sat Aug 30 10:52:06 2014 SIGUSR1[soft,tls-error] received, process restarting

Why did this happen?

The certificate used for OpenVPN is signed with MD5 and SHA1, which CentOS 7 does not accept by default.
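In the log above, depth=1 (the CA) verifies OK while depth=0 (the server certificate) fails, so the server certificate is the one to inspect; the usual check is `openssl x509 -in server.crt -noout -text` and reading its `Signature Algorithm` line. The following is an added example, not part of the original post, that does the same with Python's standard library only, so it can be run on a client that has no openssl binary; it is exercised on a constructed DER skeleton (hypothetical, not a real certificate) because the page contains no certificate.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055); MD5 is what CentOS 7 rejects by default.
SIG_ALG_OIDS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "weak"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "legacy"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "ok"),
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Convert DER OID content bytes to dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Return (oid, name, rating) for the outer signatureAlgorithm of a DER certificate."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { ... }
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate, skipped
    _, alg_id, _ = _read_tlv(cert, pos)    # signatureAlgorithm ::= AlgorithmIdentifier
    _, oid_bytes, _ = _read_tlv(alg_id, 0) # first element is the algorithm OID
    oid = _decode_oid(oid_bytes)
    return (oid,) + SIG_ALG_OIDS.get(oid, ("unknown", "unknown"))

def signature_algorithm_pem(pem_text):
    """Same check on PEM text, e.g. the file named by 'cert' in the .ovpn config."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return signature_algorithm(base64.b64decode("".join(m.group(1).split())))

# Constructed sample (hypothetical, not a real certificate): a DER skeleton that is
# syntactically a Certificate but carries a dummy tbsCertificate and signature value.
MD5_RSA_OID_DER = bytes.fromhex("06092a864886f70d010104")
def constructed_cert(oid_der):
    tbs = bytes.fromhex("3003020102")                                  # SEQUENCE { INTEGER 2 }
    alg = b"\x30" + bytes([len(oid_der) + 2]) + oid_der + b"\x05\x00"  # OID + NULL parameters
    body = tbs + alg + b"\x03\x02\x00\xaa"                             # + BIT STRING placeholder
    return b"\x30" + bytes([len(body)]) + body
```

A result of "weak" on the server certificate confirms the cause; the CA file can be checked the same way to see why depth=1 passed.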

How to resolve this problem?

There are two possible solutions:

  1. Generate a new certificate that is not signed with MD5
  2. Enable MD5 support on CentOS 7

How to enable MD5 support on CentOS 7?

  • Temporarily enable it (for the current shell session only):

export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1

  • Enable MD5 support through NetworkManager

$ sudo vim /usr/lib/systemd/system/NetworkManager.service

Append this to the unit file:

[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"

Then reload systemd and restart NetworkManager:

$ sudo systemctl daemon-reload
$ sudo systemctl restart NetworkManager.service
