OpenVPN error "Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication"


    • OpenVPN error "Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication"

      Hi everybody,

      I had OpenVPN working under OMV3 perfectly for quite a long time. After the upgrade to OMV4, I reinstalled the plugin and created a new certificate for my client using the GUI. If I now try to connect the client, I get the error mentioned above:

      Wed Jun 06 20:36:31 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
      Wed Jun 06 20:36:31 2018 Windows version 6.2 (Windows 8 or greater) 64bit
      Wed Jun 06 20:36:31 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
      Wed Jun 06 20:36:31 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
      Wed Jun 06 20:36:31 2018 Need hold release from management interface, waiting...
      Wed Jun 06 20:36:31 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'state on'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'log all on'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'echo all on'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'bytecount 5'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'hold off'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'hold release'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: >STATE:***,RESOLVE,,,,,,
      Wed Jun 06 20:36:31 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:1194
      Wed Jun 06 20:36:31 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
      Wed Jun 06 20:36:31 2018 UDP link local: (not bound)
      Wed Jun 06 20:36:31 2018 UDP link remote: [AF_INET]***.***.***.***:1194
      Wed Jun 06 20:36:31 2018 MANAGEMENT: >STATE:***,WAIT,,,,,,
      Wed Jun 06 20:36:31 2018 MANAGEMENT: >STATE:***,AUTH,,,,,,
      Wed Jun 06 20:36:31 2018 TLS: Initial packet from [AF_INET]***.***.***.***:1194, sid=***
      Wed Jun 06 20:36:31 2018 VERIFY OK: depth=1, CN=ChangeMe
      Wed Jun 06 20:36:31 2018 VERIFY KU OK
      Wed Jun 06 20:36:31 2018 Validating certificate extended key usage
      Wed Jun 06 20:36:31 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Wed Jun 06 20:36:31 2018 VERIFY EKU OK
      Wed Jun 06 20:36:31 2018 VERIFY OK: depth=0, CN=NAS


      What can I do?

      Best,
      Aiakos
    • Do all the configuration you need through the openmediavault web interface.

      After you are finished, log in with ssh, edit /etc/openvpn/server.conf and add the following to the end of the file:

          remote-cert-eku "TLS Web Server Authentication"

      Save and close. Restart openvpn server with:


          systemctl restart openvpn

      This should work until you make changes in the openmediavault web interface, which removes those lines.
    • Hi Chone,

      in the meantime - without having changed anything - I get this new error:

          Tue Jun 12 19:44:58 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=***
          Tue Jun 12 19:44:58 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
          Tue Jun 12 19:44:58 2018 TLS_ERROR: BIO read tls_read_plaintext error
          Tue Jun 12 19:44:58 2018 TLS Error: TLS object -> incoming plaintext read error
          Tue Jun 12 19:44:58 2018 TLS Error: TLS handshake failed

      What does this mean?
    • Had the same problem, then I found this error in /var/log/openvpn.log:

          Wed Jul 18 11:46:23 2018 MYIP:46585 CRL: cannot read: /etc/openvpn/pki/crl.pem
          Wed Jul 18 11:46:23 2018 MYIP:46585 VERIFY ERROR: CRL not loaded

      so I did this in SSH and it works now.

          chown nobody:nogroup /etc/openvpn/pki/crl.pem
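
The fix in the last post works because OpenVPN re-reads the CRL on every connection, after it has dropped privileges. As an added example (not part of the thread or of the openmediavault plugin), this script reads the `user`, `group` and `crl-verify` directives from a server config and reports whether that account can read the CRL. The `ovpn-example` account and the temporary files in `demo` are constructed; GNU `stat` and an absolute `crl-verify` path are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): can the account OpenVPN drops to
# read the CRL named in the server config?

# First argument of a config directive, e.g. `conf_value user server.conf`.
conf_value() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Prints a verdict; returns 0 if readable, 1 if not. Judged from owner,
# group and mode bits only: supplementary groups, ACLs and the permissions
# of parent directories are not examined. Assumes GNU stat and an absolute
# crl-verify path pointing at a file.
check_crl() {
    conf=$1
    crl=$(conf_value crl-verify "$conf")
    user=$(conf_value user "$conf")
    group=$(conf_value group "$conf")
    [ -n "$crl" ] || { echo "no crl-verify directive"; return 0; }
    [ -f "$crl" ] || { echo "FAIL $crl: missing or not a file"; return 1; }
    # Without a user directive (or with root) the daemon can read the file.
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "OK $crl: no privilege drop"; return 0
    fi
    set -- $(stat -c '%U %G %a' "$crl")
    owner=$1 fgroup=$2 bits=$((0$3))
    if [ "$owner" = "$user" ]; then want=$((0400))
    elif [ "$fgroup" = "$group" ]; then want=$((0040))
    else want=$((0004)); fi
    if [ $((bits & want)) -ne 0 ]; then
        echo "OK $crl: readable by $user:$group"
    else
        echo "FAIL $crl: $owner:$fgroup mode $3 not readable by $user:$group"
        return 1
    fi
}

# Constructed sample: a mode-600 CRL owned by the invoking user and a config
# that drops to the hypothetical account "ovpn-example".
demo() {
    d=$(mktemp -d) && : > "$d/crl.pem" && chmod 600 "$d/crl.pem"
    printf 'user ovpn-example\ngroup ovpn-example\ncrl-verify %s\n' "$d/crl.pem" > "$d/server.conf"
    check_crl "$d/server.conf"; rc=$?
    rm -rf "$d"; return "$rc"
}
if [ $# -gt 0 ]; then check_crl "$1"; else demo || true; fi
```

Run it with the path of the server config as its only argument, for example `/etc/openvpn/server.conf`; with no argument it runs the constructed demo, which reports FAIL.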