OpenVPN error "Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication"

    • Hi everybody,

      I had OpenVPN working under OMV3 perfectly for quite a long time. After the upgrade to OMV4, I reinstalled the plugin and created a new certificate for my client using the GUI. If I now try to connect the client, I get the error mentioned above:

      Wed Jun 06 20:36:31 2018 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
      Wed Jun 06 20:36:31 2018 Windows version 6.2 (Windows 8 or greater) 64bit
      Wed Jun 06 20:36:31 2018 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
      Wed Jun 06 20:36:31 2018 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
      Wed Jun 06 20:36:31 2018 Need hold release from management interface, waiting...
      Wed Jun 06 20:36:31 2018 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'state on'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'log all on'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'echo all on'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'bytecount 5'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'hold off'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: CMD 'hold release'
      Wed Jun 06 20:36:31 2018 MANAGEMENT: >STATE:***,RESOLVE,,,,,,
      Wed Jun 06 20:36:31 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]***.***.***.***:1194
      Wed Jun 06 20:36:31 2018 Socket Buffers: R=[65536->65536] S=[65536->65536]
      Wed Jun 06 20:36:31 2018 UDP link local: (not bound)
      Wed Jun 06 20:36:31 2018 UDP link remote: [AF_INET]***.***.***.***:1194
      Wed Jun 06 20:36:31 2018 MANAGEMENT: >STATE:***,WAIT,,,,,,
      Wed Jun 06 20:36:31 2018 MANAGEMENT: >STATE:***,AUTH,,,,,,
      Wed Jun 06 20:36:31 2018 TLS: Initial packet from [AF_INET]***.***.***.***:1194, sid=***
      Wed Jun 06 20:36:31 2018 VERIFY OK: depth=1, CN=ChangeMe
      Wed Jun 06 20:36:31 2018 VERIFY KU OK
      Wed Jun 06 20:36:31 2018 Validating certificate extended key usage
      Wed Jun 06 20:36:31 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
      Wed Jun 06 20:36:31 2018 VERIFY EKU OK
      Wed Jun 06 20:36:31 2018 VERIFY OK: depth=0, CN=NAS


      What can I do?

      Best,
      Aiakos
    • Do all the configuration you need through the openmediavault web interface.

      After you are finished, log in with SSH, edit /etc/openvpn/server.conf and add the following to the end of the file:

      Source Code

      remote-cert-eku "TLS Web Server Authentication"
      Save and close. Restart openvpn server with:


      Shell-Script

      systemctl restart openvpn
      This should work until you make changes in the openmediavault web interface, which removes those lines.
    • Hi Chone,

      in the meantime - without having changed anything - I get this new error:

      Source Code

      Tue Jun 12 19:44:58 2018 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=***
      Tue Jun 12 19:44:58 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
      Tue Jun 12 19:44:58 2018 TLS_ERROR: BIO read tls_read_plaintext error
      Tue Jun 12 19:44:58 2018 TLS Error: TLS object -> incoming plaintext read error
      Tue Jun 12 19:44:58 2018 TLS Error: TLS handshake failed
      What does this mean?
    • Had the same problem, then I found this error in /var/log/openvpn.log:

      Source Code

      Wed Jul 18 11:46:23 2018 MYIP:46585 CRL: cannot read: /etc/openvpn/pki/crl.pem
      Wed Jul 18 11:46:23 2018 MYIP:46585 VERIFY ERROR: CRL not loaded

      so I did this in SSH and it works now.

      Shell-Script

      chown nobody:nogroup /etc/openvpn/pki/crl.pem
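
Added example, not part of the thread: a check that reports which path component stops the OpenVPN account from reading the CRL named in the log above. It assumes the server runs as nobody:nogroup after start-up (implied by the chown in the last post); the function names are hypothetical.

```python
import grp
import os
import pwd
import sys


def _class_allows(st, uid, gids, want):
    """Apply classic Unix mode-bit rules; `want` is 0o4 (read) or 0o1 (search)."""
    if uid == 0:
        return True  # root bypasses read/search mode bits
    if st.st_uid == uid:
        shift = 6  # owner class
    elif st.st_gid in gids:
        shift = 3  # group class
    else:
        shift = 0  # other class
    return bool((st.st_mode >> shift) & want)


def first_blocker(path, uid, gids, root="/"):
    """Return the first component under `root` that denies access, else None.

    Each directory on the way needs search (x); the file itself needs read (r).
    Mode bits only: ACLs, AppArmor/SELinux and chroot are not considered.
    """
    path, root = os.path.abspath(path), os.path.abspath(root)
    chain, current = [root], root
    for part in os.path.relpath(path, root).split(os.sep):
        current = os.path.join(current, part)
        chain.append(current)
    for i, comp in enumerate(chain):
        want = 0o4 if i == len(chain) - 1 else 0o1
        if not _class_allows(os.stat(comp), uid, gids, want):
            return comp
    return None


if __name__ == "__main__":
    # Assumed defaults: path from the log lines, account from the chown command.
    crl = sys.argv[1] if len(sys.argv) > 1 else "/etc/openvpn/pki/crl.pem"
    uid = pwd.getpwnam("nobody").pw_uid
    gids = {grp.getgrnam("nogroup").gr_gid}
    blocker = first_blocker(crl, uid, gids)
    print(f"{crl}: readable by nobody:nogroup" if blocker is None
          else f"{crl}: access denied at {blocker}")
```

A CRL holds no secret material, so read permission for the unprivileged account (for example mode 644 with root as owner) also satisfies this check without making nobody the owner of the file.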