# [Solved] OpenVPN not working in Linux, but in Windows

## Qcumber-some

Edit2:

The "provider" indeed regenerated the server/CA certificate without sending out new ones to the clients.

Unfortunately, OpenVPN does not include any details of the certificate in the error message (only the subject), so if the subject hasn't changed, in the error it looks like it is looking for the certificate you already have, but it is looking for a different certificate with the same subject.

Got a new .p12 file and it is working now, thanks!

Edit: Sorry people,

I just came around trying the very same again in Windows, and guess what: it doesn't work anymore. I just have to believe the "provider" tinkered again on the server/CA certificates after issuing the client certificates. So, I guess that's kind of "invalid", but not "solved" for now, but many thanks to anyone who read this and wasted their mind power.

Can you tell I am pretty pissed?

Here goes the original text:

Hi there,

hope you can shed some light on an issue I have.

My current Gentoo won't connect to an OpenVPN server. The log shows:

```
Mar  3 20:10:17 xxx openvpn[1879]: TLS: Initial packet from [AF_INET]ip:port, sid=xxx xxx
Mar  3 20:10:17 xxx openvpn[1879]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: follows the CA certificate data
Mar  3 20:10:17 xxx openvpn[1879]: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mar  3 20:10:17 xxx openvpn[1879]: TLS_ERROR: BIO read tls_read_plaintext error
Mar  3 20:10:17 xxx openvpn[1879]: TLS Error: TLS object -> incoming plaintext read error
Mar  3 20:10:17 xxx openvpn[1879]: TLS Error: TLS handshake failed
Mar  3 20:10:17 xxx openvpn[1879]: TCP/UDP: Closing socket
```

I have read lots and lots of search results from search engines, and it is apparently not one of the easier to spot issues. Following are some more details:

openvpn.conf:

```
tls-client
client
dev tun
proto udp
tun-mtu 1400
remote xxx xxx
pkcs12 xxx.p12
cipher BF-CBC
verb 4
ns-cert-type server
askpass
```

Some more things to know:

* It DOES work in Win7 with this openvpn.conf (as client.ovpn, without the askpass) with OpenVPN 2.3.18.

* The server is not controlled by me, but by a "provider" I can not really ask for Linux support or even for a logfile.

* It also does not work in Ubuntu 16.04 (OpenVPN 2.3.10 and OpenSSL 1.0.2g) or 17.10 (OpenVPN 2.4.x and OpenSSL 1.0.2g) - same error message.

* My Gentoo box has OpenVPN net-vpn/openvpn-2.4.4 and dev-libs/openssl-1.0.2n .

* I have tried using the openvpn service as well as openvpn --config client.ovpn.

* I already tried separating the p12 file to ca.crt, client.key and client.crt, resulting in the same error message.

* I also tried to install the ca.crt in /etc/ssl/certs and using capath parameter, resulting in the same error message (both with the .p12 and separated).

* The "server" is rumored to be an IPCop instance and installed not long ago (so probably quite fresh).

* The .p12 file contains cert, ca-cert and key (protected) as expected.

I expect the problem to be some fundamental difference between the Windows build of OpenVPN and the Linux builds in general, but I cannot find anything. Surely somebody must have tried the same?

If you know anything to try, please help :)

Thank you very much!

Last edited by Qcumber-some on Tue Mar 06, 2018 8:31 am; edited 1 time in total

----------

## mike155

Cryptography is difficult. The most difficult part is not the maths, but the stupid and misleading error messages you get from programs and libraries if something doesn't work.

I guess OpenVPN wants to tell you: I was able to establish a connection to the server and the server sent me its server certificate. I tried to verify the server certificate using the CA certificate - and that failed. I won't tell you the reason why it failed, because that would make it too easy for you to fix the problem. Instead, I will give you some stupid messages...

What you can do is: try to find out what's wrong with the server certificate. Extract the server certificate from the data stream sent by the server and write it to a file. Use Openssl to decode it and try to verify it with the CA certificate in your PKCS #12 file.
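The check mike155 describes, and the situation the original poster ran into (a CA regenerated with the same subject as the old one), can be reproduced and diagnosed offline with nothing but `openssl`. The script below is an added example, not code from the thread: it builds a throwaway CA, packs a client certificate and that CA into a PKCS #12 file the way the poster's `xxx.p12` was built, then creates a second CA with the identical subject and a server certificate signed by it. The file names, subjects and the `pass:secret` password are all made up for the example; the `subject`, `fingerprint` and `verify_chain` helper names are mine. The point it shows is that `openssl x509 -subject` cannot tell the two CAs apart while `-fingerprint` and `openssl verify` can.

```shell
#!/bin/sh
# Added example: reproduce "same CA subject, different CA key" locally and
# show how to tell the two CAs apart. All certificates here are generated
# on the fly; nothing is taken from a real server.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA. Both CAs in this example deliberately get the
# same subject, mimicking a provider that regenerated its CA in place.
new_ca() {  # $1 = file prefix
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example VPN CA" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue a leaf certificate signed by the given CA.
sign_cert() {  # $1 = CA prefix, $2 = output prefix, $3 = CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# Helpers used for the diagnosis.
subject()      { openssl x509 -in "$1" -noout -subject; }
fingerprint()  { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }  # $1 = CA, $2 = leaf

# 1. The original CA and the client's PKCS #12 bundle (cert + key + CA).
new_ca ca-old
sign_cert ca-old client "vpn-client"
openssl pkcs12 -export -in "$WORK/client.crt" -inkey "$WORK/client.key" \
  -certfile "$WORK/ca-old.crt" -passout pass:secret -out "$WORK/client.p12"

# 2. The provider regenerates the CA (same subject, new key) and the server
#    now presents a certificate issued by the new CA.
new_ca ca-new
sign_cert ca-new server "vpn.example"

# 3. Pull the CA certificate back out of the .p12, as mike155 suggests.
openssl pkcs12 -in "$WORK/client.p12" -cacerts -nokeys \
  -passin pass:secret -out "$WORK/ca-from-p12.crt"

# 4. Compare what the client trusts with what the server chain uses.
echo "CA subject in .p12     : $(subject "$WORK/ca-from-p12.crt")"
echo "CA subject server uses : $(subject "$WORK/ca-new.crt")"
echo "CA fingerprint in .p12 : $(fingerprint "$WORK/ca-from-p12.crt")"
echo "CA fingerprint server  : $(fingerprint "$WORK/ca-new.crt")"

if verify_chain "$WORK/ca-from-p12.crt" "$WORK/server.crt"; then
  echo "server cert verifies against the CA in the .p12"
else
  # This is the OpenVPN "self signed certificate in certificate chain" case:
  # the subject matches, but it is not the CA that signed the server cert.
  echo "server cert does NOT verify against the CA in the .p12 (subject matches, key does not)"
fi
```

Two notes on using this against a real deployment. OpenVPN runs its TLS handshake inside its own control-channel packets, not on a plain TLS socket, so `openssl s_client` cannot be pointed at the VPN port to fetch the server certificate; the certificate has to come from the provider or from a packet capture. And once you have the server's CA in PEM form, the same `openssl verify -CAfile` and `-fingerprint -sha256` calls as above are all that is needed: a subject match proves nothing, a fingerprint match does.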

----------

