SparkLabs Forum.

Community Help.


OpenVPN with Let's Encrypt certificate

While I am trying to connect to the server it disconnects midway, stating that it cannot find the certificate of the server. I am using a Let's Encrypt CA, which issues certificates from an intermediate CA. Is there a workaround or solution for this? My log file is as below:

Nov 26 19:02:55: State changed to Connecting
Nov 26 19:02:55: Viscosity Windows 1.7.5 (1530)
Nov 26 19:02:55: Running on Microsoft Windows 10 Pro
Nov 26 19:02:55: Running on .NET Framework Version 4.7.02556.461308
Nov 26 19:02:55: Bringing up interface...
Nov 26 19:02:56: Checking reachability status of connection...
Nov 26 19:02:56: Connection is reachable. Starting connection attempt.
Nov 26 19:02:57: OpenVPN 2.4.4 Windows-MSVC [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 27 2017
Nov 26 19:02:57: library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.09
Nov 26 19:03:07: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 26 19:03:07: TCP/UDP: Preserving recently used remote address: [AF_INET]99.11.68.146:1194
Nov 26 19:03:07: UDP link local (bound): [AF_INET][undef]:0
Nov 26 19:03:07: UDP link remote: [AF_INET]99.11.68.146:1194
Nov 26 19:03:07: State changed to Authenticating
Nov 26 19:03:07: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Nov 26 19:03:08: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Nov 26 19:03:08: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Nov 26 19:03:08: TLS_ERROR: BIO read tls_read_plaintext error
Nov 26 19:03:08: TLS Error: TLS object -> incoming plaintext read error
Nov 26 19:03:08: TLS Error: TLS handshake failed
Nov 26 19:03:08: SIGUSR1[soft,tls-error] received, process restarting
Nov 26 19:03:08: State changed to Connecting
Nov 26 19:03:18: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 26 19:03:18: TCP/UDP: Preserving recently used remote address: [AF_INET]99.11.68.146:1194
Nov 26 19:03:18: UDP link local (bound): [AF_INET][undef]:0
Nov 26 19:03:18: UDP link remote: [AF_INET]99.11.68.146:1194
Nov 26 19:03:18: State changed to Authenticating
Nov 26 19:03:18: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Nov 26 19:03:18: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Nov 26 19:03:18: TLS_ERROR: BIO read tls_read_plaintext error
Nov 26 19:03:18: TLS Error: TLS object -> incoming plaintext read error
Nov 26 19:03:18: TLS Error: TLS handshake failed
Nov 26 19:03:18: SIGUSR1[soft,tls-error] received, process restarting
Nov 26 19:03:18: State changed to Connecting
Nov 26 19:03:29: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 26 19:03:29: TCP/UDP: Preserving recently used remote address: [AF_INET]99.11.68.146:1194
Nov 26 19:03:29: UDP link local (bound): [AF_INET][undef]:0
Nov 26 19:03:29: UDP link remote: [AF_INET]99.11.68.146:1194
Nov 26 19:03:29: State changed to Authenticating
Nov 26 19:03:29: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Nov 26 19:03:29: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Nov 26 19:03:29: TLS_ERROR: BIO read tls_read_plaintext error
Nov 26 19:03:29: TLS Error: TLS object -> incoming plaintext read error
Nov 26 19:03:29: TLS Error: TLS handshake failed
Nov 26 19:03:29: SIGUSR1[soft,tls-error] received, process restarting
Nov 26 19:03:29: State changed to Connecting
Nov 26 19:03:34: State changed to Disconnecting
Nov 26 19:03:34: State changed to Disconnected

Hi kaduva,

Using a proper SSL certificate like Let's Encrypt is quite pointless, as OpenVPN doesn't do any of the normal checks (like CA checks or domain name checks) like HTTPS does. Using something like Let's Encrypt specifically isn't great either, as from memory the server certificate will expire every three months at maximum.

The main problem though is every certificate issued by Let's Encrypt would be seen as valid by the OpenVPN server, meaning anyone could generate a set of certificates from Let's Encrypt and connect to your server, as well as opening you up to MITM attacks from servers simply using a Let's Encrypt certificate.

We have a guide here for generating certificates for your server - https://sparklabs.com/support/kb/articl ... pn-server/

Regards,
Eric
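As an added example (not from this thread, and not SparkLabs or OpenVPN code), a small Python checker that reads client log lines in the format quoted above and turns the two signals in them into findings: the depth=1 "unable to get issuer certificate" failure, and the "No server certificate verification method" warning, which is the gap Eric's reply describes. The sample log and the list of public CA organisation names are constructed for the example.

```python
import re

# Constructed sample (same format as the Viscosity/OpenVPN client log in the post).
SAMPLE_LOG = """\
Nov 26 19:03:07: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Nov 26 19:03:07: State changed to Authenticating
Nov 26 19:03:08: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Nov 26 19:03:08: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Nov 26 19:03:08: TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.+)")
NO_VERIFY_MSG = "No server certificate verification method has been enabled"
# Assumed list of public CA organisation names, used only to flag a shared trust anchor.
PUBLIC_CA_ORGS = ("O=Let's Encrypt",)


def parse_verify_errors(log_text):
    """Return (depth, error, subject) for every VERIFY ERROR line in the log."""
    found = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            found.append((int(m.group(1)), m.group(2).strip(), m.group(3).strip()))
    return found


def diagnose(log_text):
    """Map the log's failure signals to (code, remediation) findings."""
    findings = []
    for depth, error, subject in parse_verify_errors(log_text):
        if error == "unable to get issuer certificate":
            findings.append(("missing_issuer_in_ca_file",
                             f"the 'ca' file has no certificate that issued '{subject}' "
                             f"(depth={depth}); the chain must end in a root the client trusts"))
        if any(org in subject for org in PUBLIC_CA_ORGS):
            findings.append(("public_ca_as_trust_anchor",
                             "every certificate this CA ever issues would pass the CA check; "
                             "use a private CA or pin the expected name with verify-x509-name"))
    if NO_VERIFY_MSG in log_text:
        findings.append(("no_server_cert_check",
                         "add 'remote-cert-tls server' so a client certificate cannot pose as the server"))
    return findings


if __name__ == "__main__":
    for code, advice in diagnose(SAMPLE_LOG):
        print(f"{code}: {advice}")
```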