OpenVPN error on CentOS 7: VERIFY ERROR: depth=0, error=certificate signature failure

Original post, 2018-04-16 14:04:01

[CentOS7:OpenVPN] VERIFY ERROR: depth=0, error=certificate signature failure

Problems

  • On CentOS 7, OpenVPN fails to connect to the VPN.
  • The same OpenVPN configuration used to work on CentOS 6.5.

Errors

Sat Aug 30 10:52:03 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 14 2014
Sat Aug 30 10:52:06 2014 VERIFY OK: depth=1, C=XX, ST=XX, L=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Aug 30 10:52:06 2014 TLS Error: TLS object -> incoming plaintext read error
Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed
Sat Aug 30 10:52:06 2014 SIGUSR1[soft,tls-error] received, process restarting

Why did this happen?

The certificate used for OpenVPN is signed using MD5 and SHA1, but CentOS 7 doesn't support this by default.

How to resolve this problem?

There are two possible solutions:

  1. Generate a certificate without using MD5
  2. Enable MD5 support on CentOS 7
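To see which certificates would need reissuing under option 1, the following added example (not part of the original post) reports the signature algorithm of every certificate in the PEM files passed to it. It assumes the `openssl` command is installed; the function names and verdict labels are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and verdict
# labels (REISSUE/WEAK/OK/UNREADABLE) are illustrative assumptions.
# Usage: sh check_sig_alg.sh <pem-file>...

# Map an OpenSSL signature algorithm name to a verdict.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        "")             echo "UNREADABLE" ;;
        md2*|md4*|md5*) echo "REISSUE" ;;  # the MD5 case this page describes
        sha1*|*sha1)    echo "WEAK" ;;     # SHA-1 signatures are deprecated
        *)              echo "OK" ;;
    esac
}

# Read `openssl x509 -text` output on stdin, print the first algorithm name.
parse_sig_alg() {
    awk '/Signature Algorithm:/ { print $NF; exit }'
}

# Print "<verdict> <algorithm> <file>#<n>" for every certificate in a PEM
# file, so bundles and chains are covered, not only the first certificate.
audit_pem() {
    file=$1
    n=$(grep -c 'BEGIN CERTIFICATE' "$file" 2>/dev/null) || n=0
    [ "$n" -gt 0 ] || { echo "UNREADABLE ? $file"; return 0; }
    i=1
    while [ "$i" -le "$n" ]; do
        alg=$(awk -v want="$i" '
                /BEGIN CERTIFICATE/              { idx++ }
                idx == want                      { print }
                /END CERTIFICATE/ && idx == want { exit }' "$file" |
              openssl x509 -noout -text 2>/dev/null | parse_sig_alg)
        echo "$(classify_sig_alg "$alg") ${alg:-?} $file#$i"
        i=$((i + 1))
    done
}

# Does nothing unless PEM files are named on the command line.
for f in "$@"; do
    audit_pem "$f"
done
```

Because it keys on the `BEGIN CERTIFICATE` markers, it also works on an OpenVPN config file with inline certificates.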

How to enable MD5 support on CentOS 7?

  • Temporarily enable it.
export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1
  • Enable MD5 support through NetworkManager
$ sudo vim /usr/lib/systemd/system/NetworkManager.service

Append this.

[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"

And restart the daemon.

$ sudo systemctl daemon-reload
$ sudo systemctl restart NetworkManager.service
