OpenVPN Profile Peer certificate verification Failure

I am working with a Balance One FW 8.3.0 build 5514, trying to set up an OpenVPN server.

After enabling Remote User access and downloading the OpenVPN profile file from the status page, I get this error:

Error message: Peer certificate verification failure

I have tried both profiles (route all DNS or not) and both result in the same error.

On the client computer this is what I can see in the logs. Any ideas what I’m doing wrong?
P.S. When I tested the L2TP server I was able to connect just fine; however, it's very slow, hence the hope that OpenVPN will be faster.

[Dec 26, 2023, 14:56:17] Frame=512/2048/512 mssfix-ctrl=1250
[Dec 26, 2023, 14:56:17] UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]
13 [tls-client]
[Dec 26, 2023, 14:56:17] EVENT: RESOLVE
[Dec 26, 2023, 14:56:17] Contacting 50.***.***.161:1194 via UDP
[Dec 26, 2023, 14:56:17] EVENT: WAIT
[Dec 26, 2023, 14:56:17] UnixCommandAgent: transmitting bypass route to /var/run/agent_ovpnconnect.sock
{
	"host" : "50.***.***.161",
	"ipv6" : false,
	"pid" : 812
}

[Dec 26, 2023, 14:56:17] Connecting to [50.***.***.161]:1194 (50.***.***.161) via UDPv4
[Dec 26, 2023, 14:56:17] EVENT: CONNECTING
[Dec 26, 2023, 14:56:17] Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,cipher AES-256-GCM,auth [null-digest],keysize 256,key-method 2,tls-client
[Dec 26, 2023, 14:56:17] Creds: Username/Password
[Dec 26, 2023, 14:56:17] Peer Info:
IV_VER=3.git::d06e216e
IV_PLAT=mac
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_GUI_VER=OCmacOS_3.3.1-4000
IV_SSO=openurl,crtext

[Dec 26, 2023, 14:56:18] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 26, 2023, 14:56:18] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 26, 2023, 14:56:18] EVENT: DISCONNECTED
[Dec 26, 2023, 14:56:22] Raw stats on disconnect:
 BYTES_IN : 3171
 BYTES_OUT : 521
 PACKETS_IN : 5
 PACKETS_OUT : 4
 SSL_ERROR : 1
 CERT_VERIFY_FAIL : 1

I installed another VPN client that supports OpenVPN (TunnelBlick) and in its log I can see something about an expired certificate, but I have just enabled and created the profile on the Balance One.
Under Certificates in the sidebar I only see that the Default Certificate is used, w/o an option to revoke or regenerate.

2023-12-26 18:27:26.742826 VERIFY ERROR: depth=1, error=certificate has expired: C=US, O=Peplink, CN=OpenVPN CA/[email protected], serial=71978259974721770160327875745257801959083863175
2023-12-26 18:27:26.742982 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-12-26 18:27:26.743054 TLS_ERROR: BIO read tls_read_plaintext error
2023-12-26 18:27:26.743306 TLS Error: TLS object -> incoming plaintext read error
2023-12-26 18:27:26.743351 TLS Error: TLS handshake failed
2023-12-26 18:27:26.744632 SIGUSR1[soft,tls-error] received, process restarting
2023-12-26 18:27:26.744745 MANAGEMENT: >STATE:1703590046,RECONNECTING,tls-error,,,,,
2023-12-26 18:27:26.755475 MANAGEMENT: CMD 'hold release'

Updated to 8.4.0 but that didn’t help.

Contacting support didn’t help. No one bothered replying to my ticket. Great.

The solution for me was to install my own generated valid OpenVPN certs.
In case someone else is hitting the same issue: I ran this on my local machine to generate the CA and then copy/pasted the files' contents into the OpenSSL certificate section in the Certificate Manager section (Network → Misc → Certificate Manager).

Run this one-liner and fill in the details at the prompts. This is valid for 10 years. Adjust your line as needed.

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 3650
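
The TunnelBlick log above reports an expired CA at depth=1, and the fix was to install a fresh certificate. As an added example (not part of the original posts and not Peplink tooling), this shell function prints the subject and expiry of each CA certificate in a downloaded profile; it assumes the .ovpn embeds its CA inline between `<ca>` tags, and `make_sample_profile` is a hypothetical helper that builds constructed test data.

```shell
#!/bin/sh
# Added example: check expiry of the CA certificate(s) embedded in an .ovpn profile.
# Assumption: the profile carries its CA inline between <ca> and </ca>.

# ca_expiry_check PROFILE [SECONDS]
# Prints subject and notAfter per CA cert. Returns 1 if any cert is expired or
# expires within SECONDS (default 0), 2 if no inline CA cert was found.
ca_expiry_check() {
    local profile="$1" window="${2:-0}" tmp rc=0 count=0 f
    tmp=$(mktemp -d) || return 2
    # Write each PEM block found inside <ca>...</ca> to its own file.
    awk -v dir="$tmp" '
        /<ca>/   { inca = 1; next }
        /<\/ca>/ { inca = 0 }
        inca && /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/ca%02d.pem", dir, ++n) }
        inca && out != "" { print > out }
        /-----END CERTIFICATE-----/ { if (out != "") close(out); out = "" }
    ' "$profile"
    for f in "$tmp"/ca*.pem; do
        [ -e "$f" ] || continue
        count=$((count + 1))
        openssl x509 -in "$f" -noout -subject -enddate
        # -checkend exits non-zero when notAfter falls inside the window.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null; then
            echo "  -> expired or expiring within ${window}s" >&2
            rc=1
        fi
    done
    rm -rf "$tmp"
    [ "$count" -gt 0 ] || return 2
    return "$rc"
}

# Hypothetical helper: build a constructed profile around a throwaway 1-day CA.
make_sample_profile() {
    local dir
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -sha256 -days 1 -subj "/CN=Constructed Test CA" \
        2>/dev/null || { rm -rf "$dir"; return 1; }
    { echo "client"; echo "remote vpn.example.invalid 1194 udp"
      echo "<ca>"; cat "$dir/cert.pem"; echo "</ca>"; } > "$1"
    rm -rf "$dir"
}

# Usage: sh check_ca.sh client.ovpn 2592000   (warn 30 days ahead)
if [ "$#" -gt 0 ]; then ca_expiry_check "$@"; fi
```

Running it against the profile before and after replacing the certificate shows whether the CA that clients are asked to trust is still inside its validity period.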

Mind sharing the ticket number? This allows me to understand what is going wrong. FYI, I don’t see the reported issue with the latest firmware version.