bardossyAdrian
Topic Author

Problem with CRL usage on OVPN server

Mon Oct 29, 2018 4:09 pm

Hello,

My company started using a new certification authority called EJBCA, which is running on JBoss. I have created and downloaded the certification authority certificate with key and generated a user certificate. The OVPN server is using a certificate with CRL. I am including screenshots. I have created an OVPN server and the profile below:
client
dev tap
proto tcp
remote IP 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca S4UVPNIssuingCA2TEST-chain.pem
pkcs12 atest.p12
crl-verify test.crl
verb 6
pull
auth-user-pass
auth-nocache
auth SHA1
cipher AES-256-CBC
reneg-sec 43200

When I try to connect to VPN, client log shows this error:
Mon Oct 29 14:32:59 2018 us=253210 Attempting to establish TCP connection with [AF_INET]IP:1194 [nonblock]
Mon Oct 29 14:32:59 2018 us=253210 MANAGEMENT: >STATE:1540819979,TCP_CONNECT,,,,,,
Mon Oct 29 14:33:00 2018 us=254208 TCP connection established with [AF_INET:IP:1194
Mon Oct 29 14:33:00 2018 us=254208 TCP_CLIENT link local: (not bound)
Mon Oct 29 14:33:00 2018 us=254208 TCP_CLIENT link remote: [AF_INET]IP:1194
Mon Oct 29 14:33:00 2018 us=254208 MANAGEMENT: >STATE:1540819980,WAIT,,,,,,
Mon Oct 29 14:33:00 2018 us=254208 TCP_CLIENT WRITE [14] to [AF_INET]IP:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Mon Oct 29 14:33:00 2018 us=255213 TCP_CLIENT READ [14] from [AF_INET]81.19.2.214:1194: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ ] pid=0 DATA len=0
Mon Oct 29 14:33:00 2018 us=255213 MANAGEMENT: >STATE:1540819980,AUTH,,,,,,
Mon Oct 29 14:33:00 2018 us=255213 TLS: Initial packet from [AF_INET]IP:1194, sid=1f27da72 216847db
Mon Oct 29 14:33:00 2018 us=255213 TCP_CLIENT WRITE [26] to [AF_INET]IP:1194: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 0 ] pid=0 DATA len=0
Mon Oct 29 14:33:00 2018 us=256213 TCP_CLIENT READ [22] from [AF_INET]IP:1194: P_ACK_V1 kid=0 [ 0 ]
Mon Oct 29 14:33:00 2018 us=256213 TCP_CLIENT WRITE [174] to [AF_INET]IP:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=160
Mon Oct 29 14:33:00 2018 us=287382 TCP_CLIENT READ [22] from [AF_INET]IP:1194: P_ACK_V1 kid=0 [ 1 ]
Mon Oct 29 14:33:00 2018 us=514689 TCP_CLIENT READ [1414] from [AF_INETIP:1194: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=1400
Mon Oct 29 14:33:00 2018 us=514689 TCP_CLIENT WRITE [22] to [AF_INET]IP:1194: P_ACK_V1 kid=0 [ 1 ]
Mon Oct 29 14:33:00 2018 us=516695 TCP_CLIENT READ [1342] from [AF_INET]IP:1194: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1328
Mon Oct 29 14:33:00 2018 us=517696 VERIFY WARNING: depth=0, unable to get certificate CRL: CN=VPN Issuing CA2 TEST
Mon Oct 29 14:33:00 2018 us=517696 VERIFY WARNING: depth=1, unable to get certificate CRL: CN=VPN ROOT CA TEST
Mon Oct 29 14:33:00 2018 us=518694 VERIFY OK: depth=1, CN=VPN ROOT CA TEST
Mon Oct 29 14:33:00 2018 us=519692 VERIFY OK: depth=0, CN=VPN Issuing CA2 TEST
Mon Oct 29 14:33:00 2018 us=534705 TCP_CLIENT WRITE [1196] to [AF_INET]IP:1194: P_CONTROL_V1 kid=0 [ 2 ] pid=2 DATA len=1170
Mon Oct 29 14:33:00 2018 us=534705 TCP_CLIENT WRITE [1184] to [AF_INET]IP:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1170
Mon Oct 29 14:33:00 2018 us=535205 TCP_CLIENT WRITE [1053] to [AF_INET]IP:1194: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len=1039
Mon Oct 29 14:33:00 2018 us=539710 TCP_CLIENT READ [22] from [AF_INET]IP:1194: P_ACK_V1 kid=0 [ 2 ]
Mon Oct 29 14:33:00 2018 us=540209 TCP_CLIENT READ [22] from [AF_INET]IP:1194: P_ACK_V1 kid=0 [ 3 ]
Mon Oct 29 14:33:00 2018 us=540209 TCP_CLIENT READ [22] from [AF_INET]IP:1194: P_ACK_V1 kid=0 [ 4 ]
Mon Oct 29 14:33:00 2018 us=540209 TCP_CLIENT READ [21] from [AF_INET]IP:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=7
Mon Oct 29 14:33:00 2018 us=540209 TCP_CLIENT READ [21] from [AF_INET]IP:1194: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=7
Mon Oct 29 14:33:00 2018 us=540209 OpenSSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
Mon Oct 29 14:33:00 2018 us=540209 TLS_ERROR: BIO read tls_read_plaintext error
Mon Oct 29 14:33:00 2018 us=540711 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 29 14:33:00 2018 us=540711 TLS Error: TLS handshake failed
Mon Oct 29 14:33:00 2018 us=540711 Fatal TLS error (check_tls_errors_co), restarting
Mon Oct 29 14:33:00 2018 us=540711 Fatal TLS error (check_tls_errors_co), restarting
Mon Oct 29 14:33:00 2018 us=540711 TCP/UDP: Closing socket

The log on MikroTik shows this:
14:27:39 ovpn,debug <172.16.0.144>: disconnected <TLS failed> 
14:28:18 ovpn,debug <172.16.0.144>: disconnected <TLS failed> 
14:28:24 ovpn,debug <172.16.0.144>: disconnected <TLS failed> 
14:28:31 ovpn,debug <172.16.0.144>: disconnected <peer disconnected> 
14:32:33 ovpn,debug <172.16.0.144>: disconnected <TLS failed> 
14:32:39 ovpn,debug <172.16.0.144>: disconnected <TLS failed> 
14:33:00 ovpn,debug <172.16.0.144>: disconnected <TLS failed> 
14:33:06 ovpn,debug <172.16.0.144>: disconnected <peer disconnected>

[ab.admin@tik] > interface ovpn-server server print 
                     enabled: yes
                        port: 1194
                        mode: ethernet
                     netmask: 24
                 mac-address: FE:51:3F:BB:07:5B
                     max-mtu: 1500
           keepalive-timeout: 60
             default-profile: OVPN_TEST
                 certificate: S4UVPNIssuingCA2TEST-chain (1).pem_1
  require-client-certificate: yes
                        auth: sha1
                      cipher: aes192,aes256
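Two different checks are failing in the client log above: the VERIFY WARNING lines mean test.crl contains no CRL from the issuer of the certificate at depth 0 and depth 1 (OpenVPN verifies with CRL_CHECK_ALL, so every certificate in the peer's chain needs one), and the fatal "tlsv1 alert unknown ca" is an alert sent by the MikroTik side, which could not chain the client certificate to a CA it trusts. The script below is an added diagnostic, not code from the post, MikroTik or OpenVPN, that reproduces both checks offline with the openssl CLI; it assumes the file names from the profile, a PEM-encoded CRL file and the PKCS#12 password in the environment variable P12_PASS.

```shell
#!/bin/sh
# Added diagnostic for the profile in the post (not from the post, MikroTik or OpenVPN).
# crl_covers reproduces OpenVPN's "unable to get certificate CRL" check and
# client_cert_verifies reproduces the chain building the server does before it
# can answer with "unknown ca". Assumed: PEM CRL file, password in P12_PASS.

# Split a PEM bundle ($1) into one file per object inside directory $2.
split_pem() {
    awk -v dir="$2" '/-----BEGIN/ { n++ } n > 0 { print > (dir "/" n ".pem") }' "$1"
}

# crl_covers CERTS CRLFILE CAFILE: return 0 when every certificate in CERTS has a
# CRL in CRLFILE whose issuer matches and whose signature verifies against CAFILE
# (OpenVPN loads crl-verify with CRL_CHECK_ALL, so the CA chain itself is CERTS).
crl_covers() {
    tmp=$(mktemp -d); mkdir "$tmp/c" "$tmp/r"; rc=0
    split_pem "$1" "$tmp/c"; split_pem "$2" "$tmp/r"
    for c in "$tmp"/c/*.pem; do
        issuer=$(openssl x509 -in "$c" -noout -issuer -nameopt RFC2253)
        found=no
        for r in "$tmp"/r/*.pem; do
            [ "$(openssl crl -in "$r" -noout -issuer -nameopt RFC2253 2>/dev/null)" = "$issuer" ] || continue
            openssl crl -in "$r" -noout -CAfile "$3" >/dev/null 2>&1 && found=yes && break
        done
        [ "$found" = yes ] || { echo "no valid CRL for $issuer"; rc=1; }
    done
    rm -rf "$tmp"; return "$rc"
}

# client_cert_verifies P12 CAFILE CRLFILE: return 0 when the client certificate
# inside the PKCS#12 chains to CAFILE and no CRL in CRLFILE revokes it, with the
# same CRL_CHECK_ALL semantics as OpenVPN; prints OpenSSL's reason otherwise.
client_cert_verifies() {
    cert=$(openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:${P12_PASS:-}") || return 1
    printf '%s\n' "$cert" | openssl verify -CAfile "$2" -crl_check_all -CRLfile "$3"
}

# Run both checks; defaults are the file names from the post's OpenVPN profile.
ovpn_pki_check() {
    ca=${1:-S4UVPNIssuingCA2TEST-chain.pem}; p12=${2:-atest.p12}; crl=${3:-test.crl}
    crl_covers "$ca" "$crl" "$ca" && client_cert_verifies "$p12" "$ca" "$crl"
}

# "sh check.sh run" uses the defaults; "sh check.sh run ca.pem client.p12 crl.pem" overrides them.
if [ "${1:-}" = run ]; then shift; ovpn_pki_check "$@"; fi
```

Every issuer that crl_covers prints needs its own CRL appended to the crl-verify file; a non-zero client_cert_verifies against the same chain the server trusts is what the server reports back as unknown ca.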