OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Connection reset using easy-rsa 3.0 #43

Closed mgcrea closed 9 years ago

mgcrea commented 9 years ago

I can't make an OpenVPN server work with the new easy-rsa 3.0 setup. Worked flawlessly in the past with the bundled 2.0-branch. Tried it on two separate host providers (one with a working legacy config).

# uname -a
Linux server-asia 3.13.0-24-generic #47-Ubuntu SMP Fri May 2 23:30:00 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

I get a TLS error on my client (OSX 10.10 Viscosity):

Sep 24 01:33:29: Attempting to establish TCP connection with [AF_INET]128.199.237.115:443 [nonblock]
Sep 24 01:33:30: TCP connection established with [AF_INET]128.191.237.215:443
Sep 24 01:33:30: TCPv4_CLIENT link local: [undef]
Sep 24 01:33:30: TCPv4_CLIENT link remote: [AF_INET]128.191.237.215:443
Sep 24 01:33:37: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sep 24 01:33:37: TLS Error: TLS object -> incoming plaintext read error
Sep 24 01:33:37: TLS Error: TLS handshake failed
Sep 24 01:33:37: Fatal TLS error (check_tls_errors_co), restarting
Sep 24 01:33:37: SIGUSR1[soft,tls-error] received, process restarting
# openssl verify -CAfile ca.crt issued/server@foobar.com.crt 
issued/server@foobar.com.crt: OK
# openssl verify -CAfile ca.crt issued/admin@foobar.com.crt 
issued/admin@foobar.com.crt: OK

Full server logs:

Tue Sep 23 19:30:38 2014 us=217227 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb  4 2014
Tue Sep 23 19:30:38 2014 us=217468 WARNING: --ifconfig-pool-persist will not work with --duplicate-cn
Tue Sep 23 19:30:38 2014 us=231950 Diffie-Hellman initialized with 2048 bit key
Tue Sep 23 19:30:38 2014 us=233359 Control Channel Authentication: using 'pki/ta.key' as a OpenVPN static key file
Tue Sep 23 19:30:38 2014 us=233416 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 19:30:38 2014 us=233451 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Sep 23 19:30:38 2014 us=233512 TLS-Auth MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Sep 23 19:30:38 2014 us=233579 Socket Buffers: R=[87380->131072] S=[87380->131072]
Tue Sep 23 19:30:38 2014 us=233823 ROUTE_GATEWAY 128.199.192.1/255.255.192.0 IFACE=eth0 HWADDR=04:01:28:e5:88:01
Tue Sep 23 19:30:38 2014 us=234334 TUN/TAP device tun0 opened
Tue Sep 23 19:30:38 2014 us=234385 TUN/TAP TX queue length set to 100
Tue Sep 23 19:30:38 2014 us=234446 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Sep 23 19:30:38 2014 us=234511 /sbin/ip link set dev tun0 up mtu 1500
Tue Sep 23 19:30:38 2014 us=238452 /sbin/ip addr add dev tun0 local 10.50.0.1 peer 10.50.0.2
Tue Sep 23 19:30:38 2014 us=242759 /sbin/ip route add 10.50.0.0/24 via 10.50.0.2
Tue Sep 23 19:30:38 2014 us=246760 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 23 19:30:38 2014 us=251290 GID set to nogroup
Tue Sep 23 19:30:38 2014 us=251426 UID set to nobody
Tue Sep 23 19:30:38 2014 us=251529 Listening for incoming TCP connection on [undef]
Tue Sep 23 19:30:38 2014 us=251602 TCPv4_SERVER link local (bound): [undef]
Tue Sep 23 19:30:38 2014 us=251628 TCPv4_SERVER link remote: [undef]
Tue Sep 23 19:30:38 2014 us=251672 MULTI: multi_init called, r=256 v=256
Tue Sep 23 19:30:38 2014 us=251842 IFCONFIG POOL: base=10.50.0.4 size=62, ipv6=0
Tue Sep 23 19:30:38 2014 us=251879 IFCONFIG POOL LIST
Tue Sep 23 19:30:38 2014 us=251955 MULTI: TCP INIT maxclients=1024 maxevents=1028
Tue Sep 23 19:30:38 2014 us=252047 Initialization Sequence Completed
Tue Sep 23 19:30:43 2014 us=360073 MULTI: multi_create_instance called
Tue Sep 23 19:30:43 2014 us=360148 Re-using SSL/TLS context
Tue Sep 23 19:30:43 2014 us=360198 LZO compression initialized
Tue Sep 23 19:30:43 2014 us=360484 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Tue Sep 23 19:30:43 2014 us=360521 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Sep 23 19:30:43 2014 us=360609 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Tue Sep 23 19:30:43 2014 us=360623 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Tue Sep 23 19:30:43 2014 us=360653 Local Options hash (VER=V4): '9915e4a2'
Tue Sep 23 19:30:43 2014 us=360670 Expected Remote Options hash (VER=V4): '2f2c6498'
Tue Sep 23 19:30:43 2014 us=360713 TCP connection established with [AF_INET]85.168.116.160:41848
Tue Sep 23 19:30:43 2014 us=360735 TCPv4_SERVER link local: [undef]
Tue Sep 23 19:30:43 2014 us=360747 TCPv4_SERVER link remote: [AF_INET]85.168.116.160:41848
Tue Sep 23 19:30:43 2014 us=791973 85.168.116.160:41848 TCPv4_SERVER READ [42] from [AF_INET]85.168.116.160:41848: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 pid=[ #1 ] [ ] pid=0 DATA len=0
Tue Sep 23 19:30:43 2014 us=792066 85.168.116.160:41848 TLS: Initial packet from [AF_INET]85.168.116.160:41848, sid=dee1457d a616639a
Tue Sep 23 19:30:43 2014 us=792137 85.168.116.160:41848 TCPv4_SERVER WRITE [54] to [AF_INET]85.168.116.160:41848: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 pid=[ #1 ] [ 0 ] pid=0 DATA len=0
Tue Sep 23 19:30:44 2014 us=65553 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #2 ] [ 0 ]
Tue Sep 23 19:30:44 2014 us=589910 85.168.116.160:41848 TCPv4_SERVER READ [142] from [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #3 ] [ ] pid=1 DATA len=100
Tue Sep 23 19:30:44 2014 us=590089 85.168.116.160:41848 TCPv4_SERVER WRITE [50] to [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #2 ] [ 1 ]
Tue Sep 23 19:30:44 2014 us=590145 85.168.116.160:41848 TCPv4_SERVER READ [142] from [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #4 ] [ ] pid=2 DATA len=100
Tue Sep 23 19:30:44 2014 us=590179 85.168.116.160:41848 TCPv4_SERVER WRITE [50] to [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #3 ] [ 2 ]
Tue Sep 23 19:30:44 2014 us=590239 85.168.116.160:41848 TCPv4_SERVER READ [54] from [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=3 DATA len=12
Tue Sep 23 19:30:44 2014 us=598868 85.168.116.160:41848 TCPv4_SERVER WRITE [154] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #4 ] [ 3 ] pid=1 DATA len=100
Tue Sep 23 19:30:44 2014 us=598930 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #5 ] [ ] pid=2 DATA len=100
Tue Sep 23 19:30:44 2014 us=598963 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #6 ] [ ] pid=3 DATA len=100
Tue Sep 23 19:30:44 2014 us=598994 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #7 ] [ ] pid=4 DATA len=100
Tue Sep 23 19:30:45 2014 us=205548 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #6 ] [ 1 ]
Tue Sep 23 19:30:45 2014 us=205856 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #8 ] [ ] pid=5 DATA len=100
Tue Sep 23 19:30:45 2014 us=513674 85.168.116.160:41848 TCPv4_SERVER READ [58] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #7 ] [ 2 3 4 ]
Tue Sep 23 19:30:45 2014 us=514112 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #9 ] [ ] pid=6 DATA len=100
Tue Sep 23 19:30:45 2014 us=514414 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #10 ] [ ] pid=7 DATA len=100
Tue Sep 23 19:30:45 2014 us=514687 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #11 ] [ ] pid=8 DATA len=100
Tue Sep 23 19:30:45 2014 us=816397 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #8 ] [ 5 ]
Tue Sep 23 19:30:45 2014 us=816985 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #12 ] [ ] pid=9 DATA len=100
Tue Sep 23 19:30:46 2014 us=126131 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #9 ] [ 6 ]
Tue Sep 23 19:30:46 2014 us=126617 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #13 ] [ ] pid=10 DATA len=100
Tue Sep 23 19:30:46 2014 us=430853 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #10 ] [ 7 ]
Tue Sep 23 19:30:46 2014 us=431141 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #14 ] [ ] pid=11 DATA len=100
Tue Sep 23 19:30:46 2014 us=431264 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #11 ] [ 8 ]
Tue Sep 23 19:30:46 2014 us=431373 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #15 ] [ ] pid=12 DATA len=100
Tue Sep 23 19:30:46 2014 us=742011 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #12 ] [ 9 ]
Tue Sep 23 19:30:46 2014 us=742301 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #16 ] [ ] pid=13 DATA len=100
Tue Sep 23 19:30:47 2014 us=16007 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #13 ] [ 10 ]
Tue Sep 23 19:30:47 2014 us=16299 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #17 ] [ ] pid=14 DATA len=100
Tue Sep 23 19:30:47 2014 us=350147 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #14 ] [ 11 ]
Tue Sep 23 19:30:47 2014 us=350480 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #18 ] [ ] pid=15 DATA len=100
Tue Sep 23 19:30:47 2014 us=350589 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #15 ] [ 12 ]
Tue Sep 23 19:30:47 2014 us=350733 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #19 ] [ ] pid=16 DATA len=100
Tue Sep 23 19:30:47 2014 us=660243 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #16 ] [ 13 ]
Tue Sep 23 19:30:47 2014 us=660552 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #20 ] [ ] pid=17 DATA len=100
Tue Sep 23 19:30:47 2014 us=962036 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #17 ] [ 14 ]
Tue Sep 23 19:30:47 2014 us=962357 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #21 ] [ ] pid=18 DATA len=100
Tue Sep 23 19:30:48 2014 us=278178 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #18 ] [ 15 ]
Tue Sep 23 19:30:48 2014 us=278449 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #22 ] [ ] pid=19 DATA len=100
Tue Sep 23 19:30:48 2014 us=278557 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #19 ] [ 16 ]
Tue Sep 23 19:30:48 2014 us=278665 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #23 ] [ ] pid=20 DATA len=100
Tue Sep 23 19:30:48 2014 us=579654 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #20 ] [ 17 ]
Tue Sep 23 19:30:48 2014 us=580759 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #24 ] [ ] pid=21 DATA len=100
Tue Sep 23 19:30:48 2014 us=891116 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #21 ] [ 18 ]
Tue Sep 23 19:30:48 2014 us=891250 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #25 ] [ ] pid=22 DATA len=100
Tue Sep 23 19:30:49 2014 us=196226 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #22 ] [ 19 ]
Tue Sep 23 19:30:49 2014 us=196537 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #26 ] [ ] pid=23 DATA len=100
Tue Sep 23 19:30:49 2014 us=196651 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #23 ] [ 20 ]
Tue Sep 23 19:30:49 2014 us=196759 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #27 ] [ ] pid=24 DATA len=100
Tue Sep 23 19:30:49 2014 us=519527 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #24 ] [ 21 ]
Tue Sep 23 19:30:49 2014 us=519869 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #28 ] [ ] pid=25 DATA len=100
Tue Sep 23 19:30:49 2014 us=809538 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #25 ] [ 22 ]
Tue Sep 23 19:30:49 2014 us=809899 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #29 ] [ ] pid=26 DATA len=100
Tue Sep 23 19:30:50 2014 us=119011 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #26 ] [ 23 ]
Tue Sep 23 19:30:50 2014 us=119486 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #30 ] [ ] pid=27 DATA len=100
Tue Sep 23 19:30:50 2014 us=119721 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #27 ] [ 24 ]
Tue Sep 23 19:30:50 2014 us=119965 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #31 ] [ ] pid=28 DATA len=100
Tue Sep 23 19:30:50 2014 us=426847 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #28 ] [ 25 ]
Tue Sep 23 19:30:50 2014 us=427347 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #32 ] [ ] pid=29 DATA len=100
Tue Sep 23 19:30:50 2014 us=730333 85.168.116.160:41848 TCPv4_SERVER READ [50] from [AF_INET]85.168.116.160:41848: P_ACK_V1 kid=0 pid=[ #29 ] [ 26 ]
Tue Sep 23 19:30:50 2014 us=730837 85.168.116.160:41848 TCPv4_SERVER WRITE [142] to [AF_INET]85.168.116.160:41848: P_CONTROL_V1 kid=0 pid=[ #33 ] [ ] pid=30 DATA len=100
Tue Sep 23 19:30:50 2014 us=731862 85.168.116.160:41848 Connection reset, restarting [0]
Tue Sep 23 19:30:50 2014 us=732105 85.168.116.160:41848 SIGUSR1[soft,connection-reset] received, client-instance restarting
Tue Sep 23 19:30:50 2014 us=732363 TCP/UDP: Closing socket

Only advice found so far is to regenerate the CA...


Ansible playbook used to generate the config:

- name: OpenVPN | EasyRSA | Checkout project
  git: repo=https://github.com/OpenVPN/easy-rsa.git accept_hostkey=True
       remote=github version=master
       dest=/etc/openvpn/easyrsa
- name: OpenVPN | EasyRSA | Link project
  file: src=./easyrsa/easyrsa3/pki dest=/etc/openvpn/pki owner=root group=root force=yes state=link

- name: OpenVPN | Deploy vars configuration
  template: src=vars.j2 dest=/etc/openvpn/easyrsa/easyrsa3/vars owner=root group=root mode=0644
  register: result
- name: OpenVPN | Initialize PKI
  shell: echo 'yes' | ./easyrsa init-pki chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build CA
  shell: ./easyrsa build-ca ca@{{ openvpn_server_name }} nopass chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build Server
  shell: ./easyrsa build-server-full server@{{ openvpn_server_name }} nopass chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build Clients
  shell: ./easyrsa build-client-full {{ item }}@{{ openvpn_server_name }} nopass chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
  with_items:
    - admin
    - player
- name: OpenVPN | Build dh.pem
  shell: ./easyrsa gen-dh chdir=/etc/openvpn/easyrsa/easyrsa3
  when: result | changed
- name: OpenVPN | Build ta.key
  shell: openvpn --genkey --secret ta.key chdir=/etc/openvpn/easyrsa/easyrsa3/pki
  when: result | changed
- name: OpenVPN | Archive configuration
  shell: tar -cvzf /root/openvpn.tgz * chdir=/etc/openvpn creates=/root/openvpn.tgz
  when: result | changed
- fetch: src=/root/openvpn.tgz dest=fetched
  when: result | changed

QueuingKoala commented 9 years ago

The error on your client ("TLS_ERROR: BIO read tls_read_plaintext error ...") is returned directly from the OpenSSL library as it attempts to process the TLS connection.

When dealing with validation issues, don't test using a local copy of the "issued" certs since that may not represent what the far peer is sending. You should get a current copy of the cert the server's live config is using, copy that to the client, and validate that copy against the client's local CA (again, the one referenced by its live config.)

Chances are good this will fail validation given your client's error. Common causes are using a mismatched cert on the far system (your server) or a mismatched CA on the local one (your client.)

More useful openvpn output can usually be had at --verb 4 as well.

mgcrea commented 9 years ago

@QueuingKoala Thanks for the help. Finally found out that it was the ns-cert-type server option on the client side that was breaking things. Used to work with EasyRSA2, not sure if it's a bug or not.

QueuingKoala commented 9 years ago

For reference, the "Netscape" cert-type (aka nsCertType) field is not recommended by standards documents. Easy-RSA 3 no longer supports this by default, although support can be enabled if backwards-compatibility is required with a legacy system (see vars comments.)

Since it sounds like this question was resolved earlier, I'll close this issue.
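The two points made in this thread, that plain chain validation of a copied cert tells you nothing about a cert-type failure, and that Easy-RSA 3 no longer emits the Netscape nsCertType extension by default, can be reproduced offline. The following script is an added demonstration and is not code from the issue, from mgcrea, from QueuingKoala or from the easy-rsa project: it uses the plain openssl CLI (not easy-rsa) to mint a throwaway "Demo CA", issues one server cert with only extendedKeyUsage=serverAuth and one that also carries nsCertType=server, then runs the chain check the reporter ran plus two extension checks. All names, file paths and extension profiles are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the thread: mint a throwaway CA and two server certs,
# one carrying only extendedKeyUsage=serverAuth (the Easy-RSA 3 default style)
# and one that also carries the legacy nsCertType=server extension, then run
# the checks a client-side operator would use to see why a client configured
# with "ns-cert-type server" rejects the first while plain chain validation
# accepts both. All names and paths below are constructed for this demo.

WORK="${WORK:-$(mktemp -d)}"

# Two signing profiles: EKU only, and EKU plus the Netscape extension.
write_ext_files() {
    cat > "$WORK/eku.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    cat > "$WORK/ns.cnf" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
EOF
}

# Self-signed demo CA (the role easy-rsa's build-ca plays).
build_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_server NAME EXTFILE: key + CSR + CA-signed cert with the given profile
# (the role build-server-full plays).
issue_server() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$2" \
        -out "$WORK/$1.crt" 2>/dev/null
}

# Chain validation only: the check the issue reporter ran. It passes for
# both certs, so it cannot explain a cert-type rejection on the client.
chain_ok() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# Does the cert carry the legacy Netscape Cert Type extension at all?
has_ns_cert_type() {
    openssl x509 -in "$1" -noout -text | grep -q "Netscape Cert Type"
}

# Does it carry the standards-track marker, extendedKeyUsage=serverAuth?
has_server_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "TLS Web Server Authentication"
}

# Build everything and print one summary line per cert.
demo() {
    write_ext_files && build_ca &&
    issue_server modern "$WORK/eku.cnf" &&
    issue_server legacy "$WORK/ns.cnf" || return 1
    for name in modern legacy; do
        crt="$WORK/$name.crt"
        chain=no; chain_ok "$crt"         && chain=yes
        ns=no;    has_ns_cert_type "$crt" && ns=yes
        eku=no;   has_server_eku "$crt"   && eku=yes
        printf '%s: chain_valid=%s nsCertType=%s serverAuth_eku=%s\n' \
            "$name" "$chain" "$ns" "$eku"
    done
}

demo
```

The "modern" cert validates against the CA and carries serverAuth, yet has no Netscape Cert Type extension, which is exactly what a client-side `ns-cert-type server` directive requires; the "legacy" cert satisfies both. On a real deployment, run `has_ns_cert_type` against a copy of the cert the server's live config actually loads, as the first reply recommends, rather than against a local `issued/` file. OpenVPN's `remote-cert-tls server` directive performs the equivalent check on the EKU extension instead, so it is the usual replacement for `ns-cert-type server` when the CA no longer issues the Netscape field.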