Closed mgcrea closed 9 years ago
The error on your client ("TLS_ERROR: BIO read tls_read_plaintext error ...") is returned dirctly from the OpenSSL library as it attempts to process the TLS connection.
When dealing with validation issues, don't test using a local copy of the "issued" certs since that may not represent what the far peer is sending. You should get a current copy of the cert the server's live config is using, copy that to the client, and validate that copy against the client's local CA (again, the one referenced by its live config.)
Chances are good this will fail validation given your client's error. Common causes are using a miss-matched cert on the far system (your server) or a miss-matched CA on the local one (your client.)
More useful openvpn output can usually be had at --verb 4
as well.
@QueuingKoala Thanks for the help. Finally found out that it was the ns-cert-type server
option on the client side that was breaking things. Used to work with EasyRSA2, not sure if it's a bug or not.
For reference, the "Netscape" cert-type (aka nsCertType) field is not recommended by standards documents. Easy-RSA 3 no longer supports this by default, although support can be enabled if backwards-compatibility is required with a legacy system (see vars comments.)
Since it sounds like this question was resolved earlier, I'll close this issue.
I can't make an OpenVPN server work with the new easy-rsa 3.0 setup. Worked flawlessly in the past with the bundled 2.0-branch. Tried it on two separate host providers (one with a working legacy config).
I get a TLS error on my client (OSX 10.10 Viscosity):
Full server logs:
Only advice found so far is to regenerate the CA...
Ansible playbook used to generate the config: