Can’t connect to OpenVPN on Linux, VERIFY_ERROR, TLS_ERROR?

If you’re unable to connect to OpenVPN on Linux (Fedora 21, recent Ubuntu, etc.) and are seeing errors like:

VERIFY ERROR: depth=0, error=certificate signature failure: C=AU, ST=WA, O=ExampleCompany, CN=server, [email protected]
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

Then it could be that the remote certificate isn’t signed correctly or some other genuine issue exists.

However, if you’re on a recent Fedora, Ubuntu or Debian release, you might also have a version of OpenSSL that has the MD5 digest algorithm disabled by default. A certificate signed with MD5 will then fail verification in OpenVPN.

Try again with:

OPENSSL_ENABLE_MD5_VERIFY=1 openvpn client.ovpn

(or if you use sudo normally):

sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn client.ovpn

to see if this causes the handshake to succeed.

If so, you might want to set that in your NetworkManager environment. How to do that depends on your distro.

Even better, just upgrade your certificate to SHA256.
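
To confirm that MD5 is the cause before changing anything, this added example (not from the original post) prints the signature algorithm of every certificate in the files you pass it, including ones inlined in a .ovpn profile. It only sees certificates you hold locally; the server certificate from the depth=0 error arrives during the handshake. The script name and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: sh check_digest.sh client.ovpn ca.crt   (file names are placeholders)

# Write every PEM certificate found in file $1 to $2/certN.pem. Works for bare
# .crt/.pem files and for certificates inlined in a .ovpn profile.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem"; on = 1 }
        on { print > out }
        /-----END CERTIFICATE-----/ { on = 0; close(out) }
    ' "$1"
}

# Read `openssl x509 -text` output on stdin, print the first signature algorithm.
sig_alg_from_text() {
    sed -n '/Signature Algorithm:/{s/.*Signature Algorithm: *//p;q;}'
}

# MD5 is the digest the post says newer OpenSSL builds refuse to verify.
digest_verdict() {
    case "$1" in
        *[Mm][Dd]5*) echo "MD5, reissue with SHA256" ;;
        "")          echo "unknown" ;;
        *)           echo "not MD5" ;;
    esac
}

# Report file, subject, signature algorithm and verdict for each certificate.
check_file() {
    tmp=$(mktemp -d) || return 1
    split_certs "$1" "$tmp"
    for pem in "$tmp"/cert*.pem; do
        [ -f "$pem" ] || continue
        alg=$(openssl x509 -in "$pem" -noout -text | sig_alg_from_text)
        subj=$(openssl x509 -in "$pem" -noout -subject)
        printf '%s | %s | %s | %s\n' "$1" "$subj" "$alg" "$(digest_verdict "$alg")"
    done
    rm -rf "$tmp"
}

for f in "$@"; do check_file "$f"; done
```

A line ending in "MD5, reissue with SHA256" for the CA or client certificate means the environment variable above is only a stopgap for that certificate chain.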
