SSL VPN - Certificate Validation Issue

Greetings,

I'm trying to set up SSL Remote Access, but I'm stuck on certificates.

We have a Windows-based PKI with an Offline Root CA > Root CA and an issuing enterprise CA > ADM1CA.

The client PC that tries to connect has both certificates installed.
Root CA > Local Machine > Trusted Root CA
ADM1CA > Local Machine > Intermediate CA

On our UTM I installed ADM1CA as CA with private key.

The SSL Installer delivers two certificates:
utm..ca
utm..user

Both certificates look valid.

But while trying to connect, certificate validation fails.

Wed Sep 16 08:29:33 2015 TLS: Initial packet from [AF_INET]80.152.58.170:443, sid=419cac96 6d346704
Wed Sep 16 08:29:33 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Wed Sep 16 08:29:33 2015 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: DC=de, DC=, CN=ADM1CA
Wed Sep 16 08:29:33 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 16 08:29:33 2015 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 16 08:29:33 2015 TLS Error: TLS handshake failed

Any ideas on how to resolve this issue?

Update: if I add the root CA to the file <Server>.ca.crt (it's just PEM-encoded text; I pasted the certificate block in at the end) then the client checks out OK, and this solves the verify problem previously posted.

Next issue: the server-side error "error=self signed certificate in certificate chain".
Well, yes, root CAs generally are self-signed...
The offending root CA is listed as a verification CA (it's the same one used by WebAdmin) on the CA page.

Thoughts welcome. My next step is to look at the UTM config to see whether it needs adjusting to understand this self-signed cert. After all, the factory-default VPN CA is self-signed too...
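The client-side failure in the first post (depth=1, no local issuer for ADM1CA) and the fix in this reply (appending the root to ca.crt) come down to one rule: OpenSSL treats ca.crt as the complete trust bundle and walks from the server certificate up through each issuer until it reaches a self-signed root that is itself in the bundle; a bundle holding only the issuing CA can never satisfy that. The Go program below is an added example, not Sophos or OpenVPN code: it generates a constructed Root CA > ADM1CA > server chain in memory and reimplements that walk, reproducing the depth=1 error when ca.crt holds ADM1CA alone and succeeding once the root is included.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed test certificate for cn, signed by parent (nil parent = self-signed).
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku}
	if parent == nil { // self-signed: the certificate is its own issuer
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyAgainstBundle mimics OpenSSL's check of a trusted bundle (OpenVPN's ca.crt): from the leaf,
// find each certificate's issuer inside the bundle and accept only when a self-signed root is reached.
func verifyAgainstBundle(leaf *x509.Certificate, bundle []*x509.Certificate) error {
	for depth, cur := 0, leaf; depth < 8; depth++ {
		var issuer *x509.Certificate
		for _, c := range bundle { // the issuer must be in the bundle and its key must verify cur
			if cur.CheckSignatureFrom(c) == nil {
				issuer = c
			}
		}
		if issuer == nil { // same shape as the OpenVPN log line, so the failing depth and subject show
			return fmt.Errorf("VERIFY ERROR: depth=%d, error=unable to get local issuer certificate: %s", depth, cur.Subject)
		}
		if issuer.CheckSignatureFrom(issuer) == nil { // self-signed root present in ca.crt: chain complete
			return nil
		}
		cur = issuer
	}
	return fmt.Errorf("certificate chain too long")
}
```

Build the chain with issue("Root CA", x509.KeyUsageCertSign, nil, nil), issue("ADM1CA", ...) signed by it and a server certificate signed by ADM1CA, then call verifyAgainstBundle with a bundle of just ADM1CA and again with ADM1CA plus the root to see the two outcomes.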