Error message attempting to get the install key file from the Remote Access tab of the UTM User Portal

When I log in to the UTM User Portal, go to the Remote Access tab, and click on the Install button to "... install the SSL VPN configuration on (my) iOS™ device", I get the message "Error getting SSLVPN package, subtype config, user REF_AaaUseBthomson".

I had OpenVPN working from my iPhone but encountered problems after I changed the certificates associated with the UTM server and with my ID. I was able to log in through VPN using the Sophos SSL VPN Client on my laptop, but now it can't connect either. It gets the same error message as I get on my iPhone.

I have tried reloading OpenVPN on my iPhone, but to no avail. It almost seems as if the problem is really with my attempt to "Install"/download the key file package from the User Portal, before OpenVPN even sees it. I've tried reinstalling the Sophos SSL VPN Client through the User Portal, but it also gives that same error message.


Any suggestions on how to proceed?

I appreciate any assistance you can offer.

Bill



  • Bill, I would delete the bthompson user object along with the associated certificate and then resync the username from your active directory or re-create it if you don't use backend authentication.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks, Bob

    That was a good start. I deleted the bthomson user object and then recreated it (not using any Active Directory), but I'm still having a problem with the client handling the certificate. Here is the section of the log file created by the Sophos SSL VPN Client.


    Mon Mar 28 20:34:49 2016 TCPv4_CLIENT link local: [undef]
    Mon Mar 28 20:34:49 2016 TCPv4_CLIENT link remote: [AF_INET]71.228.239.77:443
    Mon Mar 28 20:34:49 2016 MANAGEMENT: >STATE:1459215289,WAIT,,,
    Mon Mar 28 20:34:49 2016 MANAGEMENT: >STATE:1459215289,AUTH,,,
    Mon Mar 28 20:34:49 2016 TLS: Initial packet from [AF_INET]71.228.239.77:443, sid=12fdbd4a 5f036917
    Mon Mar 28 20:34:50 2016 VERIFY OK: depth=1, C=us, L=Nashville, TN, O= , CN=  VPN CA, emailAddress=bthomson7504@gmail.com
    Mon Mar 28 20:34:50 2016 VERIFY ERROR: could not extract CN from X509 subject string ('C=us, L=Nashville, TN') -- note that the username length is limited to 64 characters
    Mon Mar 28 20:34:50 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Mon Mar 28 20:34:50 2016 TLS Error: TLS object -> incoming plaintext read error
    Mon Mar 28 20:34:50 2016 TLS Error: TLS handshake failed
    Mon Mar 28 20:34:50 2016 Fatal TLS error (check_tls_errors_co), restarting
    Mon Mar 28 20:34:50 2016 SIGUSR1[soft,tls-error] received, process restarting
    Mon Mar 28 20:34:50 2016 MANAGEMENT: >STATE:1459215290,RECONNECTING,tls-error,,
    Mon Mar 28 20:34:50 2016 Restart pause, 5 second(s)

    When I first set up the UTM server, on the Management > System Settings screen, on the Organization tab, I set the city field to 'Nashville, TN'. Now I see in the log file the Subject string 'C=us, L=Nashville, TN, O= ,CN= VPN'. The parser finds the C attribute equal to 'us', the L attribute equal to 'Nashville', and an unexpected 'TN' attribute without the trailing equals sign, and chokes there. I have since gone back and redefined the city field on the Organization tab to 'Nashville', leaving off the ', TN', but as I see from the log file the city is still set to 'Nashville, TN'. If this is, in fact, the error, how do I fix it in the database?

    Bill
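An added example (my own Python, not code from this thread, from OpenVPN or from Sophos) that reproduces the parsing hazard Bill describes: in a comma-separated X.509 subject string, a comma inside the L= value is indistinguishable from an attribute separator unless it is escaped as RFC 4514 requires. The subject strings are constructed from the VERIFY line in the log above, and naive_split is a simplified stand-in for the client's parser, not OpenVPN's real code.

```python
# Added example (not from the thread, OpenVPN or Sophos): why a comma inside
# an X.509 subject value breaks CN extraction, and how RFC 4514 escaping
# avoids it. naive_split is a simplified stand-in, not OpenVPN's parser.
from typing import Dict, Optional

# Constructed from the VERIFY line in the log: the L= value contains a comma.
SUBJECT_BROKEN = "C=us, L=Nashville, TN, O= , CN= VPN CA"
# The same subject with the embedded comma escaped as RFC 4514 requires.
SUBJECT_ESCAPED = r"C=us, L=Nashville\, TN, O= , CN= VPN CA"

# Characters that must be escaped inside an RDN value (RFC 4514 section 2.4).
RFC4514_SPECIAL = set(',+"\\<>;=')


def naive_split(subject: str) -> Optional[Dict[str, str]]:
    """Split on ', ' with no escape handling. Returns None at the first
    token lacking '=' (here the bare 'TN'), so no CN can be extracted."""
    attrs: Dict[str, str] = {}
    for token in subject.split(", "):
        if "=" not in token:
            return None
        key, _, value = token.partition("=")
        attrs[key.strip()] = value.strip()
    return attrs


def rfc4514_split(subject: str) -> Dict[str, str]:
    """Minimal RFC 4514 tokenizer: a backslash escapes the next character,
    so '\\,' stays inside the value. A bare token raises rather than
    silently dropping part of the locality."""
    attrs: Dict[str, str] = {}
    key, buf, escaped = None, [], False
    for ch in subject + ",":          # trailing ',' flushes the last value
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip(), []
        elif ch == ",":
            if key is None:
                raise ValueError(f"dangling token {''.join(buf).strip()!r}")
            attrs[key] = "".join(buf).strip()
            key, buf = None, []
        else:
            buf.append(ch)
    return attrs


def rfc4514_escape(value: str) -> str:
    """Escape a field value (e.g. the Organization tab's city entry) before
    it goes into a DN: 'Nashville, TN' becomes 'Nashville\\, TN'."""
    return "".join("\\" + ch if ch in RFC4514_SPECIAL else ch for ch in value)
```

The practical check this gives a UTM admin is to run rfc4514_escape over every Organization-tab value before generating a CA, or simply to keep such fields free of the special characters listed in RFC4514_SPECIAL.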

  • Use the trick referred to in The Zeroeth Rule in

    That will leave you with all new certificates based on a new CA. You now know not to play around with the underlying certificate chain.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA