I can't connect to my VPN server with the XCA generated cert files…
My server log said:
Dec 28 17:17:47 coyote2 daemon.err openvpn: 80.xx.xxx.xx:57038 TLS_ERROR: BIO read tls_read_plaintext error: error:0D11A0A2:asn1 encoding routines:ASN1_mbstring_copy:unknown format
Dec 28 17:17:47 coyote2 daemon.err openvpn: 80.xx.xxx.xx::57038 TLS Error: TLS object -> incoming plaintext read error
Dec 28 17:17:47 coyote2 daemon.err openvpn: 80.xx.xxx.xx::57038 TLS Error: TLS handshake failed
I tried to use my "easy-rsa certs" template and to reuse their key and CSR, but I always get the same error.
I tried to import my easy-rsa created certs and export them to file, and they work properly, so it cannot be an export problem…
As far as I can compare the contents of the certs (XCA vs EasyRSA), there is no difference… but somehow the result is not the same :(
The XCA generated server certs work fine… just the client certs have problems.
Any ideas to solve this?
The message: "ASN1_mbstring_copy:unknown format" indicates a problematic string-type.
If you look at the details of the 2 certificates in XCA, leave your mouse over the subject name entries.
The Tooltip shows the string type like UTF8STRING or PRINTABLESTRING.
Can you see differences between the easy-rsa and XCA certs there?
Thank you Chris!
The string type was different while the openssl.cnf string_mask was set to nombstr… but the xca default stringtype is utf8… if I set it to T61 for example, the self-generated certs work… great! :)
Do you have an idea, why the UTF8 strings do not work on the client side?
What versions of openvpn and openssl does the client have, and what OS is it running on?
In the openssl.cnf the parameter "string_mask = nombstr" is the default. Because of this, the server masked out my utf8 strings… I'm not certain of it, but maybe this is a deprecated thing…
OpenVPN 2.1.4 + OpenSSL 0.9.80 @ Win7
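
The string-type comparison suggested in the thread can also be done outside the XCA tooltip. The following is an added example, not code from any poster or from XCA/OpenVPN: it walks the DER encoding of a subject Name and reports the ASN.1 string type of each attribute. The function names and the CN=client1 sample bytes are constructed for illustration.

```python
# Added example, not code from the thread. Sample bytes below are constructed.
TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x14: "T61String",
        0x16: "IA5String", 0x1E: "BMPString"}
ATTRS = {"550403": "CN", "550406": "C", "55040a": "O", "55040b": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_string_types(name_value):
    """Map attribute name -> ASN.1 string type for the contents of a Name."""
    types = {}
    for _, rdn in children(name_value):      # RelativeDistinguishedName (SET)
        for _, atv in children(rdn):         # AttributeTypeAndValue (SEQUENCE)
            (_, oid), (str_tag, _) = list(children(atv))[:2]
            types[ATTRS.get(oid.hex(), oid.hex())] = TAGS.get(str_tag, hex(str_tag))
    return types

def subject_string_types(cert_der):
    """Find the subject Name in a DER certificate and report its string types."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    fields = list(children(tbs))
    skip = 1 if fields[0][0] == 0xA0 else 0  # optional [0] version field
    return name_string_types(fields[skip + 4][1])  # serial, sigAlg, issuer, validity, subject

def type_mismatches(a, b):
    """Attributes present in both Names whose string types differ."""
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}

# Constructed Name contents: CN=client1 as PrintableString and as UTF8String.
PRINTABLE_NAME = bytes.fromhex("3110300e0603550403" "1307" "636c69656e7431")
UTF8_NAME = bytes.fromhex("3110300e0603550403" "0c07" "636c69656e7431")

if __name__ == "__main__":
    print(type_mismatches(name_string_types(PRINTABLE_NAME), name_string_types(UTF8_NAME)))
```

subject_string_types() expects a DER-encoded certificate; a PEM file can be converted with `openssl x509 -in cert.pem -outform DER -out cert.der`.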