New certificates fail..log shows "plain text errors"

I may be having similar problems to some others but, in response to the email about the Russian troubles, I removed the previous certificate and installed one of the new ones available today. Actually, I started with the new default certificate and then tried the 'strong' one after having problems with the first, but they both fail to connect afterward. The log file indicates a 'plain text error' of some sort. I double checked and carefully copied and reinstalled them, but still no go..

  I've reinstalled the previous certificate and have connected again with no problems....so there appears to be a common problem with both of the new certificates, at least for me.

Comments

  • Same issue here too. Using OPENVPN client on Tomato Shibby. Replaced the CA cert using the last ZIP tonight after I could no longer connect and read about the Russia issues, but client will not connect. Similar 'plain text' syslog errors. I have not tried the older CA cert though as I only did this when I realized my VPN was not working this evening.
  • I'm also unable to establish a link to any PIA VPN server via pfSense after updating the CA certificate. The connection doesn't accept the CA certificate. From my sys logs:

    Time             Process  PID    Message
    Jul 11 22:05:13  openvpn  67502  VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
    Jul 11 22:05:13  openvpn  67502  OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Jul 11 22:05:13  openvpn  67502  TLS_ERROR: BIO read tls_read_plaintext error
    Jul 11 22:05:13  openvpn  67502  TLS Error: TLS object -> incoming plaintext read error
    Jul 11 22:05:13  openvpn  67502  TLS Error: TLS handshake failed
  • Similar log results here:

    Jul 11 23:18:13 home daemon.err openvpn[28751]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
    Jul 11 23:18:13 home daemon.err openvpn[28751]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
    Jul 11 23:18:13 home daemon.err openvpn[28751]: TLS Error: TLS object -> incoming plaintext read error
    Jul 11 23:18:13 home daemon.err openvpn[28751]: TLS Error: TLS handshake failed
    Jul 11 23:18:13 home daemon.notice openvpn[28751]: SIGUSR1[soft,tls-error] received, process restarting
  • I am experiencing the same issue using the certificate in the STRONG (udp) configuration file. Platform OPENWRT

    Tue Jul 12 15:39:15 2016 daemon.err openvpn(Netherlands_GW)[1666]: VERIFY ERROR: depth=1, flags=8, C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
    Tue Jul 12 15:39:15 2016 daemon.warn openvpn(Netherlands_GW)[1666]: CRL: CRL /etc/openvpn/crl.rsa.4096.pem is from a different issuer than the issuer of certificate C=US, ST=CA, L=LosAngeles, O=Private Internet Access, OU=Private Internet Access, CN=ecf414752c348831951f3b60178fa02e, ??=ecf414752c348831951f3b60178fa02e
    Tue Jul 12 15:39:15 2016 daemon.err openvpn(Netherlands_GW)[1666]: TLS_ERROR: read tls_read_plaintext error: -9984 X509 - Certificate verification failed, e.g. CRL, CA or signature check failed
    Tue Jul 12 15:39:15 2016 daemon.err openvpn(Netherlands_GW)[1666]: TLS Error: TLS object -> incoming plaintext read error
    Tue Jul 12 15:39:15 2016 daemon.err openvpn(Netherlands_GW)[1666]: TLS Error: TLS handshake failed

  • nomofica said:
    I'm also unable to establish a link to any PIA VPN server via pfSense after updating the CA certificate. The connection doesn't accept the CA certificate. From my sys logs:

    Time             Process  PID    Message
    Jul 11 22:05:13  openvpn  67502  VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
    Jul 11 22:05:13  openvpn  67502  OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Jul 11 22:05:13  openvpn  67502  TLS_ERROR: BIO read tls_read_plaintext error
    Jul 11 22:05:13  openvpn  67502  TLS Error: TLS object -> incoming plaintext read error
    Jul 11 22:05:13  openvpn  67502  TLS Error: TLS handshake failed
    Please post the following settings:

    System > Cert. Manager > CA and Certificate
    VPN > OpenVPN > Client
  • Running in Linux here, I get the stronger 256 encryption working with original certificate... remembering it's udp1197. The newly downloaded ovpn files changed to udp1198 from 1194. Server connects but no internet with either new or old cert.

  • nomofica said:
    I'm also unable to establish a link to any PIA VPN server via pfSense after updating the CA certificate. The connection doesn't accept the CA certificate. From my sys logs:

    Time             Process  PID    Message
    Jul 11 22:05:13  openvpn  67502  VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=US, ST=OH, L=Columbus, O=Private Internet Access, CN=Private Internet Access CA, [email protected]
    Jul 11 22:05:13  openvpn  67502  OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Jul 11 22:05:13  openvpn  67502  TLS_ERROR: BIO read tls_read_plaintext error
    Jul 11 22:05:13  openvpn  67502  TLS Error: TLS object -> incoming plaintext read error
    Jul 11 22:05:13  openvpn  67502  TLS Error: TLS handshake failed
    Please post the following settings:

    System > Cert. Manager > CA and Certificate
    VPN > OpenVPN > Client

    I reconfigured everything to match the instructions given in PIA's official guide on pfSense. My current configuration is identical to it, including the CA and internal certificates.
  • OmniNegro said:
    I've used the certificates in both the recommended default and strong configurations. The error remains the same, and I'm only able to connect (for maybe an hour) with the old CA certificate.
  • Sorry. I have no idea what is wrong then.
  • edited July 2016
    Hi guys,

    Sorry for the trouble here. The new certificates should work with the new port and encryption cipher settings. That is, port 1198 and encryption cipher AES-128-CBC for the standard settings/certificates, and port 1197 and encryption cipher AES-256-CBC for the strong settings/certificates.

    We're currently updating our instructions to note these changes. If you are using the appropriate port/cipher/certificate settings above and still having troubles, feel free to reach out to us with a ticket here so we can take a closer look:
    https://helpdesk.privateinternetaccess.com/hc/en-us/requests/new?ticket_form_id=300308
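
An added example, not part of the original thread and not PIA's own tooling: a small checker that reads an OpenVPN client config and tests it against the two port/cipher pairings given in the staff post above (1198 with AES-128-CBC, 1197 with AES-256-CBC). The sample config, the host name `vpn.example.net` and the function names are constructed for illustration.

```python
# Added example. Pairings come from the staff post in this thread.
PROFILES = {"standard": (1198, "AES-128-CBC"), "strong": (1197, "AES-256-CBC")}

# Constructed sample: new standard port combined with the strong cipher.
SAMPLE = """client
dev tun
proto udp
remote vpn.example.net 1198
cipher aes-256-cbc
"""

def parse_client_config(text):
    """Return (list of remote ports, cipher) from OpenVPN client config text."""
    ports, cipher, default_port = [], None, None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0][0] in "#;":
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "remote" and args:
            # remote <host> [port] [proto]; port may instead come from port/rport
            has_port = len(args) >= 2 and args[1].isdigit()
            ports.append(int(args[1]) if has_port else None)
        elif key in ("port", "rport") and args and args[0].isdigit():
            default_port = int(args[0])
        elif key == "cipher" and args:
            cipher = args[0].upper()
    return [default_port if p is None else p for p in ports], cipher

def check_profile(text):
    """Return (matched profile name or None, list of findings)."""
    ports, cipher = parse_client_config(text)
    findings = []
    if not ports:
        return None, ["no remote directive found"]
    if cipher is None:
        findings.append("no cipher directive; set it explicitly")
    for name, (port, want) in PROFILES.items():
        if all(p == port for p in ports):
            if cipher == want:
                return name, findings
            findings.append(f"port {port} is the {name} profile: "
                            f"cipher should be {want}, found {cipher}")
            return None, findings
    seen = ", ".join(sorted({str(p) for p in ports}))
    findings.append(f"remote port(s) {seen} match neither 1198 nor 1197")
    return None, findings

if __name__ == "__main__":
    print(check_profile(SAMPLE))
```

The checker only covers port and cipher; which CA file goes with which profile still has to be confirmed against the configuration bundle the certificate came from.
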
  • Thank you. I have the 2048 cert working just fine now with the new instructions.
  • doaks said:
    Hi guys,

    Sorry for the trouble here. The new certificates should work with the new port and encryption cipher settings. That is, port 1198 and encryption cipher AES-128-CBC for the standard settings/certificates, and port 1197 and encryption cipher AES-256-CBC for the strong settings/certificates.

    We're currently updating our instructions to note these changes. If you are using the appropriate port/cipher/certificate settings above and still having troubles, feel free to reach out to us with a ticket here so we can take a closer look:
    https://helpdesk.privateinternetaccess.com/hc/en-us/requests/new?ticket_form_id=300308
    The pfSense guide is still outdated and doesn't reflect the new port numbers. Took me a few hours of digging to find this post to make it work. It would be great if you all could update the guide.
  • edited February 2017
    It took me some time also to find the right set up to make it work.
  • Be sure you have NTP on, or at least the correct time set! This is the single thing that stopped me! 