

OpenVPN SSL Peer Certificate Verification Error

Hi,

We have an XGS2300 (SFOS 19.5.3 MR-3-Build652) with an SSL Remote Access VPN with OpenVPN clients.

Not sure if this was a Sophos or OpenVPN issue but I had to start somewhere.

I had a user call last night with a Peer Certificate Verification Error. When I tested my connection, I got the same error. Connected to Sophos Central, looked around, all looked ok. I hadn't changed anything and actually my own VPN was working fine earlier in the day. We did renew our certificate recently but this was a couple weeks ago. The previous (now expired) cert wasn't being used that I know of but did expire yesterday.

I changed the VPN cert to the appliance cert in a panic, same result. Changed it back again. A couple minutes later I tested and it worked. No idea why. As far as I know, I changed nothing.

I assume the expiring old cert did something, but for the life of me I can't figure out why it worked, then didn't, then did again.

Thanks,

Jeff



  • Hello,

    Thank you for reaching out to the community. In OpenVPN, the "Peer certificate verification failure" error usually occurs if the client fails to validate the certificate presented by the VPN server, if the certificate is not trusted by the client, or if there is any mismatch between the certificate and the server hostname. To resolve this issue, check that the certificate presented by the VPN server is signed by a trusted root CA.

    Thanks & Regards,

    Vivek Jagad | Team Lead, Technical Support, Global Customer Experience


  • I think I know what happened. I put the new cert on the firewalls and it worked fine for the local web UI, so I assumed all was good. But the VPN cert is a separate setting. I'm guessing it was still pointing at the old one, then when I did my panicked juggling and set it back to the way it was, I pointed it at the new one and then all worked.

    Next year I'll manually update the SSL VPN cert after installing the new one and see what happens.

    Thanks!

  • I had a few clients with exactly the same problem. My workaround was on the OpenVPN client --> Settings --> Advanced settings --> Security = Allow INSECURE cryptographic mechanisms.

  • Was this change required for a 3rd party certificate, a self-signed certificate, or the Appliance certificate?

  • Among 30 SSLVPN users with Android clients, only a few of them had problems. It was the Appliance certificate, default install, valid till 2038, with the self-signing CA also.

    The weird thing was, the customer called, I tried on my Samsung S21, and it worked. Then I tried another VPN user... oops, problem. I compared the working and non-working users' certificates and could not find any differences.

    So I came up with the mentioned workaround. I am not paid well enough to dig into the problem in depth.
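Both of the causes discussed in this thread (the SSL VPN certificate setting still pointing at an old, now-expired certificate, and a server certificate that does not chain to the CA the client trusts) can be checked from a workstation with the openssl CLI before users start calling. The bash script below is an added example, not code from the thread or from Sophos: it builds a throwaway lab CA and server certificate (constructed stand-ins, not the appliance's real certificates), pulls the `<ca>` block out of an OpenVPN profile, and reports whether the server certificate is untrusted by that CA or about to expire. The file names, the `vpn.example.test` CN, and the `extract_profile_ca`/`check_vpn_cert` functions are my own; it assumes openssl is on the PATH.

```bash
#!/usr/bin/env bash
# Added example (not Sophos or thread code): constructed lab PKI plus the two checks an
# OpenVPN client effectively performs on the server cert (chain to profile CA, validity).
set -euo pipefail

WORK="$(mktemp -d)"

make_lab_pki() {
  # Constructed stand-in for the appliance's signing CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Lab VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Server cert signed by that CA, valid only 1 day (the "about to expire" case)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/srv.crt" 2>/dev/null
  # Unrelated CA: plays the old CA still embedded in a stale client profile
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Old VPN CA" \
    -keyout "$WORK/old.key" -out "$WORK/old.crt" 2>/dev/null
  # Constructed .ovpn profile carrying the current CA inline, as OpenVPN profiles do
  { echo "client"; echo "<ca>"; cat "$WORK/ca.crt"; echo "</ca>"; } > "$WORK/user.ovpn"
}

# extract_profile_ca <profile.ovpn>: print the PEM between the <ca> and </ca> tags
extract_profile_ca() {
  sed -n '/^<ca>$/,/^<\/ca>$/p' "$1" | sed '1d;$d'
}

# check_vpn_cert <server.crt> <ca.crt> <warn_days>
# Prints untrusted | expiring | ok; exit status is 0 only for ok.
check_vpn_cert() {
  local crt="$1" ca="$2" warn_days="$3"
  if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
    echo untrusted; return 1   # what the client surfaces as a peer certificate verification failure
  fi
  # -checkend N exits non-zero if the certificate expires within N seconds
  if ! openssl x509 -in "$crt" -noout -checkend $((warn_days * 86400)) >/dev/null; then
    echo expiring; return 1
  fi
  echo ok
}

demo() {
  make_lab_pki
  extract_profile_ca "$WORK/user.ovpn" > "$WORK/profile_ca.crt"
  check_vpn_cert "$WORK/srv.crt" "$WORK/profile_ca.crt" 0          # ok: valid right now
  check_vpn_cert "$WORK/srv.crt" "$WORK/profile_ca.crt" 7 || true  # expiring: gone within a week
  check_vpn_cert "$WORK/srv.crt" "$WORK/old.crt" 7 || true         # untrusted: profile has stale CA
}
demo
```

Against a real deployment, point `check_vpn_cert` at the certificate currently selected as the SSL VPN certificate on the firewall and at the CA extracted from a user's downloaded profile; an "untrusted" result means the profiles need to be re-issued, an "expiring" result means the certificate setting needs attention before the date the old one expired on Jeff.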