
VPN ssl fails after certificate renewal

We have renewed the company's wildcard certificate and installed it as a certificate authority certificate on the UTM firewall.

We noticed that the firewall has regenerated all users' certificates based on the updated wildcard certificate.

Since then no one is able to connect via SSL VPN, with the following error in the client logs:

Mon Mar 29 20:08:24 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Mar 29 20:08:24 2021 VERIFY ERROR: depth=1, error=unable to get issuer certificate: /C=US/O=DigiCert Inc/CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
Mon Mar 29 20:08:24 2021 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon Mar 29 20:08:24 2021 TLS Error: TLS object -> incoming plaintext read error
Mon Mar 29 20:08:24 2021 TLS Error: TLS handshake failed
Mon Mar 29 20:08:24 2021 SIGUSR1[soft,tls-error] received, process restarting

We have added all the public certificate chain certificates in the firewall as well, with no luck.

We tried to remove the users from the firewall and have them recreated by logging into the user portal and downloading the VPN config file again, but the error still happens.

Has anyone come across this before?

thanks



  • Hello Stefano,

    If you exchanged the SSL certificate in the SSL-VPN config (see picture) as well, this behaviour is as designed.

    You can try to switch this setting back to the certificate you used in the SSL configuration before.

    Otherwise you have to hand out the new SSL-VPN configuration to all of your users.

    With kind regards, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    Could you please confirm that you've selected the new renewed wildcard certificate as 'Server certificate' under Remote Access > SSL > Advanced?

    Also, share the output of openvpn.log from the shell.

    ==> Log in to the shell, run the command below and try to connect the SSL VPN client

    root# tail -f /var/log/openvpn.log

  • Hello

    We decided to regenerate the certificate used for the VPN and asked the users to update the client configuration.

    thanks
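The VERIFY ERROR at depth=1 in the original post means the CA the client trusts cannot issue the chain the server now presents, which is why regenerating the configs fixed it. The following shell script is an added example (not from this thread or from Sophos) that reproduces that mismatch offline with constructed root, intermediate and server certificates, and shows the openssl check an admin can run against a user's .ovpn before redistributing configs. It assumes openssl is on PATH and that the client config embeds its CA in a <ca> block, as in the constructed sample; all names and files are made up for the demo.

```shell
# Added example, not from the thread or from Sophos. Assumes openssl is on PATH;
# every CN, file name and the sample .ovpn below are constructed for the demo.
set -e
WORK=$(mktemp -d)
# Minimal openssl config: empty DN section (we pass -subj), a CA extension
# section for the roots and intermediate, and a leaf section for the server.
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\n' > "$WORK/ext.cnf"
printf 'keyUsage=keyCertSign,cRLSign\n[leaf_ext]\nbasicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' >> "$WORK/ext.cnf"

# mk_root NAME CN: self-signed root CA written to $WORK/NAME.key and NAME.crt
mk_root() {
  openssl req -x509 -config "$WORK/ext.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 30 -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
}
# sign NAME CN ISSUER EXTSECTION: key and certificate for NAME issued by ISSUER
sign() {
  openssl req -new -config "$WORK/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -days 30 -extfile "$WORK/ext.cnf" -extensions "$4" -out "$WORK/$1.crt" 2>/dev/null
}
mk_root old-root "Old Root CA (constructed)"            # what the users' .ovpn still trust
mk_root new-root "New Root CA (constructed)"            # where the renewed chain now ends
sign inter  "Issuing CA (constructed)" new-root ca_ext  # intermediate (GeoTrust's role in the log)
sign server "vpn.example.test"         inter    leaf_ext

# Constructed client config that still embeds the OLD root in its <ca> block.
{ printf 'client\nremote vpn.example.test 443\n<ca>\n'
  cat "$WORK/old-root.crt"; printf '</ca>\n'; } > "$WORK/user.ovpn"

# extract_ca OVPN: print the PEM between <ca> and </ca>
extract_ca() { awk '$0=="<ca>"{f=1;next} $0=="</ca>"{f=0} f' "$1"; }

# verify_chain TRUSTED_PEM SERVER_CRT: the issuer lookup the VPN client performs.
# Only TRUSTED_PEM is trusted; the intermediate is -untrusted because the server
# sends it during the handshake. Prints "ok" (exit 0) or depth and reason (exit 1).
verify_chain() {
  if out=$(openssl verify -no-CAfile -no-CApath -CAfile "$1" \
           -untrusted "$WORK/inter.crt" "$2" 2>&1); then
    echo ok; return 0
  fi
  echo "$out" | grep -o 'at [0-9]* depth lookup: *unable to get .*issuer certificate' | head -n 1
  return 1
}

extract_ca "$WORK/user.ovpn" > "$WORK/client-ca.pem"
verify_chain "$WORK/client-ca.pem" "$WORK/server.crt" || true   # fails at depth 1, like the client log
verify_chain "$WORK/new-root.crt"  "$WORK/server.crt"           # -> ok
```

Pointing extract_ca at a real user's .ovpn and verify_chain at the certificate the firewall now serves tells you, before redistribution, whether that config will still complete the TLS handshake.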