
TLS Handshake Failed in SSL VPN access

I am receiving this error when trying to connect via SSL VPN to the portal.

2017-11-25 21:52:18 TCPv4_CLIENT link remote: [AF_INET]XX.XX.XX.XX:443
2017-11-25 21:52:18 MANAGEMENT: >STATE:1511668338,WAIT,,,
2017-11-25 21:52:18 MANAGEMENT: >STATE:1511668338,AUTH,,,
2017-11-25 21:52:18 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:443, sid=7273b871 8de32caf
2017-11-25 21:52:18 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=NA, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
2017-11-25 21:52:18 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-11-25 21:52:18 TLS_ERROR: BIO read tls_read_plaintext error
2017-11-25 21:52:18 TLS Error: TLS object -> incoming plaintext read error
2017-11-25 21:52:18 TLS Error: TLS handshake failed
2017-11-25 21:52:18 Fatal TLS error (check_tls_errors_co), restarting
2017-11-25 21:52:18 SIGUSR1[soft,tls-error] received, process restarting
2017-11-25 21:52:18 MANAGEMENT: >STATE:1511668338,RECONNECTING,tls-error,,
2017-11-25 21:52:18 MANAGEMENT: CMD 'hold release'

I am currently using a public DNS record on port 443. I have a CA-signed wildcard domain (*.domain.com) which I'm using
for my VPN certificate. My VPN is vpn.domain.com.
I also use this for my portal / reverse proxy, and it is verified by the browser as a valid certificate.

The above error occurs when I attempt to use this same certificate in my SSL VPN configuration.
If I use a user-signed certificate or my self-signed webadmin cert, the SSL connects fine.

Any help is appreciated!
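The VERIFY ERROR line in the log above is the OpenVPN client reporting OpenSSL's X.509 chain-validation result: depth 0 is the server's own certificate, depth 1 and up are the issuing CA certificates, and "unable to get issuer certificate" means the issuer of the certificate at that depth was not found in the client's trusted CA set (the ca directive or <ca> block of the profile). As an added triage helper, not code from this thread or from Sophos/OpenVPN, the following Python script parses such lines, splits out depth, error string and subject DN, and maps the error to the link of the chain the client could not validate. The sample log lines are constructed from the post above; the function and tag names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample input: the OpenVPN client lines quoted in the post above.
SAMPLE_LOG = """\
2017-11-25 21:52:18 TLS: Initial packet from [AF_INET]XX.XX.XX.XX:443, sid=7273b871 8de32caf
2017-11-25 21:52:18 VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=NA, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2
2017-11-25 21:52:18 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2017-11-25 21:52:18 TLS Error: TLS handshake failed
"""

# OpenVPN prints the verify-callback result as:
#   VERIFY ERROR: depth=<n>, error=<OpenSSL verify error string>: <subject DN>
VERIFY_RE = re.compile(
    r"VERIFY ERROR: depth=(?P<depth>\d+), error=(?P<error>[^:]+): (?P<subject>.+)$"
)


@dataclass
class VerifyError:
    depth: int               # 0 = server leaf certificate, 1.. = issuing CA certificates
    error: str               # OpenSSL X509 verify error string
    subject: Dict[str, str]  # parsed DN of the certificate that failed at this depth


def parse_dn(dn: str) -> Dict[str, str]:
    """Split 'C=NA, O=GlobalSign nv-sa, CN=AlphaSSL CA - SHA256 - G2' into a dict.
    Assumes OpenVPN's ', '-separated one-line DN form (values here contain no commas)."""
    fields: Dict[str, str] = {}
    for item in dn.split(", "):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def parse_verify_errors(log: str) -> List[VerifyError]:
    """Return every VERIFY ERROR reported in an OpenVPN client log, in order."""
    found: List[VerifyError] = []
    for line in log.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            found.append(VerifyError(int(m["depth"]), m["error"].strip(), parse_dn(m["subject"])))
    return found


def classify(err: VerifyError) -> str:
    """Map OpenSSL error string + depth to the link of the chain the client could not validate."""
    if err.error in ("unable to get issuer certificate", "unable to get local issuer certificate"):
        # The issuer of the certificate at this depth is absent from the client's trust store.
        # At depth 0 that is the server leaf's issuer; at depth >= 1 it is the issuer of an
        # intermediate, which is normally the root CA.
        return "missing-issuer-of-leaf" if err.depth == 0 else "missing-issuer-of-intermediate"
    if err.error == "self signed certificate":
        return "untrusted-self-signed-leaf"
    if err.error == "self signed certificate in certificate chain":
        return "untrusted-root"
    if err.error == "certificate has expired":
        return "expired"
    return "other"


# Defender-side guidance per classification (tag names are this example's own).
GUIDANCE = {
    "missing-issuer-of-leaf": "The client's ca bundle does not contain the CA that signed the server certificate.",
    "missing-issuer-of-intermediate": "The chain reaches an intermediate CA whose own issuer (normally the root) "
                                      "is not in the client's ca bundle; put the root in the profile's ca and "
                                      "have the server send the full chain (leaf + intermediate).",
    "untrusted-self-signed-leaf": "The server presented a self-signed certificate that is not in the client's ca bundle.",
    "untrusted-root": "The chain ends in a root that the client's ca bundle does not trust.",
    "expired": "A certificate in the chain is past its notAfter date; check the client clock and renew the certificate.",
    "other": "Unrecognised verify error; read the OpenSSL error string literally.",
}


def triage(log: str) -> List[str]:
    """One report line per verify error: depth, subject CN, classification and guidance."""
    report: List[str] = []
    for err in parse_verify_errors(log):
        tag = classify(err)
        cn = err.subject.get("CN", "<no CN>")
        report.append(f"depth={err.depth} CN='{cn}' [{tag}] {GUIDANCE[tag]}")
    return report


if __name__ == "__main__":
    for line in triage(SAMPLE_LOG):
        print(line)
```

Run against the sample, the single error is classified as missing-issuer-of-intermediate: the certificate at depth 1 is the AlphaSSL intermediate CA itself, so what the client could not find is that intermediate's issuer in its own ca set. The tool deliberately reads only the client's log; it does not connect anywhere, so it can be run on a log sent in by a user before anyone touches the server configuration.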



  • I suggest that you repeat the download of VPN SSL components from the User Portal or Web Admin pages.

    SSL VPN should find a client certificate that represents you, one that is issued by UTM under its own VPN CA. "unable to get issuer certificate" suggests to me that your user certificate is not found.

    Beyond that, I am stumped. SSL VPN works fine on my configuration, which has always used a public CA for the UTM address.
