This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

VERIFY X509NAME ERROR on remote SSL connection

Hello9,

i'm having an issue on a customer in which we can't connect using SSL VPN AT ALL.

logs shows:

Mon Sep 14 11:16:36 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Sep 14 11:16:37 2020 VERIFY OK: depth=1, C=ar, L=Esquel, O=ttttt "name" Ltda., CN=ttttt "name" Ltda. VPN CA, emailAddress=sssssssssss
Mon Sep 14 11:16:37 2020 VERIFY X509NAME ERROR: C=ar, L=Esquel, O=ttttt "name" Ltda., CN=firewall, emailAddress=sssssssss, must be C=ar, L=Esquel, O=ttttt 
Mon Sep 14 11:16:37 2020 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Mon Sep 14 11:16:37 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Sep 14 11:16:37 2020 TLS Error: TLS handshake failed

I'm baffled as to why this is occuring, test i've done which all fail the same way:

  • Using IP address of one of the WAN interfaces on the "override hostname"
  • Regenerating the local certificate authority
  • using different WAN links to not share the port with user portal
  • Using a public hostname

¿Could it be that since the company name has quotes in it that's breaking the verification? because the VERIFY X509NAME ERROR line in the log is truncated JUST before the first quote after the O= value

UTM is running 9.703, it's configured with a nonpublic system hostname as "hostname".



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    Did you re-download the configuration file from the user portal after regenerating the default certificate? If not, please re-download the configuration and try to connect. 

    Could you please provide the configuration screenshots for the SSL VPN settings, default certificate via PM so that I can verify the configuration?

    Thanks,

  • Yes i redownloaded the configuration file after every change.

    I did some test and the definitive problem is the quotes in the company name, i removed the quotes(and trailing period) and now it works perfectly.

    Here's the SSL config:

Reply Children
No Data