OpenVPN Broken
Posted: Sat Nov 30, 2013 12:11 am
by gavstah
Hi all -
Has anyone had a similar problem after installing an SSL cert for SSTP?
I have a cert issued by geotrust installed, and SSTP works great, but after installing the geotrust cert on the server, it borks the openvpn connection - tried downloading a new openvpn config after installing the geotrust cert, but it's not working.
Funny thing is, openvpn works fine with the default cert on the server that's created during server install. Just not with one issued by a CA.
Any pointers in the right direction would be greatly appreciated.
Re: OpenVPN Broken
Posted: Sat Nov 30, 2013 1:02 am
by gavstah
Further to this, looking at the logs the connection attempt dies right here:
Nov 29 20:00:48: TLS Error: TLS object -> incoming plaintext read error
Nov 29 20:00:48: TLS Error: TLS handshake failed
Nov 29 20:00:48: SIGUSR1[soft,tls-error] received, process restarting
Re: OpenVPN Broken
Posted: Sat Nov 30, 2013 2:19 am
by inten
Did you add Geotrust Root CA cert?
http://www.geotrust.com/resources/root-certificates/
And check your remote (config) and cert CN are the same.
Re: OpenVPN Broken
Posted: Sat Nov 30, 2013 3:15 am
by inten
btw, in your log there should be something like:
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Why didn't you post the full error log here but just a part of it?
Re: OpenVPN Broken
Posted: Sun Dec 01, 2013 2:23 pm
by gavstah
CNs are the same.
But add the root cert to where? Client config file? Didn't see anywhere on the server admin to add it.
Re: OpenVPN Broken
Posted: Sun Dec 01, 2013 9:32 pm
by inten
SE has a problem (or a bug) working with chained certificates. Is your cert of chained type?
Re: OpenVPN Broken
Posted: Mon Dec 02, 2013 1:13 pm
by gavstah
Hi there - thanks for your help. No, it's just a plain-jane geotrust cert.
I do see an area for the CA file in the client config file. Is this where the geotrust root cert goes?
Re: OpenVPN Broken
Posted: Tue Dec 03, 2013 10:14 am
by inten
Yes, the client's config starting from <ca> till <ca> is a root cert.
Re: OpenVPN Broken
Posted: Tue Dec 03, 2013 4:21 pm
by gavstah
I have the geotrust global ca in there now in addition to the server generated cert - see screenshot at
http://screencast.com/t/cawy22pNVk5I
But I get this error trying to connect:
VERIFY ERROR: depth=0, error=unable to get local issuer certificate: . . . . .
Dec 03 10:51:28: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Do both certs need to be in inline format? Any ideas?
Re: OpenVPN Broken
Posted: Tue Dec 03, 2013 10:04 pm
by inten
Replace <ca>...<ca> with the next string:
ca your_root_cert_bundle_in_pem_format and write back with the log result.
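Added example (not from any post in this thread): the "depth=0 ... unable to get local issuer certificate" message above means the certificate the client found in its <ca> block (or behind a "ca <file>" directive) does not include the CA that issued the server certificate. The script below reproduces that with throwaway, locally generated certificates (the names "Example Root CA" and "vpn.example.test" are made up) and runs the same chain check with openssl verify, once with the issuing CA in <ca> and once with the server's own self-signed cert in its place, which is the mix-up the thread describes.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "unable to get local issuer
# certificate" failure by checking an .ovpn's <ca> block against the server
# certificate with openssl, the same chain building the OpenVPN client does.
# Every certificate below is a throwaway generated here; the names are made up.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA (stands in for the GeoTrust root) and a server cert it issues.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Example Root CA" -days 30 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=vpn.example.test" >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out srv.crt -days 30 >/dev/null 2>&1
# The server's original self-signed cert (what the installer generates).
openssl req -x509 -newkey rsa:2048 -nodes -keyout self.key -out self.crt \
  -subj "/CN=vpn.example.test" -days 30 >/dev/null 2>&1

# Minimal client config with the given PEM file inside <ca>...</ca>.
make_ovpn() {  # $1 = output .ovpn, $2 = PEM for the <ca> block
  { printf 'client\nremote vpn.example.test 1194\n<ca>\n'
    cat "$2"; printf '</ca>\n'; } > "$1"
}
make_ovpn good.ovpn ca.crt    # the issuing CA: chain builds
make_ovpn bad.ovpn  self.crt  # server's own cert in <ca>: issuer missing at depth 0

# Pull the inline <ca> block (or the file named by a "ca <file>" directive)
# and run the verification OpenVPN performs. Returns 0 only if the chain builds.
check_ovpn_ca() {  # $1 = .ovpn, $2 = server cert
  awk '/^<\/ca>$/{f=0} f{print} /^<ca>$/{f=1}' "$1" > extracted_ca.pem
  [ -s extracted_ca.pem ] || cp "$(awk '$1=="ca"{print $2; exit}' "$1")" extracted_ca.pem
  openssl verify -CAfile extracted_ca.pem "$2"
}

echo "--- <ca> holds the issuing CA:"
check_ovpn_ca good.ovpn srv.crt
echo "--- <ca> holds the server's self-signed cert instead:"
check_ovpn_ca bad.ovpn srv.crt || true
```

For a real config, point check_ovpn_ca at the downloaded .ovpn and at the server certificate exported from the server; a chained (intermediate-signed) server cert needs the intermediate in the bundle as well, or the same depth=0 error appears.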