Error: peer certificate verification failure

[Llmt]

I am having a problem when i try to use VPN through open vpn app. (iPhone and iPad)
It says “connection failed. There was an error attempting to connect to the selected server. Error message: peer certificate verification failure.”
Could you indicate me how to solve this problem?
Until yesterday, it has worked without any problem.
Thanks in advance.

[sisa22]

Same problem here. New ios updated trickers the errors?

[Llmt]

I don’t think so cuz I did the update after finding this problem.
And the update did not change anything.
Now the app doesn’t show the error message, but I still can’t use any VPN.

[cedar]

It seems that the VPN Gate service certificate has been renewed.
This issue may be a result of that.

[Llmt]

Now I can use VPN without any problem

[lamoz]

I do experiences same problem.

Is there solution yet?

Android: not working
iOS: not working
PC: works just fine

Lest is Most recent attempt to connect vpngate

—————
Log

[Dec 20, 2022, 11:02:14] START CONNECTION

[Dec 20, 2022, 11:02:14] ----- OpenVPN Start -----
OpenVPN core 3.git::081bfebe ios arm64 64-bit

[Dec 20, 2022, 11:02:14] OpenVPN core 3.git::081bfebe ios arm64 64-bit

[Dec 20, 2022, 11:02:14] Frame=512/2048/512 mssfix-ctrl=1250

[Dec 20, 2022, 11:02:14] UNUSED OPTIONS
5 [resolv-retry] [infinite]
6 [nobind]
7 [persist-key]
8 [persist-tun]
10 [verb] [3]

[Dec 20, 2022, 11:02:14] EVENT: RESOLVE

[Dec 20, 2022, 11:02:14] Contacting 218.221.110.198:1748 via TCPv4

[Dec 20, 2022, 11:02:14] EVENT: WAIT

[Dec 20, 2022, 11:02:14] Connecting to [218.221.110.198]:1748 (218.221.110.198) via TCPv4

[Dec 20, 2022, 11:02:14] EVENT: CONNECTING

[Dec 20, 2022, 11:02:14] Tunnel Options:V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client

[Dec 20, 2022, 11:02:14] Creds: UsernameEmpty/PasswordEmpty

[Dec 20, 2022, 11:02:14] Peer Info:
IV_VER=3.git::081bfebe
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305:AES-128-CBC
IV_IPv6=1
IV_AUTO_SESS=1
IV_GUI_VER=net.openvpn.connect.ios_3.3.2-5086
IV_SSO=webauth,openurl,crtext


[Dec 20, 2022, 11:02:14] VERIFY FAIL: depth=1, /C=US/O=Let's Encrypt/CN=R3, signature: RSA-SHA256 [unable to get local issuer certificate]

[Dec 20, 2022, 11:02:14] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

[Dec 20, 2022, 11:02:14] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed [ERR]

[Dec 20, 2022, 11:02:14] EVENT: DISCONNECTED

[Dec 20, 2022, 11:02:14] EVENT: CORE_THREAD_DONE

[Dec 20, 2022, 11:02:14] EVENT: DISCONNECT_PENDING

[Dec 20, 2022, 11:02:14] Raw stats on disconnect:
BYTES_IN : 3351
BYTES_OUT : 345
PACKETS_IN : 3
PACKETS_OUT : 3
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1


[Dec 20, 2022, 11:02:14] Performance stats on disconnect:
CPU usage (microseconds): 27981
Network bytes per CPU second: 132089
Tunnel bytes per CPU second: 0

[sisa22]

Now I can use VPN without any problem

but how you solve this ty in advance

[sisa22]

Oh, mine works now too ...

[mso]

Are you experiencing the same problem again?
How can you prevent it from happening again?

[Takagiri]

I got "certificate verification failure" message today.
Please help.

[WuttiGate2006]

Now we can't connect to VPN either. Failed server certificate status I am a user from Thailand. If it works then let me know

[ishan_D]

I am facing similar issue but in my case it's server certificate. Following is the error log:

Code: Select all

stdout: 2023-03-18 12:12:41 OpenVPN 2.5.1 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on May 14 2021
2023-03-18 12:12:41 library versions: OpenSSL 1.1.1n  15 Mar 2022, LZO 2.10
open_vpn_utl stdout: 2023-03-18 12:12:41 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
open_vpn_utl stdout: 2023-03-18 12:12:41 TCP/UDP: Preserving recently used remote address: [AF_INET]163.182.174.159:8080
open_vpn_utl stdout: 2023-03-18 12:12:41 Socket Buffers: R=[180224->180224] S=[180224->180224]
open_vpn_utl stdout: 2023-03-18 12:12:41 UDP link local: (not bound)
open_vpn_utl stdout: 2023-03-18 12:12:41 UDP link remote: [AF_INET]163.182.174.159:8080
open_vpn_utl stdout: 2023-03-18 12:12:41 TLS: Initial packet from [AF_INET]163.182.174.159:8080, sid=656ce834 4337ac03
open_vpn_utl stdout: 2023-03-18 12:12:42 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
open_vpn_utl stdout: 2023-03-18 12:12:42 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
open_vpn_utl stdout: 2023-03-18 12:12:42 VERIFY ERROR: depth=0, error=certificate has expired: CN=opengw.net, serial=270090734479764202226505740823661288419396
open_vpn_utl stdout: 2023-03-18 12:12:42 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
open_vpn_utl stdout: 2023-03-18 12:12:42 TLS_ERROR: BIO read tls_read_plaintext error
open_vpn_utl stdout: 2023-03-18 12:12:42 TLS Error: TLS object -> incoming plaintext read error
2023-03-18 12:12:42 TLS Error: TLS handshake failed
open_vpn_utl stdout: 2023-03-18 12:12:42 SIGUSR1[soft,tls-error] received, process restarting

open_vpn_utl stdout: 2023-03-18 12:12:42 Restart pause, 5 second(s)
open_vpn_utl stdout: 2023-03-18 12:12:47 All connections have been connect-retry-max (1) times unsuccessful, exiting

Anyone aware how to fix or report this to get the servers fixed?

[groundzero]

Only the person that manages the server certificate can fix this. As a user, your only option is to temporarily disable certificate verification until this issue is fixed (or forever if nobody cares anymore). OpenVPN client doesn't allow you to disable certificate verification, so just use another client. One such client is SoftEther VPN Client. Just be aware that It's utter crap compared to OpenVPN client, and its only advantages are this (disabling certificate verification) and the ability to select a virtual hub.

[iddqd]

i have the same problem now

[mso]

Only the person that manages the server certificate can fix this. As a user, your only option is to temporarily disable certificate verification until this issue is fixed (or forever if nobody cares anymore). OpenVPN client doesn't allow you to disable certificate verification, so just use another client. One such client is SoftEther VPN Client. Just be aware that It's utter crap compared to OpenVPN client, and its only advantages are this (disabling certificate verification) and the ability to select a virtual hub.

I see, unfortunately, there is very little that can be done on the part of the user. I hope I won't have the same problem again in 3 months.

While I couldn't connect, I was wondering if I could use the `tls-cipher "DEFAULT:@SECLEVEL=0"` setting that I found on a search engine, but it is easier to use SoftEther than that. I'll keep that in mind.

[groundzero]

Well, they renewed the certificate so everything should be working fine now. The certificate expires on June 15 2023.

As for --tls-cipher, that wouldn't help because it's just a list of TLS ciphers to use. As I said, only the person who manages the server certificate is able to fix things like this.