Cosy connection openvpn nsCertType ERROR

Ewon Support
#1

Hi support team,
we are trying to connect ewon cosy to a other Openvpn server.

firmware version is Firmware: 14.6s0 (#2118)

client configuration is

client
dev tun
proto udp
remote 208.87.129.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /usr/ca.crt
cert /usr/cart240.crt
key /usr/cart240.key
ns-cert-type server
tls-exit
cipher BF-CBC
verb 6
;mute 20

server configuration is


port 1194
proto udp
dev tun
ca ca.crt
cert cartserver10.crt
key cartserver10.key  # This file should be kept secret
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
cipher BF-CBC
tls-cipher DEFAULT:@SECLEVEL=0
data-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:BF-CBC

tls-version-min 1.0
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 6
explicit-exit-notify 1

but currentrly we receive from cosy this errors

    TLS Error: TLS handshake failed
    TLS Error: TLS object → incoming plaintext read error
    TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
    VERIFY nsCertType ERROR: /CN=cartserver10, require nsCertType=SERVER

we are unable to understand which kind of issue we are facing
Any ideas as to why the Ewon can’t connect to openvpn?

Thanks

#2

Which directions did you follow to set this up?

We have an app note for setting up the Ewon with OpenVPN on Ubuntu/Debian here.

We also have these instructions for pfsense:
pfSense OpenVPN with Ewon setup.pdf (328.6 KB)

For more in depth support for this issue, you should contact your local Ewon support team at support.hms-networks.com.

#3

hi kyle
I follow your guide but still have the same error.

#4

Certificate verification is not working. It doesn’t look like you included a path to the certs on the server, not sure if that’s related or not, but I’d highly recommend you open a support case at support.hms-networks.com. Include a backup of the Ewon with support files, the server config file, and logs from the server.