We created a root crtificate, which unfortunately expired today in Azure VPN, I regenerated the certificate, upload it to Azure VPN, regenerated a client certificate and se up the OpenVPN configuration file. (After downloaadin the "VPN Client" from the Azure portal.
However, I keep getting "Peer certification verification failure" and I can't seem to understand why. Everything I read suggests that it is as there is a mismatch between the server and the client, however, I must be making the same mistakes, as I have followed the instructions below to generate the root certs, and the client certs::
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#cer
I've used the following open-ssl command to generate convert to a PEM file:
"C:\Program Files\OpenSSL-Win64\bin\openssl" pkcs12 -in child.pfx -out child.pem -clcerts
Then followed this for creating the OVPN file for the iOS device. (I have downloaded the OpenVPN Client to my desktop machine to make it easier to test)
https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-mac
I have done this more than once, as well as having "Reset" the VPN gateway, just to try and make sure that it isn't something weird going on.
Does anyone have any ideas as to where I am going wrong?
In case anyone comes across this, there are two things that I have done to fix this issue:
I ended up entering the name of the Root Certificate into the azure settings (the cn=psroot2025 part)
I had been using a windows version of OpenVPN to test the connections were working, by the looks of it, some versions of OpenVPN return the "Peer certification verification failure" error, although this is not the case. You need to download version 2.5.4 from https://openvpn.net/community-downloads/ instead of the latest and this seems to not have the same issue (I had originally installed vrsion 2.5.7.)
Hope that helps...
Related
First of all, a rookie, related to VPN/Security issues, so really
forgive me for whatever error I make while describing my problem,
and hope I'm able to make it clear.
Our contractors changed AVIATRIX-OKTA VPN for AWS-VPN with OKTA
Authentication, they send as an .ovpn file, that works ok for
Windows/MAC using AWS-Vpn-Client application software, but a
couple of us using Linux boxes (Ubuntu specifically) run the
described method in AWS which is: openvn config-file.ovpn,
and it does not work.
It simply asks for usr/pwd an then it fails with auth error (we use our OKTA credentials)
, seems nothing is configured to go to OKTA, open a browser or whatever it needs to do.
As an aside note, we can connect without any trouble to our k8s cluster using OKTA
client libraries, no sure is this is useful or not, just in case.
The .ovpn file looks like this
client
dev tun
proto tcp
remote random.cvpn-endpoint-xxxxxx.yyy.clientvpn.us-west-2.amazonaws.com 443
remote-random-hostname
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
verb 5
<ca>
....
....
....
</ca>
auth-user-pass
auth-federate
auth-retry interact
auth-nocache
reneg-sec 0
An interesting thing to notice is that openvpn complains about auth-federate
seems not to recognize it, so I started using gnome network-manager which seems
to accept this configuration, but getting Auth error too.
After this I tried openvpn3 which didn't complain about configuration,
but still getting the same error.
I also tried adding TOPT token to password and the same problem
Any help on how to configure it, or just know if it is possible, will be greatly welcome
, seems there is very little information around this in the net
and we are really stuck on this, we are willing not to change OS or machines as they
are asking to, or using VM just to connect.
Thanks in advance,
We have tried the solution mentioned in the following URL and it worked for us:
https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh
The detailed working of this solution is explained in :https://github.com/samm-git/aws-vpn-client/blob/master/aws-connect.sh.
We have made few changes in the configuration files to make it work.
Removed the following lines in vpn.conf.
auth-user-pass
auth-federate
Made the following change in line 38 in the script aws-connect.sh.
open "$URL"
to
xdg-open "$URL"
Finally I got an answer from AWS people:
If the Client VPN endpoint is configured using SAML-based
authentication (such as Okta), then you have to use the AWS-provided
client to connect:
https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/client-authentication.html#saml-requirements
And the promise to update del client documentation with a WARNING about
this.
I am currently trying to deploy a NuGet package to our local Nexus server from a Linux build machine (dotnet core project)
However, the Nexus server is running on HTTPS with a company domain certificate which is not recognised by my build machine.
When I run nuget push I get the following error:
Pushing App.1.0.0.nupkg to 'https://v-nexus/repository/nuget/'...
PUT https://v-nexus/repository/nuget/
An error was encountered when fetching 'PUT https://v-nexus/repository/nuget/'. The request will now be retried.
Error: TrustFailure (The authentication or decryption has failed.)
The authentication or decryption has failed.
Invalid certificate received from server. Error code: 0xffffffff800b010a
PUT https://v-nexus/repository/nuget/
An error was encountered when fetching 'PUT https://v-nexus/repository/nuget/'. The request will now be retried.
Error: TrustFailure (The authentication or decryption has failed.)
The authentication or decryption has failed.
Invalid certificate received from server. Error code: 0xffffffff800b010a
PUT https://v-nexus/repository/nuget/
Error: TrustFailure (The authentication or decryption has failed.)
The authentication or decryption has failed.
Invalid certificate received from server. Error code: 0xffffffff800b010a
I have tried:
Installing the server certificate globally (using update-ca-certificates)
Installing the certificate using certmgr
Is there any other way that I have missed, or is this a known issue using NuGet in Linux. (I am using docker containers so don't want the solution to be "use windows"!) This is forming part of our automated build system so I am limited to Linux docker containers.
One of my colleges, running Windows is able to push the package without any issues, so I know it's not an issue with the server.
This is a very old question but I came across it looking for an answer to this issue.
The problem seems to be Nuget, under Mono, is broken.
It's not really an answer but hopefully it helps somebody else.
I have tried to create VPN connection in my windows 8.1 machine.
I have followed the steps mentioned in the setup. While connecting Its shows the error message as:
"A certificate could not be found that can be used with this
Extensible Authentication Protocol. (Error 798)".
How to resolve this issue. Thanks in advance.
This typically means that the client certificate is not installed on the Windows machine you are trying to connect from.
On the client machine, please open "certmgr" from command prompt and verify that the client certificate (created/signed by the root certificate) is installed on the machine.
A couple more things to check or verify:
The P2S root cert, the one you uploaded to Azure, must be in the
machine's trusted root store in certmgr
Delete the re-install/import the client cert again, please ensure you
do NOT check the "Enable strong private key protection. ..."
(It's a long shot but ...) Check if the following regkey is set to 1:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
\SelectSelfSignedCert
If it still fails, collect tracing for further debugging from an elevated command prompt:
"netsh ras diag se tr en"
repro the issue (failed connect)
"netsh ras diag se tr dis"
Share/send the contents of your Windows\tracing folder
[Edit]
Just found another link with very extensive instructions to try:
https://www.tectimes.net/how-to-microsoft-azure-como-solucionar-el-error-798-a-certificate-could-not-be-used-with-this-extensible-authentication-protocol-en-windows-8-1-en-una-vpn-hacia-azure/
(In Spansh, you will need to translate the page.)
Thanks,
Yushun [MSFT]
I am using the following web2py slice in attempt to use https for a service worker function in a page.
http://www.web2pyslices.com/slice/show/1507/generate-ssl-self-signed-certificate-and-key-enable-https-encryption-in-web2py
I have tried opening web2py with the following line (with and without [-i IP and -p PORT]):
python web2py.py -c myPath/ssl_certificate.crt -k myPath/ssl_self_signed.key -i 127.0.0.1 -p 8000
but https is declared 'not private' and is crossed out. Because of this, I am getting a SSL certificate error when the registration of the service worker is attempted.
Please indicate what is going wrong or whether more information is needed
You mention "https is declared 'not private' and is crossed out". This has to do with browsers disliking not trusted (self-signed) certificates, because that's what trust is all about. If any hacker could just make up a certificate and the https client wouldn't respond with at least a frown, you could still be hacked or sniffed without noticing. Since you don't mention any other error, I assume you get otherwise valid results from the web2py server?
If so, you have setup your self-signed certificate well. If you don't get any valid html response (outside your browsers complaint, of course), you still have an issue with the setup.
If your service worker won't accept the certificate, what you can do (in a test environment at least) is import the self-signed certificate into the machine or service worker certificate repository. The process differs per OS and version.
Hope this helps. If it doesn't, please provide more detail.
The best way to use ssl with web2py is use of the deployment recipes with prodution-grade webservers like apache, nginx or Lighttpd.
Any of the mentioned scripts create a self-signed certificate, and then, you have to fix the generated server config files to a real certificate.
You can buy a real ssl certificate from any of many resellers or get for free from Let's Encript, if you have a real IP, like in a VPS or server.
A simple way to fix the config files is create a simbolic link from the real certificate to the one mentioned in the server config file.
To just test your service worker in your machine or a internal test server, just use a non-ssl port, or like Remco sugested, import the self-signed certificate to client environment.
Can anyone please help me to fix the below issue?
I am using libnss to implement tls connection between a server and a client,
Both are being run on a single machine.
First I tried to run ./certutil exe, I got the below output on console
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Then I tried running the server that is ./selfserv , but I got one error shown below, here -n (nickname) I am passing as SSL.
Is that right ? or what exactly going wrong here?
selfserv: Can't find certificate SSL
Also please explain me how to execute the server and client using mozilla nss with simple steps