Updated on 2025-05-26 GMT+08:00

The Client Log Contains "peer Certificate Verification Failure"

Applicable Client

Windows OpenVPN Connect

Symptom

A client cannot connect to a P2C VPN gateway, and the log contains the following error information:

peer certificate verification failure

Possible Causes

  • The certificate chain of the server certificate is incomplete. As a result, the client cannot verify the validity of the CA certificate in the configuration file.
  • The length of the CA certificate chain in the client configuration exceeds 3.

Procedure

  1. Check whether the length of the CA certificate chain in the client configuration is too long.
    1. Open the client_config.ovpn file using Notepad or Notepad++.
    2. Check the number of CA certificates in the client configuration file. If there are more than three, perform the following operations to upload the correct CA certificate to the VPN gateway and regenerate the client configuration file:
    1. Log in to the management console.
    2. Click in the upper left corner and select the desired region and project.
    3. Click in the upper left corner, and choose Networking > Virtual Private Network.
    4. In the navigation pane on the left, choose Virtual Private Network > Enterprise – VPN Gateways.
    5. Click the P2C VPN Gateways tab, locate the target VPN gateway, and click View Server in the Operation column.
    6. Upload a CA certificate.
      1. On the Server tab page, choose Certificate authentication from the Client Authentication Mode drop-down list box, and click Upload CA Certificate.
      2. Set parameters as prompted.
        Table 1 Parameters for uploading a CA certificate

        Parameter: Name
          Description: This parameter can be modified.
          Example Value: ca-cert-xxxx

        Parameter: Content
          Description: Use a text editor (for example, Notepad++) to open the signature certificate file in PEM format, and copy the certificate content to this text box.
            NOTE:
            • It is recommended to use a certificate with a strong cryptographic algorithm, such as RSA-3072 or RSA-4096.
            • Certificates with RSA-2048 keys carry risks. Exercise caution when using such certificates.
          Example Value:
            -----BEGIN CERTIFICATE-----
            Certificate content
            -----END CERTIFICATE-----

      3. Click OK.
    7. Delete the incorrect CA certificate.
      1. On the Server tab page, click Delete in the Operation column of the incorrect client CA certificate.
      2. In the Delete CA Certificate dialog box, click OK.
    8. Download the new client configuration file.

      The downloaded client configuration file is client_config.zip.

    9. Decompress client_config.zip to a specified directory, for example, D:\.

      After the decompression, the client_config.ovpn and client_config.conf files are generated.

    10. Open the client_config.ovpn file using Notepad or Notepad++.
    11. Add the client certificate and private key to the file.
      Enter the client certificate content and the corresponding private key between the <cert></cert> and <key></key> tags, respectively. An example is as follows:
      <cert>
      -----BEGIN CERTIFICATE-----
      Client certificate content
      -----END CERTIFICATE-----
      </cert>
      
      <key>
      -----BEGIN PRIVATE KEY-----
      Client private key
      -----END PRIVATE KEY-----
      </key>
    12. Save the .ovpn configuration file.
    13. Start the OpenVPN client.
    14. Import the new client configuration file.
    15. Use the client to reconnect to the VPN gateway.
  2. Check whether the server certificate chain is complete.
    1. Open the client_config.ovpn file using Notepad or Notepad++.
    2. Check the number of CA certificates in the client configuration file.
    3. Double-click each CA certificate in the client configuration file, click the Certification Path tab, and check whether the issuers and subjects of the certificates form a complete certificate chain.
      • If the issuer and subject of the top-level certificate are the same, the certificate chain is complete, as shown in Figure 1.
        [Figure 1: Complete CA certificate chain]
      • If the issuer and subject of the top-level certificate are different, the certificate chain is incomplete. Perform the following operations to supplement the certificate chain information:
      1. Create a Notepad file.
      2. Copy the CA certificate content in client_config.ovpn to the new Notepad file. The format of the certificate content is as follows:
        <ca>
        -----BEGIN CERTIFICATE-----
        CA certificate
        -----END CERTIFICATE-----
        </ca>
      3. Save the file and name it ca.crt.
      4. Double-click the CA certificate, click the Certification Path tab, and view the upper-level certificate of the CA certificate.
      5. Select the upper-level certificate, and click View Certificate. A new window containing the upper-level certificate is displayed.
      6. Click the Details tab, and click Copy to File.
      7. Click Next.
      8. Select Base-64 encoded and click Next.
      9. Enter a file name, for example, root-ca.cer.
      10. Click Next and then Finish.

        If the configuration file contains two CA certificates, export the upper-level certificates of the two CA certificates.

      11. Open the root-ca.cer and client_config.ovpn files using Notepad or Notepad++.
      12. Copy the content of the upper-level certificate from root-ca.cer and paste it directly below the existing CA certificate, inside the <ca></ca> tags, in the client_config.ovpn file.

        The format of the certificate content is as follows:

        -----BEGIN CERTIFICATE-----
        Existing CA certificate
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        Upper-level CA certificate
        -----END CERTIFICATE-----
      13. Save the .cer certificate file.
      14. Start the OpenVPN client.
      15. Import the new client configuration file.
      16. Use the client to reconnect to the VPN gateway.
      17. Press Win+R and enter cmd to open the command window.
      18. Run ping XX.XX.XX.XX, where XX.XX.XX.XX indicates the private IP address of the ECS to be connected. Replace it with the actual private IP address.

        If information similar to the following is displayed, the client can communicate with the ECS:

        64 bytes from XX.XX.XX.XX: icmp_seq=1 ttl=63 time=1.27 ms
        64 bytes from XX.XX.XX.XX: icmp_seq=2 ttl=63 time=1.36 ms
        64 bytes from XX.XX.XX.XX: icmp_seq=3 ttl=63 time=1.40 ms
        64 bytes from XX.XX.XX.XX: icmp_seq=4 ttl=63 time=1.29 ms
        64 bytes from XX.XX.XX.XX: icmp_seq=5 ttl=63 time=1.35 ms
        64 bytes from XX.XX.XX.XX: icmp_seq=6 ttl=63 time=1.52 ms
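The two manual checks in the procedure above (whether the <ca> block holds more than three CA certificates, and whether the top-level certificate's issuer equals its subject so that the chain is complete) can also be run offline against client_config.ovpn. The following script is an added example and is not part of the Huawei documentation or the OpenVPN project; it assumes the CA certificates are inline PEM between <ca> and </ca>, reads the issuer and subject fields with a minimal DER walk (no third-party library), and uses constructed, unsigned stand-in certificates as sample data so that it runs without real gateway material.

```python
"""Offline check of the <ca> block in an OpenVPN client_config.ovpn file:
flags more than three CA certificates and an incomplete chain (top-level
certificate whose issuer and subject differ), the two causes named above."""
import base64
import re

MAX_CHAIN_LEN = 3          # limit stated in the troubleshooting page
OID_CN = b"\x55\x04\x03"   # id-at-commonName (2.5.4.3)


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed element's content into raw child TLVs (headers included)."""
    kids, pos = [], 0
    while pos < len(value):
        _, _, end = der_tlv(value, pos)
        kids.append(value[pos:end])
        pos = end
    return kids


def cert_names(der_cert):
    """Return the raw DER encodings of (issuer, subject) from an X.509 certificate."""
    tbs = der_children(der_tlv(der_cert)[1])[0]          # Certificate -> tbsCertificate
    fields = der_children(der_tlv(tbs)[1])
    if fields[0][0] == 0xA0:                             # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2], fields[4]   # serial, signature, issuer, validity, subject, ...


def common_name(name_der):
    """Pull the CN attribute out of a DER Name for readable reporting."""
    for rdn in der_children(der_tlv(name_der)[1]):             # SET OF ...
        for atv in der_children(der_tlv(rdn)[1]):              # SEQUENCE { OID, value }
            oid, value = der_children(der_tlv(atv)[1])
            if der_tlv(oid)[1] == OID_CN:
                return der_tlv(value)[1].decode("utf-8", "replace")
    return "<no CN>"


PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def ca_certs_from_ovpn(text):
    """Return the DER certificates found between <ca> and </ca> in an .ovpn file."""
    m = re.search(r"<ca>(.*?)</ca>", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(m.group(1) if m else "")]


def check_ca_chain(ovpn_text):
    """Apply both checks; a top-level cert is one whose issuer is not another cert's subject."""
    names = [cert_names(c) for c in ca_certs_from_ovpn(ovpn_text)]
    subjects = {s for _, s in names}
    tops = [(i, s) for i, s in names if i == s or i not in subjects]
    return {
        "count": len(names),
        "common_names": [common_name(s) for _, s in names],
        "too_long": len(names) > MAX_CHAIN_LEN,
        "chain_complete": bool(names) and all(i == s for i, s in tops),
        "missing_issuers": [common_name(i) for i, s in tops if i != s],
    }


# --- constructed sample data (not real certificates: unsigned, placeholder key) ---
def der(tag, content):
    """Encode one DER TLV; lengths below 256 are enough for these samples."""
    hdr = bytes([len(content)]) if len(content) < 128 else b"\x81" + bytes([len(content)])
    return bytes([tag]) + hdr + content


def x509_name(cn):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID commonName, UTF8String cn }."""
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))


def fake_cert(subject_cn, issuer_cn):
    """X.509-shaped DER with only the fields the checker reads filled in meaningfully."""
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA OID
    validity = der(0x30, der(0x17, b"250101000000Z") + der(0x17, b"350101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + x509_name(issuer_cn) + validity + x509_name(subject_cn) + der(0x30, der(0x05, b"")))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


def pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


ROOT = fake_cert("Example Root CA", "Example Root CA")          # issuer == subject
ISSUING = fake_cert("Example Issuing CA", "Example Root CA")    # signed by the root
HEADER = "client\ndev tun\nremote vpn.example.invalid 443\n"    # constructed .ovpn lines
INCOMPLETE_OVPN = HEADER + "<ca>\n" + pem(ISSUING) + "</ca>\n"  # only the issuing CA: incomplete
COMPLETE_OVPN = HEADER + "<ca>\n" + pem(ISSUING) + pem(ROOT) + "</ca>\n"

if __name__ == "__main__":
    for label, cfg in (("incomplete", INCOMPLETE_OVPN), ("complete", COMPLETE_OVPN)):
        print(label, check_ca_chain(cfg))
```

To use it on a real file, read client_config.ovpn into a string and pass it to check_ca_chain; missing_issuers names the upper-level certificate that still has to be exported and pasted below the existing one, and too_long mirrors the three-certificate limit from Possible Causes. Comparing the raw DER Name encodings rather than decoded strings avoids false matches between names that only look alike after decoding.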

If the problem persists, submit a service ticket to contact Huawei technical support.