Help Center/ Virtual Private Network/ Troubleshooting/ P2C VPN/ Client Connection Failures/ The Client Log Contains "OpenSSL: error:0A000086:SSL routines::certificate verify failed"
Updated on 2024-12-10 GMT+08:00

The Client Log Contains "OpenSSL: error:0A000086:SSL routines::certificate verify failed"

Applicable Client

  • Linux
  • Windows OpenVPN GUI
  • Windows OpenVPN Connect

Symptom

A client cannot connect to a P2C VPN gateway, and the log contains the following error information:

OpenSSL: error:0A000086:SSL routines::certificate verify failed

Possible Causes

The server certificate used by the VPN gateway does not contain the Extended Key Usage attribute. As a result, certificate verification fails.

Procedure

  1. Check and verify that the generated server certificate contains the Extended Key Usage attribute, as shown in Figure 1.
    Figure 1 Extended Key Usage
    • A server certificate generated by the Easy-RSA shell command ./easyrsa build-server-full contains this attribute by default.
    • A server certificate issued through OpenSSL does not contain this attribute. You need to add extendedKeyUsage = serverAuth to the server certificate file.
  2. Host the server certificate containing this attribute in the CCM, replace the server certificate with a correct one on the Server tab page of the VPN gateway, and reconnect the client to the VPN gateway.