October 07, 2016
If you’re unable to connect to OpenVPN on Linux (Feodra 21, recent Ubuntu, etc) and are seeing errors like:
VERIFY ERROR: depth=0, error=certificate signature failure: C=AU, ST=WA, O=ExampleCompany, CN=server, emailAddress=example@example.com
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Then it could be that the remote certificate isn’t signed correctly or some other genuine issue exists.
However, if you’re on recent Fedora, Ubuntu or Debian releases you might also have a version of openssl that has the MD5 digest algorithm disabled by default. This will cause the certificate verification on OpenVPN to fail.
Try again with:
OPENSSL_ENABLE_MD5_VERIFY=1 openvpn client.ovpn
(or if you use sudo normally):
sudo OPENSSL_ENABLE_MD5_VERIFY=1 openvpn client.ovpn
to see if this causes the handshake to succeed.
If so, you might want to set that in your NetworkManager environment. How to do that depends on your distro.
Even better, just upgrade your certificate to SHA256.