Help with cryptic error in openvpn connection to HTB

Hi folks !

I’m having this irritating error when trying to connect to HTB with openvpn:

WWR2024-02-03 16:31:00 us=584349 TLS: Initial packet from [AF_INET], sid=4ab55ee5 6605ce9d
WWRWRWR2024-02-03 16:31:00 us=833510 VERIFY OK: depth=1, C=UK, ST=City, L=London, O=HackTheBox, CN=HackTheBox CA, name=htb,
2024-02-03 16:31:00 us=833575 VERIFY ERROR: depth=0, error=certificate signature failure: C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb,, serial=2
2024-02-03 16:31:00 us=833607 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2024-02-03 16:31:00 us=833619 TLS_ERROR: BIO read tls_read_plaintext error
2024-02-03 16:31:00 us=833632 TLS Error: TLS object → incoming plaintext read error
2024-02-03 16:31:00 us=833643 TLS Error: TLS handshake failed
2024-02-03 16:31:00 us=833752 TCP/UDP: Closing socket

I’ve tried to change server (EUR 01 & 03), protocol (UDP and TCP), regenerate multiple openvpn configs … Tried an old trick found somewhere in the forum about a tls-cipher option. Same issue.

My config is a fresh RHEL 9, openvpn 2.5.9, OpenSSL 3.0.1.

Thank you for your help !!!

This error indicates an issue with verifying the authenticity of the certificate provided by the server. Here are a few steps you can try:

  1. Ensure that your system’s date and time are correctly set. An incorrect system clock can cause certificate verification failures.
  2. Double-check that you’re using the correct configuration files provided by HackTheBox. Any discrepancies in the configuration can lead to verification errors.
  3. Verify that your OpenSSL installation is functioning correctly. You can try reinstalling OpenSSL or downgrading to a more stable version if necessary.
  4. Consider reaching out to HackTheBox support for assistance. They may be able to provide specific guidance or solutions tailored to their platform.

Thanks for your help !
After banging my head against the walls for too long with this, I gave up and started a VM with a Kali… No more problem, but I’ll stay a bit frustrated… Maybe some CA file is missing on my machine, and thus this signature error for the server certificate. But I haven’t time now to further investigate this with openssl.


To address the issue of the missing CA file and rectify the signature error for the server certificate, you can take the following steps:

  1. Identify the CA Certificate: First, determine the Certificate Authority (CA) responsible for issuing the server certificate triggering the error. Typically, this information accompanies the error message.
  2. Obtain the CA Certificate: Locate and acquire the CA certificate corresponding to the CA identified in the previous step. You can usually find this certificate on the CA’s website or through other trusted sources.
  3. Install the CA Certificate: Once you have the CA certificate file, proceed to install it on your local machine. The installation process varies depending on your operating system and browser:
  • On Linux: Copy the CA certificate file to the /usr/local/share/ca-certificates/ directory, then execute sudo update-ca-certificates to update the certificate store.
  • On Windows: Utilize the Certificate Manager tool to import the CA certificate into the Trusted Root Certification Authorities store.
  • On macOS: Use the Keychain Access utility to import the CA certificate into the System Roots keychain.
  4. Verify Installation: After installing the CA certificate, ensure it has been successfully added to your system’s trusted certificate store. You can verify this by checking the list of trusted certificates in your operating system or browser settings.
  5. Test Connection: Once the CA certificate is installed, attempt to reconnect to the server that previously encountered the signature error. With the CA certificate now in place, the server certificate will undergo validation against the trusted CA certificate. The error should no longer persist if the installation was successful.

By following these outlined steps, you should be equipped to resolve the signature error associated with the server certificate, stemming from the absence of the CA file on your local machine.
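A small log-triage script, added here as an example (it is not from this thread, nor HackTheBox's or OpenVPN's own tooling), that parses the VERIFY lines from the log in the first post and reads off at which depth of the chain verification stopped. It assumes the log format shown above (OpenVPN 2.5 with a verbosity high enough to print the R/W packet markers) and the standard OpenSSL verify error strings; the second sample log, with a missing issuer, is constructed to show the contrasting case. In the poster's log, depth=1 (the HackTheBox CA) verified OK, so the CA was found; the failure is the signature check on the depth=0 server certificate, which is a different problem from a CA that is absent from the trust list.

```python
"""Triage OpenVPN TLS certificate-verification failures from client log lines."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# At a high --verb, OpenVPN prints one "R"/"W" per packet read/written; the
# markers end up glued to the front of the next timestamped line.
LINE_RE = re.compile(
    r"^[RW]*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) us=(?P<us>\d+) (?P<msg>.*)$"
)
VERIFY_RE = re.compile(
    r"^VERIFY (?P<result>OK|ERROR): depth=(?P<depth>\d+), "
    r"(?:error=(?P<error>.*?): )?(?P<subject>.*)$"
)

# OpenSSL X509 verify error strings that OpenVPN passes through, grouped by
# what they say about the chain the client was configured with.
ERROR_CLASSES = {
    "certificate signature failure": "signature",
    "unable to get local issuer certificate": "missing_issuer",
    "unable to get issuer certificate": "missing_issuer",
    "self signed certificate in certificate chain": "untrusted_root",
    "self-signed certificate in certificate chain": "untrusted_root",
    "certificate has expired": "validity",
    "certificate is not yet valid": "validity",
}

HINTS = {
    "signature": (
        "The issuer at depth {issuer_depth} was accepted, but its signature over the "
        "certificate at depth {depth} does not verify: the ca/<ca> in the .ovpn does not "
        "match what this server presents, or the file is corrupted. Re-download the "
        "config; OpenVPN checks only the ca/<ca> it was given, not the OS trust store."
    ),
    "missing_issuer": (
        "Nothing in the configured ca/<ca> signed the certificate at depth {depth}; "
        "the CA bundle in the config is incomplete."
    ),
    "untrusted_root": (
        "The chain ends in a self-signed root at depth {depth} that is not in the "
        "configured ca/<ca>."
    ),
    "validity": (
        "The certificate at depth {depth} is outside its validity window according to "
        "this host's clock; check the system date and time first."
    ),
    "other": "Unclassified verify error at depth {depth}; see the OpenSSL line that follows.",
}


@dataclass
class Diagnosis:
    ok_depths: List[int] = field(default_factory=list)
    failed_depth: Optional[int] = None
    error: Optional[str] = None
    subject: Optional[str] = None
    category: Optional[str] = None
    hint: str = ""


def parse_line(raw: str) -> Optional[Tuple[str, str]]:
    """Strip packet markers and split a log line into (timestamp, message)."""
    m = LINE_RE.match(raw)
    return (m.group("ts"), m.group("msg")) if m else None


def diagnose(log_text: str) -> Diagnosis:
    """Walk the VERIFY lines and report where in the chain verification stopped."""
    diag = Diagnosis()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        v = VERIFY_RE.match(parsed[1])
        if v is None:
            continue
        depth = int(v.group("depth"))
        if v.group("result") == "OK":
            diag.ok_depths.append(depth)
        elif diag.failed_depth is None:  # keep the first failure only
            diag.failed_depth = depth
            diag.error = v.group("error")
            diag.subject = v.group("subject")
            diag.category = ERROR_CLASSES.get(diag.error or "", "other")
            diag.hint = HINTS[diag.category].format(depth=depth, issuer_depth=depth + 1)
    if diag.failed_depth is None:
        diag.hint = "no VERIFY ERROR found" + ("" if diag.ok_depths else " (no VERIFY lines at all)")
    return diag


# Sample 1: the lines quoted in the first post of the thread.
SAMPLE_LOG = """\
WWR2024-02-03 16:31:00 us=584349 TLS: Initial packet from [AF_INET], sid=4ab55ee5 6605ce9d
WWRWRWR2024-02-03 16:31:00 us=833510 VERIFY OK: depth=1, C=UK, ST=City, L=London, O=HackTheBox, CN=HackTheBox CA, name=htb,
2024-02-03 16:31:00 us=833575 VERIFY ERROR: depth=0, error=certificate signature failure: C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb,, serial=2
2024-02-03 16:31:00 us=833607 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2024-02-03 16:31:00 us=833643 TLS Error: TLS handshake failed
"""

# Sample 2 (constructed): what a genuinely missing CA looks like instead.
MISSING_CA_LOG = """\
2024-02-03 16:40:00 us=100000 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=UK, ST=City, L=London, O=HackTheBox, CN=HackTheBox CA
2024-02-03 16:40:00 us=100100 TLS Error: TLS handshake failed
"""

if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("constructed missing-CA log", MISSING_CA_LOG)):
        d = diagnose(log)
        print(f"{name}: OK at depths {d.ok_depths}, failed at depth {d.failed_depth} ({d.error})")
        print("  ", d.hint)
```

Run it against a real client log with `diagnose(open("client.log").read())`; the first VERIFY ERROR decides the category, and the `ok_depths` list tells you how far up the chain the configured CA was actually accepted before the failure.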