Lab Access OpenVPN certificate verify failed

I’m having connection issues regarding my vpn to access labs.
Here’s the log:

2022-05-10 14:54:31 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2022-05-10 14:54:31 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2022-05-10 14:54:31 OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
2022-05-10 14:54:31 library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
2022-05-10 14:54:31 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-05-10 14:54:31 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-05-10 14:54:31 TCP/UDP: Preserving recently used remote address: [AF_INET]43.249.38.1:1337
2022-05-10 14:54:31 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-05-10 14:54:31 UDP link local: (not bound)
2022-05-10 14:54:31 UDP link remote: [AF_INET]43.249.38.1:1337
2022-05-10 14:54:31 TLS: Initial packet from [AF_INET]43.249.38.1:1337, sid=b5e6b6e9 56c757a9
2022-05-10 14:54:31 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb, emailAddress=info@hackthebox.eu, serial=1
2022-05-10 14:54:31 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2022-05-10 14:54:31 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-10 14:54:31 TLS Error: TLS object -> incoming plaintext read error
2022-05-10 14:54:31 TLS Error: TLS handshake failed
2022-05-10 14:54:31 SIGUSR1[soft,tls-error] received, process restarting
2022-05-10 14:54:31 Restart pause, 5 second(s)
2022-05-10 14:54:36 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-05-10 14:54:36 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
2022-05-10 14:54:36 TCP/UDP: Preserving recently used remote address: [AF_INET]43.249.38.1:1337
2022-05-10 14:54:36 Socket Buffers: R=[212992->212992] S=[212992->212992]
2022-05-10 14:54:36 UDP link local: (not bound)
2022-05-10 14:54:36 UDP link remote: [AF_INET]43.249.38.1:1337
2022-05-10 14:54:36 TLS: Initial packet from [AF_INET]43.249.38.1:1337, sid=e63a3b89 fddde13b
2022-05-10 14:54:36 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb, emailAddress=info@hackthebox.eu, serial=1
2022-05-10 14:54:36 OpenSSL: error:0A000086:SSL routines::certificate verify failed
2022-05-10 14:54:36 TLS_ERROR: BIO read tls_read_plaintext error
2022-05-10 14:54:36 TLS Error: TLS object -> incoming plaintext read error
2022-05-10 14:54:36 TLS Error: TLS handshake failed
2022-05-10 14:54:36 SIGUSR1[soft,tls-error] received, process restarting
2022-05-10 14:54:36 Restart pause, 5 second(s)

Can anyone help me with this?
Thanks

I can confirm this error with OpenVPN version 2.5.5.

OpenVPN version 2.5.1 creates a connection while version 2.5.5 gives the error message.

A quick and dirty fix is to add a line

tls-cipher DEFAULT:@SECLEVEL=0

in the first section in the ovpn file.

6 Likes

What a life saver, my dude. It is working now.

Thanks

1 Like

Getting this error: Options error: You must define TUN/TAP device (--dev)

Other responses pointed me here but my original problem is Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error

Any solutions please!

Can you please post the output (= the log) from openvpn with the error message.

I have no idea how to fix the error based on the error message alone. I hope the openvpn call and the messages from openvpn before the error give a hint to the cause of the error.

I have a similar problem. I’m new here and I try to access with my Ubuntu.

This is my current system version

PRETTY_NAME="Ubuntu 22.04.1 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.1 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

The syslog says

Sep 24 23:52:13 machine nm-openvpn[24191]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Sep 24 23:52:13 machine nm-openvpn[24191]: TCP/UDP: Preserving recently used remote address: [AF_INET]173.208.98.30:1337
Sep 24 23:52:13 machine nm-openvpn[24191]: UDP link local: (not bound)
Sep 24 23:52:13 machine nm-openvpn[24191]: UDP link remote: [AF_INET]173.208.98.30:1337
Sep 24 23:52:14 machine nm-openvpn[24191]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb, emailAddress=info@hackthebox.eu, serial=1
Sep 24 23:52:14 machine nm-openvpn[24191]: OpenSSL: error:0A000086:SSL routines::certificate verify failed
Sep 24 23:52:14 machine nm-openvpn[24191]: TLS_ERROR: BIO read tls_read_plaintext error
Sep 24 23:52:14 machine nm-openvpn[24191]: TLS Error: TLS object -> incoming plaintext read error
Sep 24 23:52:14 machine nm-openvpn[24191]: TLS Error: TLS handshake failed
Sep 24 23:52:14 machine nm-openvpn[24191]: SIGUSR1[soft,tls-error] received, process restarting
Sep 24 23:52:20 machine NetworkManager[756]: <warn>  [1664085140.7028] vpn[0x564b00f3e830,c50a7cf1-3a26-440b-98c1-5ddcef4f4bdd,"lab_nemouter"]: connect timeout exceeded
Sep 24 23:52:20 machine nm-openvpn-serv[24187]: Connect timer expired, disconnecting.
Sep 24 23:52:20 machine nm-openvpn[24191]: SIGTERM[hard,init_instance] received, process exiting

And my .ovpn file already contains the line tls-cipher DEFAULT:@SECLEVEL=0

client
dev tun
proto udp
remote edge-us-free-3.hackthebox.eu 1337
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3
data-ciphers-fallback AES-128-CBC
data-ciphers AES-256-CBC:AES-256-CFB:AES-256-CFB1:AES-256-CFB8:AES-256-OFB:AES-256-GCM
tls-cipher "DEFAULT:@SECLEVEL=0"
auth SHA256
key-direction 1

This is the version of my openvpn client

OpenVPN 2.5.5 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 22 2022
library versions: OpenSSL 3.0.2 15 Mar 2022, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2021 OpenVPN Inc <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_maintainer_mode=no enable_management=yes enable_multihome=yes enable_option_checking=no enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_werror=no enable_win32_dll=yes enable_x509_alt_username=yes with_aix_soname=aix with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_sysroot=no

I appreciate any help you can give me!

The content of the ovpn file looks good. I also use Ubuntu 22.04.1 with OpenVPN 2.5.5 and connect to the VPN of HTB.

I simply use the openvpn tool in the console, not the openvpn plugin in the nm (network-manager). It is possible that the nm modifies the configuration. My tip is to check the VPN connections with the openvpn command line tool and compare the results.

1 Like
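The comparison suggested in the reply above can be made mechanical. This is an added example, not code from any poster or from OpenVPN: it parses the VERIFY ERROR line and checks whether the profile already carries a `tls-cipher ... @SECLEVEL=0` override, which separates "OpenSSL's security level rejected the certificate" from "the override is in the profile but the client that ran did not apply it". The sample inputs are constructed from lines quoted in this thread; the function names and status strings are hypothetical.

```python
import re

# Constructed sample inputs, modelled on the syslog lines and profile quoted in this thread.
SAMPLE_LOG = """\
Sep 24 23:52:14 machine nm-openvpn[24191]: VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=UK, ST=City, L=London, O=HackTheBox, CN=htb, name=htb, emailAddress=info@hackthebox.eu, serial=1
Sep 24 23:52:14 machine nm-openvpn[24191]: TLS Error: TLS handshake failed
"""
SAMPLE_PROFILE = """\
client
dev tun
comp-lzo
tls-cipher "DEFAULT:@SECLEVEL=0"
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (\S+=.*)$")
SECLEVEL_RE = re.compile(r"@SECLEVEL=(\d)")

def parse_verify_errors(log_text):
    """Return one dict per VERIFY ERROR line: chain depth, OpenSSL reason, subject fields."""
    found = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            subject = dict(p.split("=", 1) for p in m.group(3).split(", ") if "=" in p)
            found.append({"depth": int(m.group(1)), "error": m.group(2), "subject": subject})
    return found

def profile_seclevel(ovpn_text):
    """Return the @SECLEVEL of an active (uncommented) tls-cipher line, or None."""
    for raw in ovpn_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("tls-cipher"):
            m = SECLEVEL_RE.search(line)
            if m:
                return int(m.group(1))
    return None

def triage(log_text, ovpn_text):
    """Correlate the handshake failure with what the profile asks for."""
    weak = [e for e in parse_verify_errors(log_text) if "digest algorithm too weak" in e["error"]]
    level = profile_seclevel(ovpn_text)
    if not weak:
        return "no-weak-digest-error"
    if level != 0:
        return "rejected-by-openssl-security-level"
    # The profile lowers the level to 0, yet the error persists: the option never reached this client.
    return "override-in-profile-but-not-applied"
```

A result of `override-in-profile-but-not-applied` matches the NetworkManager case in this thread, where the same profile should be checked with the openvpn command line tool.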

Thank you very much for the help.

Using the command line interface is the solution in my case.

UPDATE:
I am using sudo to execute openvpn on the terminal

1 Like