id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
742,Windows client self-signed sha256 certificate verify failed,vitaliy69,Samuli Seppänen,"I generate certificates for OpenVPN server manually using this [https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto] instruction with vars file ([https://github.com/OpenVPN/easy-rsa/blob/master/easyrsa3/vars.example]). Use SHA256 algorithm. Install them, server successfully restarted. However, Windows client cannot connect to server:

''Wed Sep 28 12:41:46 2016 OpenVPN 2.3.12 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 23 2016
Wed Sep 28 12:41:46 2016 Windows version 6.1 (Windows 7) 64bit
Wed Sep 28 12:41:46 2016 library versions: OpenSSL 1.0.1t 3 May 2016, LZO 2.09
Enter Management Password:
Wed Sep 28 12:41:47 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:47 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:49 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:49 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:49 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:49 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:49 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:49 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:51 2016 UDPv4 link local: [undef]
Wed Sep 28 12:41:51 2016 UDPv4 link remote: [AF_INET]5.167.100.107:1194
Wed Sep 28 12:41:51 2016 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=OpenVPN CA
Wed Sep 28 12:41:51 2016 OpenSSL: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 28 12:41:51 2016 TLS_ERROR: BIO read tls_read_plaintext error
Wed Sep 28 12:41:51 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 28 12:41:51 2016 TLS Error: TLS handshake failed
Wed Sep 28 12:41:51 2016 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 12:41:52 2016 SIGTERM[hard,init_instance] received, process exiting''

With SHA1 certificates there are no problems. SHA256 certificates work fine under Linux OS. OpenVPN server from Asus Merlin firmware, client configuration:

''client
dev tun
proto udp
remote somehost.asuscomm.com 1194
float
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
keepalive 15 60
ns-cert-type server
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----
resolv-retry infinite
nobind'' ",Bug / Defect,closed,major,release 2.3.14,Generic / unclassified,OpenVPN 2.3.12 (Community Ed),"Not set (select this one, unless your'e a OpenVPN developer)",fixed,,