OpenVPN: External certificate signing failed on OSX


After two years of using ipfire with OpenVPN my client certificates expired, so I generated new ones. On iOS it works fine, but on OS X I always get the following error when I try to connect using OpenVPN client (v 3.4.1 (4522)): “External certificate signing failed” . I have additionally generated the ta.key file and added the into the *.ovpn .

Any help is appreciated.

Thank you,

Looks like your certificate is not linked correctly and the client cannot find it. This tutorial is not specific for MacOS, but I believe it could be useful to pinpoint the problem.

For a quick and dirty test, you could generate an insecure package (all the keys in clear text inside .ovpn file) and import it (see the tutorial for how to do that). If the client works, you know that your problem was the inability of the client to work with the operating system to access the certificate.

Thank you for your quick reply. I tried to download the insecure package, but got to following error:

# Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

I also hardcoded the path of the ta.key file in the *.opvn .

Then I added <tls-auth> with whatever is in the ta.key file.

I compared it to another computer’s file where it works and they look identical. So I’m not sure how to continue. Might OpenVPN Connect have an issue?

Thanks for any further hints.

That is a known bug of the Web User Interface. You cannot download the insecure package if you have established a password when you created the package. The WUI should not show a link if that is the case. If you want to try this way, you need to create a NEW package WITHOUT a password set for the TA key (hence the “insecure” qualification).

I think the problem is that OpenVPN Connect somehow cannot import and or retrieve the TA key into or from keychain (MacOS database of certificates). There is something going wrong there, I think.

There should be already a fix for this problem available → ovpnmain.cgi: Fix for bug#11048 - insecure download icon for connections with a password - Patchwork



1 Like

That will be in CU174 not in CU173. Still need to finish the work on the script.

1 Like

Hell Adolf,

have looked also a little in it longer time ago, does the awk solution makes sense ? To not step into OT, if needed/wanted you can give me an update.



Thanks for the clarification. I created an insecure one and this works. However, it is not the solution I want to go with, but just an intermediary.
Are there any further hints on how I can get this running with a secure setup? Anyone else having this problem?

I tried myself, and I couldn’t make it working. However now I remember why I decided to buy Viscosity as my OpenVPN client and never looked back: none of this crap. It just works.

To summarize, in your position I would either use the insecure package, or buy Viscosity license.

Strange as it worked before. Anyway, thanks for the hint about Viscosity. Will give it a try.

Thanks everyone for their help.