After two years of using ipfire with OpenVPN my client certificates expired, so I generated new ones. On iOS it works fine, but on OS X I always get the following error when I try to connect using OpenVPN client (v 3.4.1 (4522)): “External certificate signing failed”. I have additionally generated the ta.key file and added it into the *.ovpn.
Looks like your certificate is not linked correctly and the client cannot find it. This tutorial is not specific to MacOS, but I believe it could be useful to pinpoint the problem.
For a quick and dirty test, you could generate an insecure package (all the keys in clear text inside .ovpn file) and import it (see the tutorial for how to do that). If the client works, you know that your problem was the inability of the client to work with the operating system to access the certificate.
Thank you for your quick reply. I tried to download the insecure package, but got the following error:
# Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator at root@localhost to inform them of the time this error occurred, and the actions you performed just before this error.
More information about this error may be available in the server error log.
I also hardcoded the path of the ta.key file in the *.ovpn.
Then I added <tls-auth> with whatever is in the ta.key file.
I compared it to another computer’s file where it works and they look identical. So I’m not sure how to continue. Might OpenVPN Connect have an issue?
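Since the thread turns on whether the profile carries the certificate, key and TA key inline (the “insecure” package) or only references them, here is an added example, written for this page and not code from the thread, IPFire or OpenVPN, that parses an .ovpn profile and reports which credentials are inline `<tag>` blocks, which are external file references, and whether a tls-auth key has a key-direction set. The two sample profiles and their PEM bodies are constructed dummies; the note that the client key-direction is usually 1 assumes the common convention of the server using 0 and is not taken from the thread.

```python
"""Check an OpenVPN .ovpn profile for inline credential blocks versus external
file references (added example; sample profiles below are constructed)."""
import re

# Directives that can be given as a file path or as an inline <tag>...</tag> block.
CREDENTIAL_DIRECTIVES = ("ca", "cert", "key", "tls-auth", "tls-crypt", "pkcs12")

# First-line markers an inline block of each kind is expected to contain.
EXPECTED_MARKER = {
    "ca": "-----BEGIN CERTIFICATE-----",
    "cert": "-----BEGIN CERTIFICATE-----",
    "key": "PRIVATE KEY-----",  # covers PKCS#8, RSA and EC PEM headers
    "tls-auth": "-----BEGIN OpenVPN Static key V1-----",
    "tls-crypt": "-----BEGIN OpenVPN Static key V1-----",
}

BLOCK_RE = re.compile(r"<(?P<tag>[a-z0-9-]+)>(?P<body>.*?)</(?P=tag)>", re.S)


def parse_profile(text):
    """Return (inline, external, key_direction) for an .ovpn profile text.

    inline:   dict tag -> stripped block body
    external: dict directive -> referenced file path
    key_direction: "0", "1" or None (from key-direction or the tls-auth line)
    """
    inline = {m.group("tag"): m.group("body").strip() for m in BLOCK_RE.finditer(text)}
    external = {}
    key_direction = None
    # Remove inline blocks, then scan the remaining one-line directives.
    for raw in BLOCK_RE.sub("", text).splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # OpenVPN comment lines
            continue
        parts = line.split()
        if parts[0] in CREDENTIAL_DIRECTIVES and len(parts) >= 2:
            external[parts[0]] = parts[1]
            # "tls-auth ta.key 1" carries the direction as a third argument.
            if parts[0] == "tls-auth" and len(parts) >= 3 and parts[2] in ("0", "1"):
                key_direction = parts[2]
        elif parts[0] == "key-direction" and len(parts) == 2:
            key_direction = parts[1]
    return inline, external, key_direction


def check_profile(text):
    """Return a list of human-readable findings; an empty list means the
    profile is self-contained and its inline blocks look well-formed."""
    inline, external, key_direction = parse_profile(text)
    findings = []
    has_pkcs12 = "pkcs12" in inline or "pkcs12" in external
    required = () if has_pkcs12 else ("ca", "cert", "key")
    for d in required:
        if d not in inline and d not in external:
            findings.append(f"{d}: missing (no inline block and no file reference)")
    for d, path in external.items():
        findings.append(f"{d}: references external file '{path}'; profile is not self-contained")
    for tag, body in inline.items():
        marker = EXPECTED_MARKER.get(tag)
        if marker and marker not in body:
            findings.append(f"{tag}: inline block does not contain {marker}")
    if ("tls-auth" in inline or "tls-auth" in external) and key_direction is None:
        findings.append("tls-auth: no key-direction given; client must use the opposite "
                        "of the server (usually 1)")
    return findings


# Constructed sample 1: everything inline, as in an "insecure" package.
GOOD_PROFILE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
# dummy PEM bodies, not real credentials
<ca>
-----BEGIN CERTIFICATE-----
QUJD
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
REVG
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
R0hJ
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1
"""

# Constructed sample 2: every credential referenced by path, TA key without direction.
FILE_REF_PROFILE = """client
dev tun
remote vpn.example.invalid 1194
ca ca.crt
cert client.crt
key client.key
tls-auth /Users/me/ta.key
"""

if __name__ == "__main__":
    for name, profile in (("inline", GOOD_PROFILE), ("file refs", FILE_REF_PROFILE)):
        print(f"[{name}]", check_profile(profile) or ["ok"])
```

Running it prints no findings for the inline profile and five for the file-referencing one (four external references plus the missing key-direction), which is the difference between the package that worked in this thread and the one that did not.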
That is a known bug of the Web User Interface. You cannot download the insecure package if you have established a password when you created the package. The WUI should not show a link if that is the case. If you want to try this way, you need to create a NEW package WITHOUT a password set for the TA key (hence the “insecure” qualification).
I think the problem is that OpenVPN Connect somehow cannot import and/or retrieve the TA key into or from keychain (MacOS database of certificates). There is something going wrong there, I think.
Thanks for the clarification. I created an insecure one and this works. However, it is not the solution I want to go with, but just an intermediary.
Are there any further hints on how I can get this running with a secure setup? Anyone else having this problem?
I tried myself, and I couldn’t make it work. However, now I remember why I decided to buy Viscosity as my OpenVPN client and never looked back: none of this crap. It just works.
To summarize, in your position I would either use the insecure package, or buy a Viscosity license.