Synology Let's authenticate authentication failure

Got a problem with Viscosity or need help? Ask here!

russcus

Posts: 2
Joined: Tue Aug 13, 2019 3:48 am

Post by russcus » Tue Aug 13, 2019 4:09 am
I am inexperienced with server certificates, so please be gentle.
I set up an OpenVPN server on my Synology NAS and set up Viscosity Mac according to your guide. I double-checked all settings and everything looks OK.
Connections to the VPN Server fail immediately. The problem seems to be with verifying my Let's Authenticate server certificate. The certificate is valid, as indicated in the Synology Security control panel. I attached a screen shot of that.

I tried Viscosity configurations with both the IP address and the domain name on the certificate <russcusimano.com>

The referenced <http://openvpn.net/howto.html#mitm> is incomprehensible to me. :(

Can you point me in the right direction to get this running.

Thanks in advance.

Here is the synology log:
2019-08-12 10:34:46: Viscosity Mac 1.7.16 (1491)
2019-08-12 10:34:46: Viscosity OpenVPN Engine Started
2019-08-12 10:34:46: Running on macOS 10.14.5
2019-08-12 10:34:46: ---------
2019-08-12 10:34:46: State changed to Connecting
2019-08-12 10:34:46: Checking reachability status of connection...
2019-08-12 10:34:46: Connection is reachable. Starting connection attempt.
2019-08-12 10:34:46: OpenVPN 2.4.7 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on May 29 2019
2019-08-12 10:34:46: library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
2019-08-12 10:34:58: Valid endpoint found: 35.132.171.123:1194:udp
2019-08-12 10:34:59: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2019-08-12 10:34:59: TCP/UDP: Preserving recently used remote address: [AF_INET]35.132.171.123:1194
2019-08-12 10:34:59: UDP link local: (not bound)
2019-08-12 10:34:59: UDP link remote: [AF_INET]35.132.171.123:1194
2019-08-12 10:34:59: State changed to Authenticating
2019-08-12 10:34:59: WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2019-08-12 10:34:59: VERIFY ERROR: depth=1, error=unable to get issuer certificate: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
2019-08-12 10:34:59: OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
2019-08-12 10:34:59: TLS_ERROR: BIO read tls_read_plaintext error
2019-08-12 10:34:59: TLS Error: TLS object -> incoming plaintext read error
2019-08-12 10:34:59: TLS Error: TLS handshake failed
2019-08-12 10:34:59: SIGTERM[soft,tls-error] received, process exiting
2019-08-12 10:34:59: State changed to Disconnected
2019-08-12 10:35:00: Viscosity Mac 1.7.16 (1491)
2019-08-12 10:35:00: Viscosity OpenVPN Engine Started
2019-08-12 10:35:00: Running on macOS 10.14.5
2019-08-12 10:35:00: ---------
Attachments
securitypanel.png
synology security panel
securitypanel.png (140.39 KiB) Viewed 505 times

Eric

User avatar
Posts: 906
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Tue Aug 13, 2019 10:18 am
Hi russcus,

You should not be using your let's encrypt certificate as the CA for your connection. Please go back to the OpenVPN Server settings on your server and click Export Configuration to get the CA you should be using.

If you're stuck where to find this, I recommend going through our guide once more to double check all your settings - https://sparklabs.com/support/kb/article/setting-up-an-openvpn-server-with-synology-and-viscosity/#openvpn-server-setup
Before doing anything else, click the Export configuration button to download the necessary information for your client to connect to this server. This should download the file openvpn.zip which we will use later in the guide.
Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

russcus

Posts: 2
Joined: Tue Aug 13, 2019 3:48 am

Post by russcus » Wed Aug 14, 2019 2:24 am
Hi, Eric:

Thank you for the fast reply. It was very helpful. I created a self-signed SSL certificate and assigned that to the VPN server, leaving all other services assigned to the lets' encrypt certificate.
Then I exported the vpn configuration and added a new connection to Viscosity.

Problem solved.

Thanks again.
3 posts Page 1 of 1