ssl error on openconnect server

AICAIC Member

root@localhost:/etc/ocserv# ocserv -c /etc/ocserv/ocserv.conf -f -d 1
note: setting 'radius' as primary authentication method
note: setting 'radius' as accounting method
note: setting 'radius' as supplemental config option
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[2139]: main: initialized ocserv 0.11.6
ocserv[2140]: sec-mod: reading supplemental config from radius
ocserv[2140]: GnuTLS error (at sec-mod.c:704): Decryption has failed.
ocserv[2139]: main: main.c:943: ocserv-secmod died unexpectedly
ocserv[2139]: main: termination request received; waiting for children to die
ocserv[2139]: main: main-sec-mod-cmd.c:94: command socket for sec-mod closed
ocserv[2139]: main: main.c:1200: error in command from sec-mod
ocserv[2139]: main: termination request received; waiting for children to die
root@localhost:/etc/ocserv#

I have Comodo PositiveSSL files: a __srdns_co.crt file and a __srdns_co.ca-bundle file. I set up the OpenConnect server and it was working fine with self-signed certificates. Now I have replaced the certificates and it is giving me the above errors. I did change the extension to PEM for all files, one by one, and tested. But I am unable to run it successfully.

Any help will be greatly appreciated.

Comments

  • AICAIC Member
    edited January 2017

    I resolved the issue with the help of SSL agent Paul from Namecheap.

    The primary issue was "ocserv[2140]: GnuTLS error (at sec-mod.c:704): Decryption has failed."

    The private key was password protected.

    It was generated at the time of CSR creation. As I was unable to remember the password, I reissued the certificate with a new CSR and private key. This time I created the CSR and private key unprotected.

    openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

    I got two files, server.key and server.csr.

    I uploaded the server.csr to the portal to reissue the certificate. Once the certificate was reissued I downloaded the certificate files, mydom_co.ca-bundle and mydom.crt.

    In order to install it correctly on the server we have to combine both files, by opening mydom_co.ca-bundle in a text editor and copying the contents, then opening mydom.crt and pasting them after the end of its contents.

    I uploaded the combined-file.crt to the server and placed it under the ocserv folder. I also updated the configuration file ocserv.conf accordingly, updating server-cert = ../path/ocserv/combined-file.crt

    We did check the certificate through an SSL checker and found everything fine.

    I started the server with the following command to check.

    ocserv -c /etc/ocserv/ocserv.conf -f -d 1

    note: setting 'radius' as primary authentication method
    note: setting 'radius' as accounting method
    note: setting 'radius' as supplemental config option
    listening (TCP) on 0.0.0.0:443...
    listening (TCP) on [::]:443...
    listening (UDP) on 0.0.0.0:443...
    listening (UDP) on [::]:443...
    ocserv[3645]: main: initialized ocserv 0.11.6
    ocserv[3646]: sec-mod: reading supplemental config from radius
    ocserv[3646]: sec-mod: sec-mod initialized (socket: /var/run/ocserv-socket.3645)

    Hope it helps someone.
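
A text-only pre-flight check for the two files this thread deals with, added here as an example and not part of the original posts or of ocserv: it reports whether a PEM private key is passphrase-protected (the cause identified in the comment above) and whether a hand-combined certificate file has intact PEM markers. The function names, sample file names and placeholder file bodies are constructed for illustration.

```shell
#!/bin/sh
# Text-only pre-flight checks for the PEM files named in ocserv.conf.
# Nothing is decrypted and no key material is printed.

# key_state FILE -> encrypted | plain | no-key
key_state() {
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
               -e '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted   # PKCS#8 label or traditional-format header
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo plain
    else
        echo no-key
    fi
}

# chain_state FILE -> "ok N" | single | fused | unbalanced | empty
chain_state() {
    # Pasting after a file with no final newline fuses two markers.
    if grep -q -e '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1"; then
        echo fused; return 0
    fi
    b=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    e=$(grep -c -e '^-----END CERTIFICATE-----' "$1" || true)
    if [ "$b" -ne "$e" ]; then echo unbalanced
    elif [ "$b" -eq 0 ]; then echo empty
    elif [ "$b" -eq 1 ]; then echo single   # leaf only, bundle not appended
    else echo "ok $b"
    fi
}

# Constructed samples: placeholder bodies, not real keys or certificates.
make_samples() {
    body='Q09OU1RSVUNURUQ='
    cb='-----BEGIN CERTIFICATE-----'; ce='-----END CERTIFICATE-----'
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$body" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/pkcs8-locked.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' "$body" \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy-locked.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' "$body" \
        '-----END PRIVATE KEY-----' > "$1/nodes.key"
    printf '%s\n' "$cb" "$body" "$ce" "$cb" "$body" "$ce" > "$1/combined.crt"
    printf '%s\n%s\n%s%s\n%s\n%s\n' "$cb" "$body" "$ce" "$cb" "$body" "$ce" > "$1/fused.crt"
}

tmp=$(mktemp -d); make_samples "$tmp"
for f in "$tmp"/*.key; do echo "${f##*/}: $(key_state "$f")"; done
for f in "$tmp"/*.crt; do echo "${f##*/}: $(chain_state "$f")"; done
rm -rf "$tmp"
```

A key created with -nodes is protected only by file permissions, so keep server.key readable solely by the account that runs ocserv.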
