Description
Mon Sep 13 09:10:53 2021 OpenVPN 2.4.8 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Oct 31 2019
Mon Sep 13 09:10:53 2021 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Sep 13 09:10:53 2021 library versions: OpenSSL 1.1.0l 10 Sep 2019, LZO 2.10
Mon Sep 13 09:10:55 2021 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Does anybody know how to handle this warning?
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
No server certificate verification method has been enabled.
When connecting to my OpenVPN server, I get this message on the client in red colour:
WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
I have read that page and acknowledged it. The certificates already have the appropriate settings. How can I make this red line go away?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 11:27 am
The HOWTO wrote:Now add the following line to your client configuration:
remote-cert-tls server
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Thu May 31, 2018 12:53 pm
Thanks for the pointer. I haven’t seen this line and thought there’s nothing more to do. Maybe the page layout was a bit too complex or I was already in that «stupid documentation» mood.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 1:15 pm
LonelyPixel wrote: ↑
Thu May 31, 2018 12:53 pm
or I was already in that «stupid documentation» mood.
Would you prefer there not to be documentation ?
People put a lot of effort into writing it .. but we can delete it all if you prefer
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Thu May 31, 2018 5:19 pm
If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand. Please understand that incomplete efforts cannot beat psychology. You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, others won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.
And yes, deleting the outdated part of the documentation might indeed be helpful! It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated. You see where my impression comes from?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Thu May 31, 2018 5:56 pm
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
If there is no documentation, I’d be annoyed about it not being there. If there’s a documentation that’s hard to find, use and understand, I’d be annoyed about it being hard to find, use and understand.
You can help improve it
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
You can’t sell a product by arguing that you couldn’t do it any better. I’m just giving you feedback on that, others won’t and turn somewhere else. I guess you still don’t care because we’re all not paying any money.
I care which is why I help .. but we need more help.
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
yes, deleting the outdated part of the documentation might indeed be helpful!
You can help improve it
LonelyPixel wrote: ↑
Thu May 31, 2018 5:19 pm
It just doesn’t look too professional if I turn to the forums about a documentation page from a prominent FAQ list only to hear that it’s long outdated.
At least all the pages of documentation from Openvpn are fully dated, unlike much of the FUD out there .. so you can decide immediately if you want to read it or not.
-
LonelyPixel
- OpenVpn Newbie
- Posts: 13
- Joined: Fri Nov 23, 2012 7:44 pm
Re: No server certificate verification method has been enabled.
Post
by LonelyPixel » Tue Aug 14, 2018 6:58 pm
Oh, that’s been a long time.
I understand that you need more help to keep the docs updated. But I really feel that should be done by people who know what they talk about. You can probably guess from my questions that I’m not one of them. Set aside that I can’t even guess the effort it’d take me to find out how to help with that. Somebody would have to spend a lot of time putting me on the right track that they could better spend in fixing it directly.
-
1_C4T4LY5T
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 06, 2020 12:48 am
Re: No server certificate verification method has been enabled.
Post
by 1_C4T4LY5T » Mon Jul 06, 2020 12:51 am
I see that open vpn error tells me to go here: https://openvpn.net/community-resources/how-to/#mitm
but that makes no sense to me as I’m definitely a noob to vpn’s in general. I did try to add «remote-cert-tls server» to the end of my client config file. When I added it the red error went away but now the client just keeps saying connecting in status and never actually errors or connects for me.
Could I get some help from anyone in a very dumbed down way? like if you were explaining it to your mom for example ?
Thank you in advance for any help.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11139
- Joined: Fri Jun 03, 2016 1:17 pm
Re: No server certificate verification method has been enabled.
Post
by TinCanTech » Mon Jul 06, 2020 2:11 am
You must speak to your server admin
-
1_C4T4LY5T
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 06, 2020 12:48 am
Re: No server certificate verification method has been enabled.
Post
by 1_C4T4LY5T » Mon Jul 06, 2020 2:36 am
I have no server admin. This is an hp elite 8300 sff i7-2600 box I setup server 2019 on and then installed Open VPN. I’d be happy to provide needed info.
I’ve setup the vpn through enabling the open vpn setting on my nighthawk R7000P. I’ve followed the directions from netgear and everything else seems to have setup just as it described …all but this open vpn client starting up.
-
300000
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled.
Post
by 300000 » Mon Jul 06, 2020 12:10 pm
You can try paid version on this site and setup is more easy. No more red or whatever notice.
If you want red warning go away you need adding something into openssl config inside easyrsa so it will adding attribute httpsserver authentication so the warning will go.
That is the way people consider using community version for personal use and paid version for commercial use.
It is only one line of config that work the best and there is no document how to do it either so try to find it yourself. openvpn manual not document it anywhere so people can’t find it
-
Hart, Henry
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Sep 08, 2020 3:02 am
Re: No server certificate verification method has been enabled.
Post
by Hart, Henry » Tue Sep 08, 2020 3:05 am
300000 wrote: ↑
Mon Jul 06, 2020 12:10 pm
You can try paid version on this site and setup is more easy. No more red or whatever notice.
Is this true? I would be more than happy to use the Paid version if I knew that almost nothing would be required of me — no red notices, no errors, no dropped connections with errors (which we too are experiencing now without touching the server and certs are up to date) and 24/7 support. Where do I sign up….
-
300000
- OpenVPN Expert
- Posts: 685
- Joined: Tue May 01, 2012 9:30 pm
Re: No server certificate verification method has been enabled.
Post
by 300000 » Tue Sep 08, 2020 10:42 am
You can download OpenVPN Access Server now to try it, no more red or whatever notice to upset people but only pay money that is how free software work or if you like you can do it yourself simple. In fact red warning make quite scare to use when you want to hide something more than normal.
I am using XCA to create certificate so for me no red warning at all or whatever but you need to going to openssl to learn how to create certificate and what kind of different attribute to create all kind of different certificate to use in all different situation
-
calipo
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jul 08, 2024 1:58 am
Re: No server certificate verification method has been enabled.
Post
by calipo » Mon Jul 08, 2024 1:59 am
This is my client configuration
client
dev tun
proto udp
remote mapuche.mendoza.gov.ar
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 1
<ca>
Where do I write «remote-cert-tls server»?
Thanks
-
sylsun
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 22, 2024 12:33 pm
Re: No server certificate verification method has been enabled.
Post
by sylsun » Mon Jul 22, 2024 12:39 pm
We have the same problem, with a Freebox Revolution, since the 12th of July.
I tried to add «remote-cert-tls server»
But it doesn’t work : TLS Error: Unroutable control packet received from [AF_INET]
-
sylsun
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 22, 2024 12:33 pm
Re: No server certificate verification method has been enabled.
Post
by sylsun » Mon Jul 22, 2024 12:47 pm
And same computer with openvpn works with another box
-
becm
- OpenVPN User
- Posts: 40
- Joined: Tue Sep 01, 2020 1:27 pm
Re: No server certificate verification method has been enabled.
Post
by becm » Sat Jul 27, 2024 6:11 pm
Most other issues with similar errors hint to
— connecting to the wrong server or
— using wrong client settings.
Other (correct) configs to connect to other servers naturally will work.
-
calipo
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jul 08, 2024 1:58 am
Re: No server certificate verification method has been enabled.
Post
by calipo » Fri Jan 10, 2025 11:27 pm
I can't connect. Error is
WARNING: this configuration may cache passwords in memory — use the auth-nocache option to prevent this
2025-01-10 20:22:57 TCP/UDP: Preserving recently used remote address: [AF_INET]201.xxx.xxxx.xxx
2025-01-10 20:22:57 UDPv4 link local: (not bound)
2025-01-10 20:22:57 UDPv4 link remote: [AF_INET]201.xxx.xxx.xx
2025-01-10 20:22:57 VERIFY ERROR: depth=0, error=CA signature digest algorithm too weak: C=AR, ST=MZ, L=Mendoza, O=DIC, CN=server, emailAddress=rycom@xxxx.gov.ar, serial=465
2025-01-10 20:22:57 OpenSSL: error:0A000086:SSL routines::certificate verify failed:
2025-01-10 20:22:57 TLS_ERROR: BIO read tls_read_plaintext error
2025-01-10 20:22:57 TLS Error: TLS object -> incoming plaintext read error
2025-01-10 20:22:57 TLS Error: TLS handshake failed
2025-01-10 20:22:57 SIGUSR1[soft,tls-error] received, process restarting
Any idea
-
calipo
- OpenVpn Newbie
- Posts: 3
- Joined: Mon Jul 08, 2024 1:58 am
Re: No server certificate verification method has been enabled.
Post
by calipo » Fri Jan 10, 2025 11:29 pm
I have Debian 13. With Debian 12 works fine. Seems the problem is the new version
Any idea?
Greetings, everyone!
OS-OpenSuse 42.3
OpenVPN-2.3
easyrsa- 3.0.5
Server.conf
Code:
port 1194
proto tcp
dev tun
server 192.168.99.0 255.255.255.0
push "route 192.168.90.0 255.255.255.0"
ca ca.crt
cert blic-vpn.crt
key blic-vpn.key
dh dh.pem
tls-auth ta.key 0
crl-verify crl.pem
key-direction 0
cipher AES-256-CBC
auth SHA256
explicit-exit-notify 0
ifconfig-pool-persist ipp.txt
mute 10
persist-key
persist-tun
max-clients 50
keepalive 10 900
user nobody
group nobody
status openvpn-status.log 1
status-version 3
log-append openvpn-server.log
verb 9
Client.conf
Code:
client
dev tun
remote 192.168.80.21
proto tcp
ca ca.crt
cert adm.crt
key adm.key
cipher AES-256-CBC
auth SHA256
key-direction 1
route-method exe
route-delay 2
resolv-retry infinite
nobind
persist-key
persist-tun
tls-client
tls-auth ta.key 1
auth-nocache
I set up a test OpenVPN and ran into the following:
The tun interface comes up
Client logs when trying to connect to the server:
Code:
Sat Jan 12 00:51:28 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:51:28 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:51:28 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:51:28 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:28 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:28 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:29 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:29 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:29 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:30 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:30 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:35 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:51:35 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:35 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:51:36 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:51:36 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:51:36 2019 Connection reset, restarting [-1]
Sat Jan 12 00:51:36 2019 SIGUSR1[soft,connection-reset] received, process restarting
Sat Jan 12 00:51:38 2019 SIGTERM[hard,init_instance] received, process exiting
As soon as I comment out the line on the server that is responsible for certificate verification:
#crl-verify crl.pem
The client connects and works as expected.
Client log after a successful connection:
Code:
Sat Jan 12 00:56:17 2019 OpenVPN 2.4.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Apr 26 2018
Sat Jan 12 00:56:17 2019 Windows version 6.1 (Windows 7) 64bit
Sat Jan 12 00:56:17 2019 library versions: OpenSSL 1.1.0h 27 Mar 2018, LZO 2.10
Enter Management Password:
Sat Jan 12 00:56:17 2019 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Sat Jan 12 00:56:17 2019 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:17 2019 Attempting to establish TCP connection with [AF_INET]192.168.80.21:1194 [nonblock]
Sat Jan 12 00:56:18 2019 TCP connection established with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 TCP_CLIENT link local: (not bound)
Sat Jan 12 00:56:18 2019 TCP_CLIENT link remote: [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:18 2019 [blic-vpn] Peer Connection Initiated with [AF_INET]192.168.80.21:1194
Sat Jan 12 00:56:20 2019 open_tun
Sat Jan 12 00:56:20 2019 TAP-WIN32 device [Подключение по локальной сети 2] opened: \\.\Global\{61223E3E-B757-452A-B418-E67442450004}.tap
Sat Jan 12 00:56:20 2019 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.88.6/255.255.255.252 on interface {61223E3E-B757-452A-B418-E67442450004} [DHCP-serv: 192.168.88.5, lease-time: 31536000]
Sat Jan 12 00:56:20 2019 Successful ARP Flush on interface [24] {61223E3E-B757-452A-B418-E67442450004}
Sat Jan 12 00:56:20 2019 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:22 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:22 2019 Initialization Sequence Completed
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:32 2019 env_block: add PATH=C:\Windows\System32;C:\Windows;C:\Windows\System32\Wbem
Sat Jan 12 00:56:32 2019 SIGTERM[hard,] received, process exiting
The date and time on the server and client do not differ; I completely deleted the test environment and generated it again.
The error repeats.
Server log when the crl-verify crl.pem line is not commented out (Ошибка.txt)
Server log when the crl-verify crl.pem line is commented out (Работает.txt)
Last edited by leksstav on 14.01.2019 15:43; edited 2 times in total.
OpenVPN is one of the best VPNs available: it offers a wide range of services to suit your needs and requirements, along with world-class security on any public or private network.
Together, this makes OpenVPN the right choice for most businesses and individuals who want to secure their connections. However, if you are getting an error message stating “No Server Certificate Validation Method Has Been Enabled”, here is all you need to know about it.
To troubleshoot the issue properly, you need to know what it means and what might be triggering the error message on your screen. To start with, multiple validation certificates are in play whenever you are connected over the internet. These certificates are connected with your browser, your server, your ISP, and many other factors. They ensure that the information being transferred over the internet is secure at each end and that no third party can read or change the data.
If you are getting that specific error message, the certificate validation server might not be responding, or your connection might not have set it up properly. Whatever the case, here are a few ways to fix it in OpenVPN.
1) Update your Browser
Server certificate validation is mostly done by your web browser. Most recent browsers update automatically when connected to the internet, but an update may have failed, and that can cause such problems. In that case, update the web browser to its latest version, and that will solve all sorts of problems for you. Make sure you also enable auto-updates for your browser, and that will certainly make it work.
2) Websites issue
Another thing you must know about this specific error message is that each website also has its own security certificate, which is validated by the browser. So be careful when trying to visit a website that you don’t trust; if you are visiting such a website for the first time, you are likely to get that error as a warning that you should avoid browsing it.
3) Update OpenVPN
This was a bug in some versions of OpenVPN, and it caused a mess back then. You can sometimes face this error with outdated application versions, and that might be the culprit here. So update the version of the OpenVPN application that you are using; that will solve the problem most of the time, and you will not be bothered by that error message again.
Google leads straight to this article. Let's add a working variant for the record.
Server:
cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 172.16.31.0 255.255.255.0
ifconfig-pool-persist ipp.txt 0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
tls-server
status openvpn-status.log
verb 3
client-to-client
client-config-dir /etc/openvpn/ccd
reneg-sec 0 ; do not drop the connection every hour to renew the key ("insecure")
Add as needed
push "route 192.168.0.0 255.255.255.0" ; tell clients which network is behind the server so they add the route to their routing table
push "explicit-exit-notify 3"
If we need the networks behind the OpenVPN clients, add
route 192.168.115.0 255.255.255.0 172.16.31.1 ; tell the server which networks the clients have (office1) so it knows the routing
route 192.168.33.0 255.255.255.0 172.16.31.1 ; there can be very many of them (office2)
Settings so that clients always get the same VPN address
the names office1, office2 are taken from the key name used when you create the client certificate
Client office1 with internal network 192.168.115.X
cat /etc/openvpn/ccd/office1
ifconfig-push 172.16.31.2 172.16.31.1
iroute 192.168.115.0 255.255.255.0
Client 2 with internal network 192.168.33.X
cat /etc/openvpn/ccd/office2
ifconfig-push 172.16.31.3 172.16.31.1
iroute 192.168.33.0 255.255.255.0
Client settings
cat /etc/openvpn/client.conf
client
dev tun
proto udp
remote X.X.X.X 1194 # External address of the server
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
ca /etc/openvpn/ca.crt # Server key
cert /etc/openvpn/office1.crt # Client keys
key /etc/openvpn/office1.key # Client keys
comp-lzo
verb 3
mute 20
#tun-mtu 1380 # if ping works but nothing downloads inside the network, lower the mtu
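
A check for the advice given in the forum thread (add `remote-cert-tls server` to the client config) and for the `ns-cert-type server` line in the client config above, as an added example that is not code from any of the posts or from OpenVPN. It goes slightly beyond the thread by also recognising other real OpenVPN verification directives; treating any one of them as sufficient, the function names and the sample configs (placeholder host and certificate body) are assumptions of this example.

```python
import re

# Client options that add a check on the server certificate beyond "signed by my CA".
# All are real OpenVPN directives; treating any one as sufficient is this example's assumption.
VERIFY_OPTS = {"remote-cert-tls", "remote-cert-eku", "remote-cert-ku",
               "verify-x509-name", "tls-verify", "ns-cert-type"}
NEEDS_SERVER_ARG = {"remote-cert-tls", "ns-cert-type"}  # first argument must be "server"

def parse_directives(text):
    """Return [(option, args)] from config text, skipping comments and inline blocks."""
    opts, inline = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <ca>...</ca>: file content, not options
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:                            # opening tag of an inline file block
            inline = m.group(1)
            continue
        line = re.split(r"(?:^|\s)[#;]", line, maxsplit=1)[0].strip()  # drop comments
        if line:
            name, *args = line.split()
            opts.append((name.lstrip("-"), args))
    return opts

def audit_client(text):
    """Report which server-certificate checks a client config enables."""
    opts = parse_directives(text)
    names = {n for n, _ in opts}
    methods = [n for n, a in opts if n in VERIFY_OPTS
               and (n not in NEEDS_SERVER_ARG or a[:1] == ["server"])]
    notes = []
    if "ns-cert-type" in methods:
        notes.append("ns-cert-type is deprecated; use 'remote-cert-tls server'")
    is_client = bool(names & {"client", "tls-client"})
    return {"client": is_client, "methods": methods,
            "warning_expected": is_client and not methods, "notes": notes}

# Constructed sample modelled on the client config posted in the thread;
# host name and certificate body are placeholders.
BASE = """client
dev tun
proto udp
remote vpn.example.net
nobind
persist-key
persist-tun
verb 1
"""
CA_BLOCK = ("<ca>\n-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n"
            "-----END CERTIFICATE-----\n{extra}</ca>\n")

UNVERIFIED = BASE + CA_BLOCK.format(extra="")
FIXED = BASE + "remote-cert-tls server\n" + CA_BLOCK.format(extra="")
MISPLACED = BASE + CA_BLOCK.format(extra="remote-cert-tls server\n")  # swallowed by <ca>
LEGACY = BASE + "ns-cert-type server  # older form\n" + CA_BLOCK.format(extra="")

if __name__ == "__main__":
    for label, cfg in [("unverified", UNVERIFIED), ("fixed", FIXED),
                       ("misplaced", MISPLACED), ("legacy", LEGACY)]:
        print(label, audit_client(cfg))
```

The `MISPLACED` case shows why the directive belongs on its own line outside any inline `<ca>` block: text between the tags is read as certificate data, not as options.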