
Some common errors and solutions


error parsing certificate : X509 - The date tag or value is invalid
This is not a bug in OpenVPN; it is caused by a faulty certificate. See this detailed forum post for more info.

certificate verification failed : x509 - certificate verification failed, e.g. crl, ca or signature check failed
This error means that the certificate could not be verified properly. This can occur, for example, if you are using an MD5-signed certificate. With that type of certificate, the security level is so low that the authenticity of the certificate cannot be assured by any reasonable means. In other words, it could very well be a fake certificate. The solution is to use a certificate signed with SHA256 or better instead of MD5. You can find more information in the MD5 signature algorithm support section.

digest_error: NONE: not usable
This can occur if you specify auth none and also tls-auth in your client profile. tls-auth needs an auth digest, but none was specified. The fix is straightforward: remove the tls-auth directive, since it can't be enabled anyway unless the auth directive is set to something other than 'none'.
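
A check for the two profile problems described above (an MD5-signed certificate, and auth none combined with tls-auth), added here as an example and not part of OpenVPN or its documentation. The function names, finding strings and sample profile are assumptions made for illustration; the sample's <cert> block is a constructed DER skeleton, not a real certificate.

```python
import base64
import re

MD5_RSA = bytes.fromhex("2a864886f70d010104")     # md5WithRSAEncryption 1.2.840.113549.1.1.4
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption 1.2.840.113549.1.1.11

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def signature_oid(der):
    """Return the OID content bytes of Certificate.signatureAlgorithm."""
    _, start, _ = _tlv(der, 0)             # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)       # skip over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)   # signatureAlgorithm SEQUENCE
    tag, lo, hi = _tlv(der, alg_start)     # its first element must be an OID
    if tag != 0x06:
        raise ValueError("not an X.509 certificate structure")
    return der[lo:hi]

def lint_profile(text):
    """Return findings for the two profile problems described above."""
    findings = []
    words = [l.split() for l in text.splitlines()
             if l.strip() and l.strip()[0] not in "#;"]   # drop blanks and comments
    auth_none = any(w[:2] == ["auth", "none"] for w in words)
    tls_auth = any(w[0] in ("tls-auth", "<tls-auth>") for w in words)
    if auth_none and tls_auth:
        findings.append("auth none together with tls-auth")
    for tag, body in re.findall(r"<(ca|cert)>(.*?)</\1>", text, re.S):
        for pem in re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", body, re.S):
            if signature_oid(base64.b64decode(pem)) == MD5_RSA:  # RSA/MD5 OID only
                findings.append(f"<{tag}> holds an MD5-signed certificate")
    return findings

def sample_profile(oid, auth):
    """Constructed profile; its <cert> is a DER skeleton, not a real certificate."""
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x03\x02\x01\x00\x30" + bytes([len(alg)]) + alg + b"\x03\x02\x00\x00"
    der = base64.b64encode(b"\x30" + bytes([len(body)]) + body).decode()
    return (f"client\nauth {auth}\ntls-auth ta.key 1\n<cert>\n"
            f"-----BEGIN CERTIFICATE-----\n{der}\n-----END CERTIFICATE-----\n</cert>\n")

if __name__ == "__main__":
    print(lint_profile(sample_profile(MD5_RSA, "none")))
```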

SSL - Processing of the ServerKeyExchange handshake message failed
There's a good chance this is related to an older version of OpenVPN or OpenSSL on the server side. Some users have solved this issue by updating their OpenVPN and/or OpenSSL software on the server side.

BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
This is usually remedied by going to the OpenVPN Preferences menu and selecting "Force AES-CBC ciphersuites".

There are more general OpenVPN client connectivity error messages and solutions available.