Certificate Signature Failure -- Config files run okay via OpenVPN on my PC

[Dwathle]

Hi, Folks --

The following LogFile extract indicates a "certificate signature failure" when executed via the "OpenVPN Settings" app on Android. The same configuration files (with Win-style paths) work correctly when executed via OpenVPN on my PC. Web searches show that my HTC EVO 4G can/should run OpenVPN Settings under CyanogenMod-7 without any problem. Does anybody know how to fix this?


Wed Feb 10 04:01:27 2016 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb 10 04:01:27 2016 LZO compression initialized
Wed Feb 10 04:01:27 2016 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 10 04:01:27 2016 RESOLVE: NOTE: us-california.privateinternetaccess.com resolves to 13 addresses, choosing one by random
Wed Feb 10 04:01:27 2016 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 10 04:01:27 2016 Local Options hash (VER=V4): '41690919'
Wed Feb 10 04:01:27 2016 Expected Remote Options hash (VER=V4): '530fdded'
Wed Feb 10 04:01:27 2016 Socket Buffers: R=[112640->131072] S=[112640->131072]
Wed Feb 10 04:01:27 2016 UDPv4 link local: [undef]
Wed Feb 10 04:01:27 2016 UDPv4 link remote: 198.8.80.184:1194
Wed Feb 10 04:01:27 2016 MANAGEMENT: Client connected from 127.0.0.1:44770
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'state'
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'state on'
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'bytecount 0'
Wed Feb 10 04:01:27 2016 MANAGEMENT: >STATE:1455102087,AUTH,,,
Wed Feb 10 04:01:27 2016 TLS: Initial packet from 198.8.80.184:1194, sid=04433bd1 c78dcbc4
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'bytecount 0'
Wed Feb 10 04:01:27 2016 CRL CHECK OK: /C=US/ST=OH/L=Columbus/O=Private_Internet_Access/CN=Private_Internet_Access_CA/emailAddress=sec...@privateinternetaccess.com
Wed Feb 10 04:01:27 2016 VERIFY OK: depth=1, /C=US/ST=OH/L=Columbus/O=Private_Internet_Access/CN=Private_Internet_Access_CA/emailAddress=sec...@privateinternetaccess.com
Wed Feb 10 04:01:27 2016 VERIFY ERROR: depth=0, error=certificate signature failure: /C=US/ST=CA/L=LosAngeles/O=Private_Internet_Access/OU=Private_Internet_Access/CN=Private_Internet_Access/name=Private_Internet_Access/emailAddress=sec...@privateinternetaccess.com
Wed Feb 10 04:01:27 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Feb 10 04:01:27 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Feb 10 04:01:27 2016 TLS Error: TLS handshake failed
Wed Feb 10 04:01:27 2016 TCP/UDP: Closing socket

[Dwathle]

I informed PIA technical support about the problem -- twice. Their responses stated that Private Internet Access (PIA) does not support rooted/custom devices. More importantly, the second response also stated: "In the case of OpenVPN, we cannot guarantee our certificate is compatible with your device." What?!! Since when are OpenVPN certificates device specific?  In any case, I am now assuming that PIA's device-specific certicate is causing the failure.  I will purchase a trial subscription to another VPN service to verify this presumption, and then report back. 

If anybody has any ideas/suggestions, please let me know.  Thank you!

On Wednesday, February 10, 2016 at 5:23:38 AM UTC-7, Dwathle wrote:

Hi, Folks --

The following LogFile extract indicates a "certificate signature failure" when executed via the "OpenVPN Settings" app on Android. The same configuration files (with Win-style paths) work correctly when executed via OpenVPN on my PC. Web searches show that my HTC EVO 4G can/should run OpenVPN Settings under CyanogenMod-7 without any problem. Does anybody know how to fix this?


Wed Feb 10 04:01:27 2016 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Feb 10 04:01:27 2016 LZO compression initialized
Wed Feb 10 04:01:27 2016 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Wed Feb 10 04:01:27 2016 RESOLVE: NOTE: us-california.privateinternetaccess.com resolves to 13 addresses, choosing one by random
Wed Feb 10 04:01:27 2016 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb 10 04:01:27 2016 Local Options hash (VER=V4): '41690919'
Wed Feb 10 04:01:27 2016 Expected Remote Options hash (VER=V4): '530fdded'
Wed Feb 10 04:01:27 2016 Socket Buffers: R=[112640->131072] S=[112640->131072]
Wed Feb 10 04:01:27 2016 UDPv4 link local: [undef]
Wed Feb 10 04:01:27 2016 UDPv4 link remote: 198.8.80.184:1194
Wed Feb 10 04:01:27 2016 MANAGEMENT: Client connected from 127.0.0.1:44770
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'state'
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'state on'
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'bytecount 0'
Wed Feb 10 04:01:27 2016 MANAGEMENT: >STATE:1455102087,AUTH,,,
Wed Feb 10 04:01:27 2016 TLS: Initial packet from 198.8.80.184:1194, sid=04433bd1 c78dcbc4
Wed Feb 10 04:01:27 2016 MANAGEMENT: CMD 'bytecount 0'

Wed Feb 10 04:01:27 2016 CRL CHECK OK: /C=US/ST=OH/L=Columbus/O=Private_Internet_Access/CN=Private_Internet_Access_CA/emailAddress=secure@privateinternetaccess.com
Wed Feb 10 04:01:27 2016 VERIFY OK: depth=1, /C=US/ST=OH/L=Columbus/O=Private_Internet_Access/CN=Private_Internet_Access_CA/emailAddress=secure@privateinternetaccess.com
Wed Feb 10 04:01:27 2016 VERIFY ERROR: depth=0, error=certificate signature failure: /C=US/ST=CA/L=LosAngeles/O=Private_Internet_Access/OU=Private_Internet_Access/CN=Private_Internet_Access/name=Private_Internet_Access/emailAddress=secure@privateinternetaccess.com