Hi,

I am trying to use ocserv with a letsencrypt cert, however I get the following error when trying to access it via https. It works just fine with self-signed certs.
OS is CentOS7 with ocserv from EPEL, for versions check below.

This is my config:

[root at ocserv-vpn-test ~]# cat /etc/ocserv/ocserv.conf
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
server-cert = /etc/letsencrypt/live/ocservtest.$DOMAIN/fullchain.pem
server-key = /etc/letsencrypt/live/ocservtest.$DOMAIN/privkey.pem
tcp-port = 443
udp-port = 443
dns = 8.8.8.8
dns = 8.8.4.4
try-mtu-discovery = true
cisco-client-compat = true
socket-file = ocserv.sock
device = vpns
ipv4-network = 192.168.1.0/24

This is what happens:

[root at ocserv-vpn-test ~]# ocserv --config=/etc/ocserv/ocserv.conf -f -d 1
Setting 'plain' as primary authentication method
Setting 'file' as supplemental config option
listening (TCP) on 0.0.0.0:443...
listening (TCP) on [::]:443...
listening (UDP) on 0.0.0.0:443...
listening (UDP) on [::]:443...
ocserv[16784]: main: not using control unix socket
ocserv[16784]: main: initialized ocserv 0.11.4
ocserv[16785]: sec-mod: reading supplemental config from files
ocserv[16785]: sec-mod: sec-mod initialized (socket: ocserv.sock.16784)
ocserv: symbol lookup error: /lib64/libhogweed.so.2: undefined symbol: __gmpn_cnd_add_n
ocserv[16784]: main: $IP:47952 user disconnected (reason: unspecified, rx: 0, tx: 0)

Selinux is permissive.

[root at ocserv-vpn-test ~]# rpm -qi nettle gmp ocserv
Name        : nettle
Version     : 2.7.1
Release     : 4.el7
Architecture: x86_64
Install Date: Mon 12 Sep 2016 11:52:52 GMT
Group       : Development/Libraries
Size        : 764914
License     : LGPLv2+
Signature   : RSA/SHA256, Sat 14 Mar 2015 08:19:20 GMT, Key ID 24c6a8a7f4a80eb5
Source RPM  : nettle-2.7.1-4.el7.src.rpm
Build Date  : Fri 06 Mar 2015 04:10:21 GMT
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://www.lysator.liu.se/~nisse/nettle/
Summary     : A low-level cryptographic library
Description :
Nettle is a cryptographic library that is designed to fit easily in more
or less any context: In crypto toolkits for object-oriented languages
(C++, Python, Pike, ...), in applications like LSH or GNUPG, or even in
kernel space.
Name        : gmp
Epoch       : 1
Version     : 5.1.1
Release     : 5.el7
Architecture: x86_64
Install Date: Tue 07 Oct 2014 08:57:55 GMT
Group       : System Environment/Libraries
Size        : 591695
License     : LGPLv3+
Signature   : RSA/SHA256, Fri 04 Jul 2014 01:35:49 GMT, Key ID 24c6a8a7f4a80eb5
Source RPM  : gmp-5.1.1-5.el7.src.rpm
Build Date  : Mon 09 Jun 2014 20:18:57 GMT
Build Host  : worker1.bsys.centos.org
Relocations : (not relocatable)
Packager    : CentOS BuildSystem <http://bugs.centos.org>
Vendor      : CentOS
URL         : http://gmplib.org/
Summary     : A GNU arbitrary precision library
Description :
The gmp package contains GNU MP, a library for arbitrary precision
arithmetic, signed integers operations, rational numbers and floating
point numbers. GNU MP is designed for speed, for both small and very
large operands. GNU MP is fast because it uses fullwords as the basic
arithmetic type, it uses fast algorithms, it carefully optimizes
assembly code for many CPUs' most common inner loops, and it generally
emphasizes speed over simplicity/elegance in its operations.

Install the gmp package if you need a fast arbitrary precision
library.
Name        : ocserv
Version     : 0.11.4
Release     : 1.el7
Architecture: x86_64
Install Date: Mon 12 Sep 2016 11:53:32 GMT
Group       : Unspecified
Size        : 1143904
License     : GPLv2+ and BSD and MIT and CC0
Signature   : RSA/SHA256, Fri 05 Aug 2016 12:35:10 GMT, Key ID 6a2faea2352c64e5
Source RPM  : ocserv-0.11.4-1.el7.src.rpm
Build Date  : Fri 05 Aug 2016 11:32:44 GMT
Build Host  : buildvm-19.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager    : Fedora Project
Vendor      : Fedora Project
URL         : http://www.infradead.org/ocserv/
Summary     : OpenConnect SSL VPN server
Description :
OpenConnect server (ocserv) is an SSL VPN server. Its purpose is to be
a secure, small, fast and configurable VPN server. It implements the
OpenConnect SSL VPN protocol, and has also (currently experimental)
compatibility with clients using the AnyConnect SSL VPN protocol. The
OpenConnect VPN protocol uses the standard IETF security protocols such
as TLS 1.2, and Datagram TLS to provide the secure VPN service.

--
Sent from the Delta quadrant using Borg technology!

Nux!
www.nux.ro