OpenVPN fails with this error:
Thu Jun 13 10:27:52 2019 us=490780 ###.###.###.###:52064 Incoming Ciphertext -> TLS
Thu Jun 13 10:27:52 2019 us=491055 ###.###.###.###:52064 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client
Thu Jun 13 10:27:52 2019 us=491111 ###.###.###.###:52064 SSL alert (write): fatal: unsupported certificate
(more of the log on https://pastebin.com/qjY83e7G )
Server config:
#server
port 443
proto tcp
dev tap0
ca /etc/openvpn/ca.crt
cert /etc/openvpn/issued/server.crt
key /etc/openvpn/private/server.key
dh /etc/openvpn/dh.pem
server 10.98.0.0 255.255.0.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120
tls-server
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
comp-lzo
#user nobody
#group nobody
persist-key
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 9
explicit-exit-notify 0
auth sha512
remote-cert-tls client
duplicate-cn
Client config:
client
dev tap0
proto tcp
remote ########
resolv-retry infinite
#nobind
comp-lzo
persist-key
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 9
key-direction 1
cipher AES-256-CBC
auth sha512
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
dh /etc/openvpn/dh.pem
tls-client
tls-auth /etc/openvpn/ta.key 1
remote-cert-tls server
#script-security 2
#up /zpi/onVpnUp.sh
Googling the error led me to this EasyRSA vars setting:
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.
#set_var EASYRSA_NS_SUPPORT "no"
But reading the comment, it should be set to 'yes' only when using ns-cert-type (which I don't have in my config), not when using remote-cert-tls (which I do).
Where am I wrong?
Edit: I tried regenerating the certificate files with EASYRSA_NS_SUPPORT and I am still getting this error.
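As an added example (not part of the question and not the asker's PKI), the following script reproduces the check behind that log line with plain openssl. "unsupported certificate purpose" is OpenSSL's X509_V_ERR_INVALID_PURPOSE message: with remote-cert-tls client the server requires the peer certificate to be usable as a TLS client (OpenVPN documents it as equivalent to --remote-cert-ku plus --remote-cert-eku "TLS Web Client Authentication"), and openssl verify -purpose sslclient applies the same OpenSSL purpose check to a file. The script builds a throwaway CA in a temp directory, signs one CSR with CN=client twice (once with a clientAuth EKU, once with a serverAuth EKU as if it had been issued as a server certificate), and shows which one the purpose check rejects. The CA name, file names and 2-day validity are demo assumptions; the only command worth running against a real setup is the openssl verify / openssl x509 -text pair at the end.

```shell
#!/bin/sh
# Added example, not the asker's files: reproduce OpenVPN's
# "unsupported certificate purpose" with openssl alone.
set -e
umask 077
WORK=$(mktemp -d)                 # throwaway PKI, removed on exit
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Constructed demo CA and a client key/CSR with CN=client
#    (matches the CN in the asker's log, nothing else is theirs).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=demo-ca" -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
    -subj "/CN=client" >/dev/null 2>&1

# 2. Sign the same CSR twice with different Extended Key Usage values.
#    good.crt is what build-client-full should give you; bad.crt is a
#    certificate issued with a server EKU, i.e. the wrong purpose.
issue_cert() {   # issue_cert <out.crt> <extendedKeyUsage value>
    printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature\n' "$2" > "$1.ext"
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 2 -extfile "$1.ext" -out "$1" >/dev/null 2>&1
}
issue_cert good.crt clientAuth
issue_cert bad.crt  serverAuth

# 3. The question the server asks under remote-cert-tls client:
#    is this certificate valid *as a TLS client*? (exit 0 = yes)
client_purpose_ok() {   # client_purpose_ok <cert>
    openssl verify -purpose sslclient -CAfile ca.crt "$1" >/dev/null 2>&1
}

# 4. Diagnostics to run against a real client.crt / ca.crt pair.
eku_of() {     # print the Extended Key Usage line of <cert>
    openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;s/^ *//;p;}'
}
verify_msg() { # full verify output, e.g. "... unsupported certificate purpose"
    openssl verify -purpose sslclient -CAfile ca.crt "$1" 2>&1 || true
}

for c in good.crt bad.crt; do
    printf '%s: EKU=[%s]\n' "$c" "$(eku_of "$c")"
    if client_purpose_ok "$c"; then
        echo "  sslclient purpose: OK"
    else
        echo "  sslclient purpose: REJECTED"
        verify_msg "$c" | sed 's/^/  /'
    fi
done
```

bad.crt fails with "error 26 at 0 depth lookup: unsupported certificate purpose", the same depth=0 error OpenVPN logs, while good.crt passes. Against a real deployment the useful pair is `openssl verify -purpose sslclient -CAfile ca.crt client.crt` on the server side and `openssl x509 -in client.crt -noout -text` to see whether the Extended Key Usage says "TLS Web Client Authentication"; EASYRSA_NS_SUPPORT only controls the legacy nsCertType attribute and does not add the EKU this check looks for.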