config for chained ca - subca - TLS_error

Scripts to manage certificates or generate config files
Nicolas Jungers
OpenVpn Newbie
Posts: 4
Joined: Wed Aug 02, 2017 9:36 am

config for chained ca - subca - TLS_error

Postby Nicolas Jungers » Wed Aug 02, 2017 11:57 am

After switching to easyrsa v3 I went for a full CA - subCA setting. I've read https://community.openvpn.net/openvpn/w ... ate_Chains and did the following setup
root-CA
+ sub-CA1
| + SSL server certificate
| + SSL client certificate

It's slightly different from the one described in the linked page.
Consider the following CA setup:

  • the 'root CA' certificate is 'ca.crt'
  • the server certificate is signed by the root CA
  • a separate sub-CA or intermediary CA is created, which is also signed by the root CA
  • the client certificates are signed by the sub-CA.


The setup I did sign the server cert with the subCA instead of the CA, allowing the complete removal of the CA from the usual operations.

serverconfig
ca keys/subCA.crt
cert keys/server.crt
key keys/server.key



clientconfig
ca keys/CA.crt
cert keys/client+subCA.chained.crt
key keys/client.key


The error is:

Code: Select all

[10876]: TLS: Initial packet from [AF_INET]95.131.251.177:1194, sid=b0af5ece 27876b7a
[10876]: VERIFY OK: depth=2, CN=CA CA
[10876]: VERIFY OK: depth=1, CN=subCA subCA
[10876]: VERIFY nsCertType ERROR: CN=servername, require nsCertType=SERVER
[10876]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[10876]: TLS Error: TLS object -> incoming plaintext read error
[10876]: TLS Error: TLS handshake failed


The easyrsa sign was done using the server type and a verification gives :

Code: Select all

openssl x509 -in server.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=//subCA// subCA
        Validity
            Not Before: Aug  1 16:21:03 2017 GMT
            Not After : Jul 30 16:21:03 2027 GMT
        Subject: CN=//server//
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
(snip)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                C9:68:3A:EA:68:2F:E4:0E:49:C1:B0:BC:73:6C:E7:B2:45:58:AA:F5
            X509v3 Authority Key Identifier:
                keyid:67:32:A1:68:29:8A:0D:AB:1A:EE:B0:3D:8A:8E:BB:5B:21:E5:24:66
                DirName:/CN=//My// CA
                serial:01

            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha256WithRSAEncryption
(snip)


If in the client I change the setting to:

Code: Select all

ca keys/sub+ca.chained.crt
cert keys/client.crt
key keys/client.key


The error message stay the same.

Code: Select all

[12583]: VERIFY OK: depth=2, CN=CA CA
[12583]: VERIFY OK: depth=1, CN=subCA subCA
[12583]: VERIFY nsCertType ERROR: CN=servername, require nsCertType=SERVER
[12583]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed


Various

Code: Select all

openssl verify -CAfile
doesn't show any problem.

Any idea of what could be wrong?

Nicolas

Nicolas Jungers
OpenVpn Newbie
Posts: 4
Joined: Wed Aug 02, 2017 9:36 am

Re: config for chained ca - subca - TLS_error

Postby Nicolas Jungers » Wed Aug 02, 2017 1:08 pm

Small addendum, the versions:

server version
openvpn --version
OpenVPN 2.3.6 x86_64-sun-solaris2.11 [SSL (OpenSSL)] [LZO] [IPv6] built on Jan 27 2017
library versions: OpenSSL 1.0.2e 3 Dec 2015, LZO 2.09


client version
openvpn --version
OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 22 2017
library versions: OpenSSL 1.0.2g 1 Mar 2016, LZO 2.08

Nicolas Jungers
OpenVpn Newbie
Posts: 4
Joined: Wed Aug 02, 2017 9:36 am

[solved] Re: config for chained ca - subca - TLS_error

Postby Nicolas Jungers » Thu Aug 03, 2017 1:44 pm

The issue was the config option
client
ns-cert-type server

and was not related to definition of the cert as a server type cert when signing but to the "Netscape" extensions in vars. That is deprecated and default to "no" in easyrsa v3.x


Return to “Cert / Config management”

Who is online

Users browsing this forum: No registered users and 1 guest