Client install not working- errors

[dthommail]

So I followed directions from Liquid Web to install OpenVPN on my server and laptop. The server host install seems OK but I am stuck trying to get the laptop client working. When I run # openvpn /etc/openvpn/client.conf this is the error message I get.

Thu Oct 15 20:16:50 2015 OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015
Thu Oct 15 20:16:50 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Thu Oct 15 20:16:50 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Oct 15 20:16:50 2015 Cannot load certificate file /etc/openvpn/easy-rsa/keys/client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Thu Oct 15 20:16:50 2015 Exiting due to fatal error

Where do I go from here?

Running Linux CentOS 7 on both.

[Traffic]

Cannot load certificate file /etc/openvpn/easy-rsa/keys/client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

This suggests there is something wrong with your client.crt

Did you use easy-rsa to create your PKI ?

[dthommail]

Yes, I used easy-rsa. Any assistance you can offer would be greatly appreciated.

[dthommail]

Yes, I used easy-rsa.

[Traffic]

Cannot load certificate file /etc/openvpn/easy-rsa/keys/client.crt <..> no start line:

Look in that file for this sort of thing:

Code: Select all

Certificate:
    Data:
        Version: <..>
        Serial Number: <..>
    Signature Algorithm: <..>
        Issuer: <..>
        Validity
            Not Before: <..>
            Not After : <..>
        Subject: <..>
        Subject Public Key Info:
            Public Key Algorithm: <..>
                Public-Key: (x bit)
                pub: 
                   <..>
                ASN1 OID: <..>
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Subject Key Identifier: 
                <..>
            X509v3 Authority Key Identifier: 
                keyid:<..>
                DirName:<..>
                serial: <..>

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
    Signature Algorithm: 
<..>

-----BEGIN CERTIFICATE-----
<..>
-----END CERTIFICATE-----

[dthommail]

It follows your example up to Public-Key. The next line is Modulus: and then a whole bunch of hex number separated by colons and then "client.crt" 96L, 5488C.

[Traffic]

Yes, I used easy-rsa.

Did you create the cert with a password or without ?

< ./easyrsa build-key > or < ./easyrsa build-client-full > will, by default, encrypt with a password .. use the nopass option to over-ride.

[dthommail]

I used:

cd /etc/openvpn/easy-rsa
./build-key client

where client is the name I use for the client machine since there is only one right now. I did not see an option for passwords at all.

[dthommail]

These are the instruction I used.

https://www.digitalocean.com/community/ ... n-centos-7

[Traffic]

I used:

cd /etc/openvpn/easy-rsa
./build-key client

This means your client cert has been created with a password.

[dthommail]

Should I delete the old cert and create a new one? What is the password for?

[Traffic]

Should I delete the old cert and create a new one?

Can you remember the password ?

What is the password for?

To encrypt your cert/key allowing a questionable * layer of security ..

• questionable * : Because a lot of people then store the password in plain text ..

EasyRSA Guide:
https://community.openvpn.net/openvpn/wiki/EasyRSA

[dthommail]

I don't remember the password or being prompted to make one.