VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
oliwel
OpenVpn Newbie
Posts: 12
Joined: Wed Jul 03, 2013 7:41 am

VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Post by oliwel » Thu May 04, 2017 1:23 pm

Hi All,

I am running a OpenVPN Server with a two level PKI where the Server and Client certificates come from different CAs:

Code: Select all

       
          Root CA
     |                  |
ServerCA        UserCA   
     |                  |
Server Cert  Client Cert
All is fine using OpenVPN Windows/Linux clients but I am unable to connect using the App neither on Android nor on iOS. I use an embeded ovpn config file that has all three CA certs and the client cert/key, it works flawlessly on the "fat" client. I am pretty sure about the content of the certificate items, if I extract them I can validate the client using openssl and as said it works on the fat client! The log file of the client shows that the server certificate is verified, after that I just see it running into connection timeout.

The keys are all RSA 2048, certs are all signed with SHA256 in case it matters.

This is what the ovpn file looks like:

Code: Select all

remote vpn-entry-01.acme-company.nowhere
remote-cert-tls server
client
proto udp
dev tun
comp-lzo
verb 5

<ca>
-----BEGIN CERTIFICATE----- 
Root CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Server CA, issued by RootCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
User CA, issued by RootCA
</ca>

<cert> 
-----BEGIN CERTIFICATE----- 
The clients certificate, issued by User CA above
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
Clients Key, I tried it with or without password
-----END RSA PRIVATE KEY-----
</key>
Server.log

Code: Select all

VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=DE, DC=Acme, DC=VPN User, DC=External, CN=test.user@acme.com:phone
TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Post by TinCanTech » Thu May 04, 2017 2:00 pm

Not being sure what you have done to your PKI, please see this:
https://community.openvpn.net/openvpn/w ... ate_Chains

I am lead to believe that Android and iOS OpenVPN Apps support chains.

zFsyFakxEA
OpenVpn Newbie
Posts: 2
Joined: Sat Apr 29, 2017 2:33 pm

Re: VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Post by zFsyFakxEA » Fri May 05, 2017 10:10 pm

It does support chains. A bit. Or at least older chains. The included PolarSSl Version has a bug concerning new, stronger encryption schemes. Same problem is described in my post: viewtopic.php?f=33&t=24003

eidt: my fault. at closer examination, this seems to be a different problem

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: VERIFY ERROR: depth=0, error=unable to get local issuer certificate

Post by TiTex » Sat May 06, 2017 6:57 am

oliwel wrote:Hi All,

I am running a OpenVPN Server with a two level PKI where the Server and Client certificates come from different CAs:

Code: Select all

       
          Root CA
     |                  |
ServerCA        UserCA   
     |                  |
Server Cert  Client Cert
client conf sould contain

Code: Select all

...
<ca>
-----BEGIN CERTIFICATE-----
Server CA, issued by RootCA (the CA which signed the server cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- 
Root CA
-----END CERTIFICATE-----
</ca>
...
server conf sould have

Code: Select all

...
<ca>
-----BEGIN CERTIFICATE-----
User CA, issued by RootCA (the CA which signed clients certs)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- 
Root CA
-----END CERTIFICATE-----
</ca>
...
a chain always starts with the leaf cert , the most specific ... so server/client cert , intermediate ca's , root ca's
in this case , the server has to trust the user cert , and client has to trust the server cert... in some cases you can get away with just the root CA , not sure if it's the same with openvpn.

Post Reply