Trying to install profile sent by email and get this error on iPhone running 9.3.5. and OpenVPN v1.0.7 build 199.
PolarSSL : error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected
This same profile works fine if importing by iTunes.
Anyone have any clues?
Here is the full log..,
Thanks in advance for any help.
2016-10-13 16:32:30 ----- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2016-10-13 16:32:30 Frame=512/2048/512 mssfix-ctrl=1250
2016-10-13 16:32:30 EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected [ERR]
2016-10-13 16:32:30 Raw stats on disconnect:
2016-10-13 16:32:30 Performance stats on disconnect:
CPU usage (microseconds): 2433
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0
2016-10-13 16:32:30 EVENT: DISCONNECT_PENDING
2016-10-13 16:32:30 ----- OpenVPN Stop -----
[Solved] PolarSSL The certificate format is invalid, e.g. different type expected
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Oct 13, 2016 8:42 pm
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: PolarSSL The certificate format is invalid, e.g. different type expected
What is in the profile ?
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Oct 13, 2016 8:42 pm
Re: PolarSSL The certificate format is invalid, e.g. different type expected
The iphone.ovpn file and a ca.crt. The xxx's represent the dns name which are removed for this public post. Here is the contents of the .ovpn file.
Thanks for your thoughts TinCanTech.
dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
ns-cert-type server
ca ca.crt
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
Thanks for your thoughts TinCanTech.
dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
ns-cert-type server
ca ca.crt
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: PolarSSL The certificate format is invalid, e.g. different type expected
Remove --ns-cert-type server and try again.
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Oct 13, 2016 8:42 pm
Re: PolarSSL The certificate format is invalid, e.g. different type expected
At this point I'm a bit mixed up, especially now that I have so many different test files. So, I just restarted from scratch and let me restate....
If I import through iTunes it works fine when the file is a package called iphone.ovpn containing the .ovpn file and the ca.crt. Here is what is in the .ovpn and I just removed the ns-cert-type server and verified it still works.
dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
ca ca.crt
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
When I sent that by email it wouldn't even import into the OpenVPN app. All I see after clicking on the email attachment is iphone.ovpn OpenVPN Profile 192 bytes and swipe left I see ca.crt certificate (x.509) 1kb
So, my first question now is what is the proper way to email? What I've been trying is...Creating a single file and emailing which then gave me the option to import into OpenVPN profile. But I still get the original error.... PolarSSL The certificate format is invalid, e.g. different type expected.
Thanks for your help!
If I import through iTunes it works fine when the file is a package called iphone.ovpn containing the .ovpn file and the ca.crt. Here is what is in the .ovpn and I just removed the ns-cert-type server and verified it still works.
dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
ca ca.crt
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
When I sent that by email it wouldn't even import into the OpenVPN app. All I see after clicking on the email attachment is iphone.ovpn OpenVPN Profile 192 bytes and swipe left I see ca.crt certificate (x.509) 1kb
So, my first question now is what is the proper way to email? What I've been trying is...Creating a single file and emailing which then gave me the option to import into OpenVPN profile. But I still get the original error.... PolarSSL The certificate format is invalid, e.g. different type expected.
Thanks for your help!
client
dev tun
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
<ca>
----BEGIN CERTIFICATE-----
MIIDyDCCAzGgAwIBAgIJAOK+fV7fRe19MA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD
VQQGEwJBVDELMAkGA1UECBMCV0kxDzANBgNVBAcTBlZpZW5uYTETMBEGA1UEChMK
Qm9uam91clZQTjERMA8GA1UECxMIU2VjdXJpdHkxEzARBgNVBAMTCmJvbmpvdXIt
Y2ExEzARBgNVBCkTCmJvbmpvdXItY2ExIDAeBgkqhkiG9w0BCQEWEXZwbkBib25q
b3VyLmxvY2FsMB4XDTE0MDIyMTA4MjAxOFoXDTI0MDIxOTA4MjAxOFowgZ8xCzAJ
BgNVBAYTAkFUMQswCQYDVQQIEwJXSTEPMA0GA1UEBxMGVmllbm5hMRMwEQYDVQQK
EwpCb25qb3VyVlBOMREwDwYDVQQLEwhTZWN1cml0eTETMBEGA1UEAxMKYm9uam91
ci1jYTETMBEGA1UEKRMKYm9uam91ci1jYTEgMB4GCSqGSIb3DQEJARYRdnBuQGJv
bmpvdXIubG9jYWwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALCRld9lo++2
mFdZbo7nIViM9NW+Vvfyh+3qWZCbRGEcsB8AGU4k7lg5p7MHjcnSMkjbgOnsLkaL
bYhtU3TxpVbmT3S4tOmbuV09pcUG/I2lCh8LokqI3ctuInLzWaQBxg+7eQ3kLLZh
w3UJKolUmwG/MJC830IbOGUHux856tj3AgMBAAGjggEIMIIBBDAdBgNVHQ4EFgQU
KPh5K13jX9XH+kWDS2LYbriowlUwgdQGA1UdIwSBzDCByYAUKPh5K13jX9XH+kWD
S2LYbriowlWhgaWkgaIwgZ8xCzAJBgNVBAYTAkFUMQswCQYDVQQIEwJXSTEPMA0G
A1UEBxMGVmllbm5hMRMwEQYDVQQKEwpCb25qb3VyVlBOMREwDwYDVQQLEwhTZWN1
cml0eTETMBEGA1UEAxMKYm9uam91ci1jYTETMBEGA1UEKRMKYm9uam91ci1jYTEg
MB4GCSqGSIb3DQEJARYRdnBuQGJvbmpvdXIubG9jYWyCCQDivn1e30XtfTAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAJDx+DLbiCP3GM/6Gd4Ih0aQzWsz
CDjjcLEdTcEExM8Fn/rqrgEmE6jrtNXn4kKE2Y/Qk4Jud1PGEiXmEoKRTiZTY7m1
RBG8ZHoVWk6Pz2ZUeCT7rpxsspdXPyPt0vAFCPHs5v1RYyu4lkgHJ0N68ih7n831
E8Hc3CAbda1wAzW6
-----END CERTIFICATE-----
</ca>
client
resolv-retry infinite
nobind
remote xxx.xxx.com 1195 udp
remote xxx.xxx.com 443 tcp
tls-client
comp-lzo
persist-key
persist-tun
verb 3
auth-user-pass
<ca>
----BEGIN CERTIFICATE-----
MIIDyDCCAzGgAwIBAgIJAOK+fV7fRe19MA0GCSqGSIb3DQEBBQUAMIGfMQswCQYD
VQQGEwJBVDELMAkGA1UECBMCV0kxDzANBgNVBAcTBlZpZW5uYTETMBEGA1UEChMK
Qm9uam91clZQTjERMA8GA1UECxMIU2VjdXJpdHkxEzARBgNVBAMTCmJvbmpvdXIt
Y2ExEzARBgNVBCkTCmJvbmpvdXItY2ExIDAeBgkqhkiG9w0BCQEWEXZwbkBib25q
b3VyLmxvY2FsMB4XDTE0MDIyMTA4MjAxOFoXDTI0MDIxOTA4MjAxOFowgZ8xCzAJ
BgNVBAYTAkFUMQswCQYDVQQIEwJXSTEPMA0GA1UEBxMGVmllbm5hMRMwEQYDVQQK
EwpCb25qb3VyVlBOMREwDwYDVQQLEwhTZWN1cml0eTETMBEGA1UEAxMKYm9uam91
ci1jYTETMBEGA1UEKRMKYm9uam91ci1jYTEgMB4GCSqGSIb3DQEJARYRdnBuQGJv
bmpvdXIubG9jYWwwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALCRld9lo++2
mFdZbo7nIViM9NW+Vvfyh+3qWZCbRGEcsB8AGU4k7lg5p7MHjcnSMkjbgOnsLkaL
bYhtU3TxpVbmT3S4tOmbuV09pcUG/I2lCh8LokqI3ctuInLzWaQBxg+7eQ3kLLZh
w3UJKolUmwG/MJC830IbOGUHux856tj3AgMBAAGjggEIMIIBBDAdBgNVHQ4EFgQU
KPh5K13jX9XH+kWDS2LYbriowlUwgdQGA1UdIwSBzDCByYAUKPh5K13jX9XH+kWD
S2LYbriowlWhgaWkgaIwgZ8xCzAJBgNVBAYTAkFUMQswCQYDVQQIEwJXSTEPMA0G
A1UEBxMGVmllbm5hMRMwEQYDVQQKEwpCb25qb3VyVlBOMREwDwYDVQQLEwhTZWN1
cml0eTETMBEGA1UEAxMKYm9uam91ci1jYTETMBEGA1UEKRMKYm9uam91ci1jYTEg
MB4GCSqGSIb3DQEJARYRdnBuQGJvbmpvdXIubG9jYWyCCQDivn1e30XtfTAMBgNV
HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4GBAJDx+DLbiCP3GM/6Gd4Ih0aQzWsz
CDjjcLEdTcEExM8Fn/rqrgEmE6jrtNXn4kKE2Y/Qk4Jud1PGEiXmEoKRTiZTY7m1
RBG8ZHoVWk6Pz2ZUeCT7rpxsspdXPyPt0vAFCPHs5v1RYyu4lkgHJ0N68ih7n831
E8Hc3CAbda1wAzW6
-----END CERTIFICATE-----
</ca>
-
- OpenVpn Newbie
- Posts: 4
- Joined: Thu Oct 13, 2016 8:42 pm
Re: PolarSSL The certificate format is invalid, e.g. different type expected
We got it working by telling IOS not to look for a profile ssl cert in the config because we don't use that. We use the username/password combo instead.
Everything fine now.
Everything fine now.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: PolarSSL The certificate format is invalid, e.g. different type expected
Thanks for letting us know your solution