OpenVPN doesn't work, cert error

Scripts to manage certificates or generate config files

Moderators: TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech, TinCanTech

Post Reply
eliaspizarro
OpenVpn Newbie
Posts: 1
Joined: Mon Jun 05, 2017 8:08 pm

OpenVPN doesn't work, cert error

Post by eliaspizarro » Mon Jun 05, 2017 8:14 pm

I've a file autogenerated by Untangle, this zip contains ovpn, cert.ca, ca and key. Those files works in windows and some linux machines (olds), but i can't setup in my router (LEDE with OpenVPN)

Error:

Code: Select all

Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: Certificate does not have key usage extension
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: VERIFY KU ERROR
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS object -> incoming plaintext read error
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS handshake failed
Client Version

Code: Select all

root@LEDE:/etc/config# openvpn --version
OpenVPN 2.4.2 arm-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.10
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
The configuration it's working on tomato:

Image
Image
Image

Files from OpenVPN Server:

Intelliholding-Aguilucho.ovpn:

Code: Select all

client
resolv-retry 20
keepalive 10 60
nobind
mute-replay-warnings
ns-cert-type server
comp-lzo
max-routes 500
verb 1
persist-key
persist-tun
explicit-exit-notify 1
dev tun
proto udp
port 1194
cipher AES-128-CBC
cert keys/Intelliholding-Aguilucho-epizarro.crt
key keys/Intelliholding-Aguilucho-epizarro.key
ca keys/Intelliholding-Aguilucho-epizarro-ca.crt
remote xxx.xxx.xxx.xxx 1194 # public address 
remote xxx.xxx.xxx.xxx 1194 # static WAN 1
Intelliholding-Aguilucho-epizarro.crt

Code: Select all

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 848396178 (0x32917f92)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=certificateAuthority, C=CO, ST=ST, L=L, O=O, OU=OU/dnQualifier=certificateAuthority
        Validity
            Not Before: Feb  9 21:47:00 2015 GMT
            Not After : Feb  6 21:47:00 2025 GMT
        Subject: C=CO, ST=ST, O=O, OU=OU, CN=epizarro/dnQualifier=client-epizarro
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:cb:08:75:9a:5c:3b:ae:2a:c0:ec:75:06:38:2b:
                    97:22:a2:68:b1:cb:a3:e2:69:f0:37:76:af:da:f9:
                    88:ec:8a:23:e6:c7:91:ef:8e:6c:4d:ab:87:4b:3d:
                    9d:9f:25:8a:a9:68:ee:8f:1d:1f:4e:21:66:6f:59:
                    02:af:81:30:d8:8a:c2:cc:b4:6d:0f:81:49:7b:74:
                    64:45:a2:ca:56:0c:78:14:e4:1a:24:0b:59:92:08:
                    5c:6c:08:a9:9d:15:59:ed:0f:de:4a:7c:a9:c4:79:
                    dd:21:3e:95:e1:48:e4:db:35:b1:c4:43:79:d2:29:
                    62:ba:b0:82:3b:68:76:65:cb:4f:73:59:5d:54:a9:
                    ce:12:b8:b3:d3:c0:aa:b0:e0:c6:c6:e3:73:28:e3:
                    b9:2b:65:e8:f6:93:ed:9d:96:f6:6d:6f:32:8b:03:
                    e3:42:13:43:9c:ce:1f:48:ec:0d:8b:32:2a:cb:71:
                    b4:9e:df:1b:9b:25:08:58:52:44:2b:bb:5a:92:81:
                    b0:74:66:78:4c:0e:5f:b8:1d:b1:a2:4a:df:34:89:
                    bb:2d:ad:c7:fa:c2:19:88:c0:2d:8a:50:95:9f:9b:
                    52:ae:b2:71:5a:4f:6d:d5:bd:a9:02:fd:95:4f:0a:
                    2d:bf:57:0a:0a:6d:0b:62:6f:b0:54:46:0b:9f:b2:
                    89:5b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                BF:77:04:00:5E:08:CB:D4:71:F0:FB:76:2A:16:98:91:DF:80:B6:E0
            X509v3 Authority Key Identifier: 
                keyid:8B:25:67:35:59:BD:88:D6:0A:76:38:4F:B1:64:0B:F6:C5:83:92:80
                DirName:/CN=certificateAuthority/C=CO/ST=ST/L=L/O=O/OU=OU/dnQualifier=certificateAuthority
                serial:BB:C9:7E:07:73:5D:2F:37

    Signature Algorithm: md5WithRSAEncryption
        64:6e:8f:b2:5e:f7:67:61:9c:c0:51:18:e0:62:0c:e6:86:c7:
        0c:2e:63:07:bf:70:24:af:f0:17:3e:49:25:e4:b5:2b:1d:ac:
        b3:7b:16:e6:1e:c2:42:62:46:09:08:1c:62:97:e9:2f:d7:1a:
        8e:c9:e7:e3:78:f7:a7:b2:ca:d6:42:b4:16:75:5d:21:d9:e1:
        61:43:29:d3:94:5e:00:0e:52:e2:44:5a:32:69:da:e9:7b:4f:
        12:2d:7c:ce:a6:29:67:76:0f:4e:3e:c1:b9:58:ef:b9:45:f1:
        88:d7:e5:45:0c:12:86:3f:86:19:cf:d4:e9:10:11:71:7d:8d:
        49:bc:63:0f:d5:6a:3b:40:46:b3:7d:9a:93:62:1f:7d:c8:84:
        7b:52:b6:26:1e:18:4a:e1:e2:1e:44:c5:de:86:78:16:ea:2c:
        03:86:61:19:0c:4b:52:1a:47:50:b2:35:a3:0c:02:bb:f9:cc:
        85:01:05:10:4f:9d:69:cd:bc:16:36:9c:ab:7d:e0:73:43:cb:
        2c:16:75:75:a0:0e:a3:5c:ac:92:ee:c6:c9:a4:03:0c:cd:62:
        d4:3e:ac:35:07:2a:32:93:88:d5:3e:b4:fe:c9:c8:60:0b:e7:
        5a:b4:fe:ff:54:b7:c7:6b:47:86:0d:0b:b3:6e:f1:6b:3e:68:
        bd:97:00:e8
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
From Intelliholding-Aguilucho-epizarro.crt, I trunk all except certificate (2nd attemp):

Code: Select all

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Intelliholding-Aguilucho-epizarro.key

Code: Select all

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Intelliholding-Aguilucho-epizarro-ca.crt

Code: Select all

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Logs from LEDE build

Code: Select all

Mon Jun  5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Mon Jun  5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun  5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS object -> incoming plaintext read error
Mon Jun  5 13:25:14 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS handshake failed
Mon Jun  5 13:25:14 2017 daemon.notice openvpn(CostaBrothers)[13235]: SIGUSR1[soft,tls-error] received, process restarting
Mon Jun  5 13:25:14 2017 daemon.notice openvpn(CostaBrothers)[13235]: Restart pause, 5 second(s)
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: Socket Buffers: R=[163840->163840] S=[163840->163840]
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: UDP link local: (not bound)
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: TLS: Initial packet from [AF_INET]200.75.7.65:1194, sid=778c6e0a 64ffb152
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: VERIFY OK: depth=1, CN=certificateAuthority, C=CO, ST=ST, L=L, O=O, OU=OU, dnQualifier=certificateAuthority
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: Certificate does not have key usage extension
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: VERIFY KU ERROR
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS object -> incoming plaintext read error
Mon Jun  5 13:25:19 2017 daemon.err openvpn(CostaBrothers)[13235]: TLS Error: TLS handshake failed
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: SIGUSR1[soft,tls-error] received, process restarting
Mon Jun  5 13:25:19 2017 daemon.notice openvpn(CostaBrothers)[13235]: Restart pause, 5 second(s)
OpenVPN Conf in my LEDE router:

Code: Select all

config openvpn 'CostaBrothers'
        option float '1'
        option client '1'
        option comp_lzo 'yes'
        option dev 'tap'
        option reneg_sec '0'
        option verb '3'
        option persist_key '1'
        option nobind '1'
        list remote 'xxx.xxx.xxx.xxx'
        option key '/etc/luci-uploads/cbid.openvpn.CostaBrothers.key'
        option ca '/etc/luci-uploads/cbid.openvpn.CostaBrothers.ca'
        option cert '/etc/luci-uploads/cbid.openvpn.CostaBrothers.cert'
        option cipher 'AES-128-CBC'
        option ns_cert_type 'server'
        option proto 'udp'
        option resolv_retry '20'
        option keepalive '10 60'
        option explicit_exit_notify '1'
Supported ciphers and HMAC

Code: Select all

root@LEDE:/etc/config# openvpn --show-digests
MD5 128 bit digest size
RSA-MD5 128 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
DSA-SHA1-old 160 bit digest size
DSA-SHA1 160 bit digest size
RSA-SHA1-2 160 bit digest size
DSA 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size
ecdsa-with-SHA1 160 bit digest size
RSA-SHA256 256 bit digest size
RSA-SHA384 384 bit digest size
RSA-SHA512 512 bit digest size
RSA-SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
SHA224 224 bit digest size

Code: Select all

root@LEDE:/etc/config# openvpn --show-ciphers
AES-128-CBC  (128 bit key, 128 bit block)
AES-128-CFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM  (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB  (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC  (192 bit key, 128 bit block)
AES-192-CFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM  (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB  (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC  (256 bit key, 128 bit block)
AES-256-CFB  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM  (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB  (256 bit key, 128 bit block, TLS client/server mode only)

The following ciphers have a block size of less than 128 bits,
and are therefore deprecated.  Do not use unless you have to.

BF-CBC  (128 bit key by default, 64 bit block)
BF-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC  (128 bit key by default, 64 bit block)
CAST5-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC  (64 bit key, 64 bit block)
DES-CFB  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1  (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8  (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC  (128 bit key, 64 bit block)
DES-EDE-CFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB  (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC  (192 bit key, 64 bit block)
DES-EDE3-CFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8  (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB  (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB  (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC  (192 bit key, 64 bit block)
RC2-40-CBC  (40 bit key by default, 64 bit block)
RC2-64-CBC  (64 bit key by default, 64 bit block)
RC2-CBC  (128 bit key by default, 64 bit block)
RC2-CFB  (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB  (128 bit key by default, 64 bit block, TLS client/server mode only)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: OpenVPN doesn't work, cert error

Post by TinCanTech » Tue Jun 06, 2017 12:27 pm

eliaspizarro wrote:daemon.err openvpn(CostaBrothers)[13235]: Certificate does not have key usage extension
Apparently, your certificate does not have a key usage extension.
eliaspizarro wrote:I've a file autogenerated by Untangle, this zip contains ovpn, cert.ca, ca and key. Those files works in windows and some linux machines (olds), but i can't setup in my router (LEDE with OpenVPN)
We don't know what your Untangle zip file contains .. try using EasyRSA (which comes with OpenVPN) to create your entire PKI and then distribute that as necessary.

Start here:
https://openvpn.net/index.php/open-sour ... o.html#pki

Post Reply