"self signed certificate" is not self-signed

Scripts to manage certificates or generate config files
chameleon
OpenVpn Newbie
Posts: 13
Joined: Wed Sep 11, 2019 4:54 am

"self signed certificate" is not self-signed

Post by chameleon » Thu Sep 16, 2021 9:22 pm

Hi.

I have a working OpenVPN server and 2 working clients.
I am trying to add a new client and I failed with self-signed certificate.

The client log is:


2021-09-16 23:55:03 OpenVPN 2.5.3 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jun 17 2021
2021-09-16 23:55:03 Windows version 10.0 (Windows 10 or greater) 64bit
2021-09-16 23:55:03 library versions: OpenSSL 1.1.1k  25 Mar 2021, LZO 2.10
Enter Management Password:
2021-09-16 23:55:03 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25341
2021-09-16 23:55:03 Need hold release from management interface, waiting...
2021-09-16 23:55:04 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25341
2021-09-16 23:55:04 MANAGEMENT: CMD 'state on'
2021-09-16 23:55:04 MANAGEMENT: CMD 'log all on'
2021-09-16 23:55:04 MANAGEMENT: CMD 'echo all on'
2021-09-16 23:55:04 MANAGEMENT: CMD 'bytecount 5'
2021-09-16 23:55:04 MANAGEMENT: CMD 'hold off'
2021-09-16 23:55:04 MANAGEMENT: CMD 'hold release'
2021-09-16 23:55:04 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-16 23:55:04 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,RESOLVE,,,,,,
2021-09-16 23:55:04 TCP/UDP: Preserving recently used remote address: [AF_INET]94.64.21.191:1194
2021-09-16 23:55:04 Socket Buffers: R=[65536->65536] S=[65536->65536]
2021-09-16 23:55:04 UDP link local (bound): [AF_INET][undef]:1194
2021-09-16 23:55:04 UDP link remote: [AF_INET]94.64.21.191:1194
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,WAIT,,,,,,
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,AUTH,,,,,,
2021-09-16 23:55:04 TLS: Initial packet from [AF_INET]94.64.21.191:1194, sid=dccc7737 35dbc0c1
2021-09-16 23:55:04 VERIFY ERROR: depth=0, error=self signed certificate: C=GR, ST=Ελλάδα (Greece), L=Λάρισα (Larissa), O=Γκέσος Παύλος (Gkesos Pavlos), CN=Γκέσος Παύλος (Gkesos Pavlos), emailAddress=gessos.paul@gmail.com, serial=1
2021-09-16 23:55:04 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2021-09-16 23:55:04 TLS_ERROR: BIO read tls_read_plaintext error
2021-09-16 23:55:04 TLS Error: TLS object -> incoming plaintext read error
2021-09-16 23:55:04 TLS Error: TLS handshake failed
2021-09-16 23:55:04 SIGUSR1[soft,tls-error] received, process restarting
2021-09-16 23:55:04 MANAGEMENT: >STATE:1631825704,RECONNECTING,tls-error,,,,,
2021-09-16 23:55:04 Restart pause, 5 second(s)
2021-09-16 23:55:08 SIGTERM[hard,init_instance] received, process exiting
2021-09-16 23:55:08 MANAGEMENT: >STATE:1631825708,EXITING,init_instance,,,,,

Also, some console commands give these results:


root@ODROID-HC2:~/cert/openvpn# cat ca.crt | openssl x509 -noout -enddate
notAfter=Apr  5 18:04:05 2120 GMT
root@ODROID-HC2:~/cert/openvpn# openssl verify -verbose -CAfile ca.crt  server.crt
server.crt: OK
root@ODROID-HC2:~/cert/openvpn# openssl verify -verbose -CAfile ca.crt  pavlos.crt
pavlos.crt: OK
So the CA has not expired, and both the server and the new client certificate are valid under the CA.

Also, the server's /var/log/syslog gives:


Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: MULTI: multi_create_instance called
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Re-using SSL/TLS context
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Control Channel MTU parms [ L:1653 D:1184 EF:66 EB:0 ET:0 EL:3 ]
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Data Channel MTU parms [ L:1653 D:1450 EF:121 EB:411 ET:32 EL:3 ]
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Local Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 0,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-server'
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 Expected Remote Options String (VER=V4): 'V4,dev-type tap,link-mtu 1581,tun-mtu 1532,proto UDPv4,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client'
Sep 17 00:18:11 ODROID-HC2 ovpn-server[363]: 10.0.0.1:1194 TLS: Initial packet from [AF_INET]10.0.0.1:1194, sid=5aa55dff f6a54fe3

What is happening here?

PS: Using the config with inline certs from one working client to new client, DOES NOT WORK!!!

TinCanTech
Forum Team
Posts: 9951
Joined: Fri Jun 03, 2016 1:17 pm

Re: "self signed certificate" is not self-signed

Post by TinCanTech » Thu Sep 16, 2021 9:28 pm

OpenVPN does not support self-signed certificates.

chameleon
OpenVpn Newbie
Posts: 13
Joined: Wed Sep 11, 2019 4:54 am

Re: "self signed certificate" is not self-signed

Post by chameleon » Thu Sep 16, 2021 10:28 pm

Yeah.
As I say in the post, a certificate validated by a CA is not self-signed.
So OpenVPN erroneously says that it is self-signed.
Please read the top post again.

TinCanTech
Forum Team
Posts: 9951
Joined: Fri Jun 03, 2016 1:17 pm

Re: "self signed certificate" is not self-signed

Post by TinCanTech » Thu Sep 16, 2021 10:35 pm

chameleon wrote (Thu Sep 16, 2021 10:28 pm):
As I say in the post, a certificate validated from a CA is not self-signed.

Your client certificate is ...

viewtopic.php?f=30&t=22603

300000
OpenVPN Expert
Posts: 639
Joined: Tue May 01, 2012 9:30 pm

Re: "self signed certificate" is not self-signed

Post by 300000 » Fri Sep 17, 2021 1:33 pm

How did you sign the client certificate? It is simple, but more confusing if you don't know what a CA certificate means.

All OpenVPN operations are based on a self-signed certificate.

TinCanTech
Forum Team
Posts: 9951
Joined: Fri Jun 03, 2016 1:17 pm

Re: "self signed certificate" is not self-signed

Post by TinCanTech » Fri Sep 17, 2021 2:14 pm

300000 wrote (Fri Sep 17, 2021 1:33 pm):
All openvpn operations base on selfsign certificate

What?

@chameleon Either way, how did you create your certificates?

chameleon
OpenVpn Newbie
Posts: 13
Joined: Wed Sep 11, 2019 4:54 am

Re: "self signed certificate" is not self-signed

Post by chameleon » Sun Sep 19, 2021 3:15 pm

The solution here:
viewtopic.php?f=4&t=33030
