Android app doesn't see cert embedded in config file

Official client software for OpenVPN Access Server and OpenVPN Cloud.
bmn001
OpenVpn Newbie
Posts: 1
Joined: Tue Sep 07, 2021 10:07 pm

Android app doesn't see cert embedded in config file

Post by bmn001 » Tue Sep 07, 2021 10:11 pm

I'm attempting to set up the Android client on my phone but am running into an issue.

My .ovpn config file is generated by my Synology NAS.

The OpenVPN Android client is able to import that config file without a problem.

When I attempt to connect to the server, the app pops up a dialog that says:
"Select Certificate. This profile doesn't include a client certificate. Continue connecting without a certificate or select one from the Android keychain?"

If I tap Continue I'm allowed to proceed and my connection successfully completes.

I'm confused by the error message: My .ovpn file *does* contain a certificate at the bottom within the following tags:

<ca>
-----BEGIN CERTIFICATE-----
long cert here...
-----END CERTIFICATE-----
</ca>

Am I misunderstanding how this should work?

Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Android app doesn't see cert embedded in config file

Post by TinCanTech » Tue Sep 07, 2021 11:27 pm

A <ca> is not a <cert>, which is why you are still expected to select a certificate.

https://community.openvpn.net/openvpn/w ... nPage#lbAW

EtsSpets
OpenVpn Newbie
Posts: 5
Joined: Fri Oct 29, 2021 8:18 am

Re: Android app doesn't see cert embedded in config file

Post by EtsSpets » Fri Oct 29, 2021 8:34 am

I have the same exact issue with the same exact devices... :)

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Android app doesn't see cert embedded in config file

Post by openvpn_inc » Fri Nov 05, 2021 1:42 pm

Hello EtsSpets and bmn001,

By default OpenVPN3 core in OpenVPN Connect v3 assumes that you are going to use a client certificate and client private key, and a server CA certificate, to verify the identity of the server and the client. Basically the client certificate and client private key are used to prove to the server that you are the client that you say that you are, and the server CA certificate is used to verify the identity of the server, so that you are connecting to the server that you think you are connecting to.

You should have a <ca> block </ca> which contains the server CA certificate, which allows the client to verify the identity of the server. But, you are lacking the <cert> </cert> and/or <key> </key> blocks, apparently. So there is no client certificate and no client private key. And the OpenVPN Connect software really wants those unless you DON'T use client certificates. That is pretty rare and pretty strange. So, if you DO have client private key and client certificate, then USE THOSE. Either by inlining them in the connection profile in the cert and key blocks, or, by importing that separately in the OpenVPN Connect client and tell the client to use those for this connection. But, if you DON'T have client certificates at all (quite odd situation to be in) then you need to tell the client that you are not going to use client certificates by putting this line in the client profile before importing:

setenv CLIENT_CERT 0
https://openvpn.net/faq/how-to-make-the ... icate-key/

You can try that and see if that helps.

But ideally.. you would be using client certificates. This is considered the default with using OpenVPN.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
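
An added example, not part of any post in this thread: a small Python check of which credential material an .ovpn profile carries, following the distinction drawn in the reply above between the <ca> block, the <cert>/<key> blocks, and `setenv CLIENT_CERT 0`. The sample profile, its host name and the `audit_profile` function are constructed for illustration, and the `expect_prompt` field is an inference from that reply, not documented client logic.

```python
import re

# Constructed sample resembling the first post: only the server CA is inline.
SAMPLE_CA_ONLY = """\
client
dev tun
remote vpn.example.net 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
(placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

INLINE_TAG = re.compile(r"^<(/?)([a-z0-9-]+)>$")

def audit_profile(text):
    """Report server-CA and client-credential material found in a profile."""
    found = {"ca": False, "cert": False, "key": False}
    client_cert_disabled = False
    inside = None  # name of the inline block currently being skipped
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tag = INLINE_TAG.match(line)
        if inside:
            # Ignore block contents until the matching closing tag.
            if tag and tag.group(1) == "/" and tag.group(2) == inside:
                inside = None
            continue
        if tag and not tag.group(1):
            inside = tag.group(2)
            if inside in found:
                found[inside] = True
            continue
        words = line.split()
        if words[0] in found and len(words) > 1:
            found[words[0]] = True  # file-based form, e.g. "cert client.crt"
        elif words[:3] == ["setenv", "CLIENT_CERT", "0"]:
            client_cert_disabled = True
    has_client_cert = found["cert"] and found["key"]
    return {
        "server_ca": found["ca"],
        "client_cert": has_client_cert,
        "client_cert_disabled": client_cert_disabled,
        # Assumption drawn from the reply above: the certificate dialog appears
        # when there is no client cert/key and the profile does not opt out.
        "expect_prompt": not has_client_cert and not client_cert_disabled,
    }
```
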

LZ91LZ
OpenVpn Newbie
Posts: 1
Joined: Sun Aug 15, 2021 8:13 am

Re: Android app doesn't see cert embedded in config file

Post by LZ91LZ » Sat Nov 13, 2021 10:52 am

[quote=openvpn_inc post_id=102984 time=1636119774 user_id=52935]
Hello EtsSpets and bmn001,

By default OpenVPN3 core in OpenVPN Connect v3 assumes that you are going to use a client certificate and client private key, and a server CA certificate, to verify the identity of the server and the client. Basically the client certificate and client private key are used to prove to the server that you are the client that you say that you are, and the server CA certificate is used to verify the identity of the server, so that you are connecting to the server that you think you are connecting to.

You should have a <ca> block </ca> which contains the server CA certificate, which allows the client to verify the identity of the server. But, you are lacking the <cert> </cert> and/or <key> </key> blocks, apparently. So there is no client certificate and no client private key. And the OpenVPN Connect software really wants those unless you DON'T use client certificates. That is pretty rare and pretty strange. So, if you DO have client private key and client certificate, then USE THOSE. Either by inlining them in the connection profile in the cert and key blocks, or, by importing that separately in the OpenVPN Connect client and tell the client to use those for this connection. But, if you DON'T have client certificates at all (quite odd situation to be in) then you need to tell the client that you are not going to use client certificates by putting this line in the client profile before importing:

setenv CLIENT_CERT 0
https://openvpn.net/faq/how-to-make-the-app-work-with-profiles-that-lack-a-client-certificate-key/

You can try that and see if that helps.

But ideally.. you would be using client certificates. This is considered the default with using OpenVPN.

Kind regards,
Johan
[/quote]
