Verify Error and unknown CA

Post by MisterSurface » Sun Jan 14, 2018 12:16 am

Hello - please help!!!! I have been trying to get the iPhone client to work for two days straight and my Android phone and windows laptop work fine.

I have tried every way I can think of for an iOS 11.2.2 (latest as of 1-13-2018) client on an iPhone 7 Plus in generating the client .ovpn profile and still get verification errors in being unable to get local issuer certificate.

My openVPN server is fully up to date and my Android phone connects fine with the setup I have without issue.

Here is the pertinent information:

SERVER

local 172.16.9.2
port y
proto udp4
dev tun
mssfix 1400
tun-mtu 1400
ca ca.cert.pem
cert server.cert.pem
key server.key.pem
crl-verify intermediate.crl.pem
dh dh4096.pem
server 172.16.10.0 255.255.255.0
push "dhcp-option DNS 208.67.222.222"
keepalive 10 120
tls-auth tls-auth.key 0
askpass "pass.txt"
cipher AES-256-GCM
auth SHA512
tls-server
key-direction 0
max-clients 10
user openvpn_server
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
log /etc/openvpncrap/openvpn.log
verb 9


The client has first my intermediate cert, then my root cert, in the <ca> </ca> tags - I've tried it with only the root, only the intermediate, both, both in the opposite order. I've tried importing both into the keychain on the iPhone also.

So it is as follows:

-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root cert
-----END CERTIFICATE-----

CLIENT

client
dev tun
proto udp4
remote x.x.x.x y
redirect-gateway def1
dhcp-option DNS 208.67.222.222
remote-cert-tls server
auth SHA512
cipher AES-256-GCM
nobind
float
key-direction 1
<ca>
-----BEGIN CERTIFICATE-----
intermediate cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
root cert
-----END CERTIFICATE-----
</ca>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
removed
-----END OpenVPN Static key V1-----
</tls-auth>


Server logs:

Sat Jan 13 17:51:01 2018 us=205648 166.170.221.137:10353 Incoming Ciphertext -> TLS
Sat Jan 13 17:51:01 2018 us=205687 166.170.221.137:10353 SSL state (accept): SSLv3/TLS write server done
Sat Jan 13 17:51:01 2018 us=206101 166.170.221.137:10353 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=US, ST=State_Of_Abyss, L=Local6667, O=667th_Layer, OU=RearWidow, CN=bustedpigclient, emailAddress=dev@null.io
Sat Jan 13 17:51:01 2018 us=206157 166.170.221.137:10353 SSL alert (write): fatal: unknown CA
Sat Jan 13 17:51:01 2018 us=206205 166.170.221.137:10353 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Sat Jan 13 17:51:01 2018 us=206229 166.170.221.137:10353 TLS_ERROR: BIO read tls_read_plaintext error
Sat Jan 13 17:51:01 2018 us=206251 166.170.221.137:10353 TLS Error: TLS object -> incoming plaintext read error
Sat Jan 13 17:51:01 2018 us=206273 166.170.221.137:10353 TLS Error: TLS handshake failed

Client logs:

2018-01-13 17:51:18 ----- OpenVPN Start ----- OpenVPN core 3.1.2 ios arm64 64-bit built on Jan  5 2018 23:09:59
2018-01-13 17:51:18 Keychain Cert Extraction: 1 certificate(s) found
2018-01-13 17:51:18 Frame=512/2048/512 mssfix-ctrl=1250
2018-01-13 17:51:18 UNUSED OPTIONS
9 [nobind] 

2018-01-13 17:51:18 EVENT: RESOLVE
2018-01-13 17:51:18 Contacting [x.x.x.x]:y/UDP via UDP
2018-01-13 17:51:18 EVENT: WAIT
2018-01-13 17:51:18 Connecting to [x.x.x.x]:y (x.x.x.x) via UDPv4
2018-01-13 17:51:18 EVENT: CONNECTING
2018-01-13 17:51:18 Tunnel Options:V4,dev-type tun,link-mtu 1521,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-256-GCM,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client
2018-01-13 17:51:18 Creds: UsernameEmpty/PasswordEmpty
2018-01-13 17:51:18 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.2.5-1
IV_VER=3.1.2
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_AUTO_SESS=1

2018-01-13 17:51:18 VERIFY OK : depth=1
cert. version    : 3
serial number    : 10:00
issuer name      : C=US, ST=State_Of_Abyss, L=Local6667, O=667th_Layer, OU=BlackWidow, CN=FunkPigRoot, emailAddress=dev@null.io
subject name      : C=US, ST=State_Of_Abyss, O=667th_Layer, OU=RedWidow, CN=HoPigInter, emailAddress=dev@null.io
issued  on        : 2018-01-13 19:17:39
expires on        : 2028-01-11 19:17:39
signed using      : RSA with SHA-512
RSA key size      : 4096 bits
basic constraints : CA=true, max_pathlen=0
key usage        : Digital Signature, Key Cert Sign, CRL Sign

2018-01-13 17:51:18 VERIFY OK : depth=0
cert. version    : 3
serial number    : 10:00
issuer name      : C=US, ST=State_Of_Abyss, O=667th_Layer, OU=RedWidow, CN=HoPigInter, emailAddress=dev@null.io
subject name      : C=US, ST=State_Of_Abyss, L=Local6667, O=667th_Layer, OU=ClearWidow, CN=SallyHogServer, emailAddress=dev@null.io
issued  on        : 2018-01-13 19:26:24
expires on        : 2019-01-23 19:26:24
signed using      : RSA with SHA-512
RSA key size      : 4096 bits
basic constraints : CA=false
cert. type        : SSL Server
key usage        : Digital Signature, Key Encipherment
ext key usage    : TLS Web Server Authentication
The .p12 file is successfully importing the private key and client certificate and is checked along with the profile that is imported.


Re: Verify Error and unknown CA

Post by MisterSurface » Sun Jan 14, 2018 12:39 am

Wow, this happened last time I had an issue too - I figured it out.

Android and Windows must've been filling in the blanks for a bad configuration I had on my server.

The problem was in server.conf; I had a line

ca rootcafile.cert.pem

I needed to have

ca root_and_intermediate_chain.cert.pem

Now it works.
