Inline cert/key woes.

Official client software for OpenVPN Access Server and OpenVPN Cloud.
damienh
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 07, 2021 2:54 pm

Inline cert/key woes.

Post by damienh » Wed Dec 08, 2021 11:16 am

Hi, I'm trying to set up a config with inline everything for the purposes of the iOS client. After some IRC help I managed to get the inline strings of keys and certificates, so I copied the output of openssl base64 -in file.crt/key/pem to a structure similar to this example. I checked and I copied it correctly and I can't find any issues with the tags, but I'm still getting:


OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

The config looks like this:


tls-client
dev tun
remote vpn.server.com
proto udp
port 1194
pull
#tls-cipher "DEFAULT:@SECLEVEL=0"
comp-lzo
verb 5
resolv-retry infinite
nobind
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
LS0tLS1C[...]tLS0tLQ0K
-----END CERTIFICATE-----
</ca>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
Iw0KIy[...]LS0tLQ0K
-----END OpenVPN Static key V1-----
</tls-auth>

<key>
-----BEGIN RSA PRIVATE KEY-----
LS0tLS1[...]ktLS0tLQo=
-----END RSA PRIVATE KEY-----
</key>

<cert>
-----BEGIN CERTIFICATE-----
Q2VydGl[...]RS0tLS0tCg==
-----END CERTIFICATE-----
</cert>

I guess the problem is with the .pem file used in <ca>? I was also getting these before I started playing with the "DEFAULT:@SECLEVEL=0" line; for some reason I'm not getting them anymore:


OpenSSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

Oh, and the iOS OpenVPN Connect client throws out just a nonspecific "parse_hex_error".

Any help is appreciated!

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Inline cert/key woes.

Post by openvpn_inc » Sat Dec 11, 2021 10:03 pm

Hello damienh,

Sounds to me like you somehow managed to make your certificate/key into a format OpenVPN doesn't expect.

If you currently have a config file and a separate certificate or key file, don't use OpenSSL to do anything with that separate certificate or key file. Just open the certificate or key in a text editor. Copy/paste that content. Then open the config file. And paste the content in your clipboard in between the <ca></ca> or <cert></cert> or <key></key> etc. blocks.

If things still break you should take another careful look at your keys/certificates as they are apparently in a format OpenVPN doesn't expect.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
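The failure described in this thread is a double encoding: the files were already PEM (base64 DER between BEGIN/END markers), and running them through `openssl base64` again produced base64 of the PEM text. The fragments in the original post show it: "LS0tLS1C" decodes to "-----B", "Q2VydGl" to "Certi", and "Iw0KIy" to "#\r\n#" (the comment header of a ta.key file). A double-encoded <ca> or <cert> body decodes to ASCII text rather than a DER SEQUENCE, which is what the "bad base64 decode" / "wrong tag" errors mean, and a <tls-auth> body must be hex, not base64, which is why the iOS client reports "parse_hex_error". The script below is an added example, not code from the thread or from OpenVPN Inc.: it parses the inline blocks of a client profile, classifies each PEM body, and rewrites any double-encoded block back to the PEM it contains. The profile, the 5-byte DER SEQUENCE standing in for a certificate, and the static key are all constructed sample data; the DER check is a header/length sanity check, not a full X.509 parse.

```python
"""Sanity-check inline <ca>/<cert>/<key>/<tls-auth> blocks in an OpenVPN profile.

Added example (not from the forum thread or from OpenVPN Inc.). It detects the
mistake discussed above: PEM text that was base64-encoded a second time with
`openssl base64`, and a tls-auth key that is not hex.
"""
import base64
import binascii
import re
import textwrap

INLINE_RE = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>\s*(.*?)\s*</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)
STATIC_KEY_LABEL = "OpenVPN Static key V1"


def der_length_ok(raw: bytes) -> bool:
    """True if raw is one DER SEQUENCE whose encoded length matches the data.

    Heuristic only: enough to tell DER from ASCII text, not an X.509 parser.
    """
    if len(raw) < 2 or raw[0] != 0x30:
        return False
    first = raw[1]
    if first < 0x80:                       # short-form length
        return len(raw) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(raw) < 2 + n:
        return False
    return len(raw) == 2 + n + int.from_bytes(raw[2:2 + n], "big")


def check_pem(label: str, body: str) -> str:
    """Classify a PEM body: ok, double-encoded, bad-base64, bad-hex or not-der."""
    compact = "".join(body.split())
    if label == STATIC_KEY_LABEL:
        # OpenVPN static keys are hex (256 bytes = 512 hex digits), not base64.
        if re.fullmatch(r"[0-9A-Fa-f]+", compact) and len(compact) % 2 == 0:
            return "ok"
    try:
        raw = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return "bad-hex" if label == STATIC_KEY_LABEL else "bad-base64"
    if b"-----BEGIN" in raw:               # base64 of a PEM/key file: encoded twice
        return "double-encoded"
    if label == STATIC_KEY_LABEL:
        return "bad-hex"
    return "ok" if der_length_ok(raw) else "not-der"


def check_profile(text: str) -> dict:
    """Map every inline tag in the profile to its verdict ('no-pem' if none found)."""
    verdicts = {}
    for tag, content in INLINE_RE.findall(text):
        m = PEM_RE.search(content)
        verdicts[tag] = check_pem(m.group(1), m.group(2)) if m else "no-pem"
    return verdicts


def unwrap_double_encoded(text: str) -> str:
    """Replace each double-encoded block with the PEM it decodes to (CRLF normalised)."""
    def fix(match):
        tag, content = match.group(1), match.group(2)
        m = PEM_RE.search(content)
        if m and check_pem(m.group(1), m.group(2)) == "double-encoded":
            inner = base64.b64decode("".join(m.group(2).split())).decode("ascii")
            content = inner.replace("\r\n", "\n").strip()
        return f"<{tag}>\n{content}\n</{tag}>"
    return INLINE_RE.sub(fix, text)


# Constructed sample data (hypothetical host name, toy DER, toy static key).
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"  # SEQUENCE{INTEGER 1}
DOUBLE_BODY = "\n".join(textwrap.wrap(  # what `openssl base64 -in ca.crt` would print
    base64.b64encode(GOOD_PEM.replace("\n", "\r\n").encode()).decode(), 64))
STATIC_KEY_HEX = "\n".join(("%02x" % i) * 16 for i in range(16))  # 16 lines x 32 hex digits
SAMPLE_PROFILE = f"""client
dev tun
remote vpn.example.invalid 1194 udp
<ca>
-----BEGIN CERTIFICATE-----
{DOUBLE_BODY}
-----END CERTIFICATE-----
</ca>
<cert>
{GOOD_PEM.strip()}
</cert>
<tls-auth>
-----BEGIN {STATIC_KEY_LABEL}-----
{STATIC_KEY_HEX}
-----END {STATIC_KEY_LABEL}-----
</tls-auth>
"""

if __name__ == "__main__":
    for tag, verdict in check_profile(SAMPLE_PROFILE).items():
        print(f"{tag:>9}: {verdict}")
    print(check_profile(unwrap_double_encoded(SAMPLE_PROFILE)))
```

Run it against a real .ovpn by passing the file contents to `check_profile`; a block reported as "double-encoded" is exactly the case Johan describes, and the fix is to paste the original file text, not `openssl base64` output, between the tags. A "not-der" verdict on a <ca> or <cert> usually means the file was `openssl x509 -text` output (human-readable dump followed by the PEM) or some other non-PEM format, which also trips OpenSSL's ASN.1 "wrong tag" error.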

damienh
OpenVpn Newbie
Posts: 2
Joined: Tue Dec 07, 2021 2:54 pm

Re: Inline cert/key woes.

Post by damienh » Sun Dec 12, 2021 2:55 pm

Oh I see, perfect! It's working now. I had to replace all of those certificate strings though.

Sorry, I was following this man page and maybe I just misunderstood it.
