I'm trying to set up OpenVPN with a Root and Intermediate CA on Ubuntu 18.04 (OpenVPN 2.4.8, OpenSSL 1.1.1). I have a Root CA, an Intermediate CA signed by the Root, and Server and Client certs signed by the Intermediate. I have read https://community.openvpn.net/openvpn/w ... ate_Chains , but the biggest difference in my setup versus the example is that the server cert is not signed by the Root CA, it is signed by the Intermediate.
My server.conf file contains:
Code:
port 1194
proto udp
dev tun
tls-server
tls-version-min 1.2
ca /etc/openvpn/tls/ca.pem
cert /etc/openvpn/tls/fullchain.pem
key /etc/openvpn/tls/key.pem
dh none # elliptic curves are being used
Code:
- intermediate CA
- root CA
Code:
- server cert
- intermediate CA
- root CA
Code:
ca client-ca.pem
cert client-fullchain.pem
key client-key.pem
Code:
- intermediate CA
- root CA
Code:
- client cert
- intermediate CA
- root CA
Code:
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 VERIFY ERROR: depth=2, error=unable to get issuer certificate: <ROOT CA>
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS_ERROR: BIO read tls_read_plaintext error
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS Error: TLS object -> incoming plaintext read error
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS Error: TLS handshake failed
Code:
root@openvpn01 [seed] [.../openvpn/tls]
# openssl verify -CAfile ca.pem client-fullchain.pem
client-fullchain.pem: OK
Thank you!
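An added example, not from the post above: it builds a constructed Root CA / Intermediate CA / client certificate PKI with EC keys, assembles the same two bundles the post describes (ca.pem = intermediate + root, fullchain.pem = cert + intermediate + root), and reports the depth at which `openssl verify` stops, which is the same depth= number the OpenVPN log prints. The CA names and the unrelated second root ("other-root") are placeholders chosen for the demonstration.

```shell
#!/bin/sh
# Added example (constructed PKI, not the poster's files): Root -> Intermediate -> client,
# then openssl verify with a trust store and, optionally, the chain a peer would send.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so the commands do not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# issue NAME SIGNER EXTFILE: EC key + CSR, signed by SIGNER (self-signed when SIGNER is empty).
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$1.key"
  openssl req -new -config req.cnf -key "$1.key" -subj "/CN=Example $1" -out "$1.csr"
  if [ -z "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -sha256 -extfile "$3" -out "$1.pem"
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 2 -sha256 -extfile "$3" -out "$1.pem"
  fi 2>/dev/null
}
issue root "" ca.ext                # the Root CA
issue intermediate root ca.ext      # Intermediate CA signed by the Root
issue client intermediate leaf.ext  # client cert signed by the Intermediate
issue other-root "" ca.ext          # unrelated root, stands in for a ca.pem holding the wrong root

cat intermediate.pem root.pem > ca.pem                     # server-side trust store, as in the post
cat client.pem intermediate.pem root.pem > fullchain.pem   # chain the client presents

# verify_leaf STORE UNTRUSTED LEAF: trust store plus the chain the peer sends (may be empty).
verify_leaf() {
  if [ -n "$2" ]; then openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1
  else openssl verify -CAfile "$1" "$3" 2>&1; fi
}

# failing_depth STORE UNTRUSTED LEAF: prints "ok", or the depth at which openssl verify
# stopped (0 = leaf, 1 = intermediate, 2 = root), matching OpenVPN's "depth=N" log field.
failing_depth() {
  out=$(verify_leaf "$@") && { echo ok; return 0; }
  echo "$out" | sed -n 's/.*error [0-9]* at \([0-9]*\) depth lookup.*/\1/p' | head -n 1
}

echo "store=ca.pem, leaf only:           $(failing_depth ca.pem '' client.pem)"
echo "store=ca.pem, chain from peer:     $(failing_depth ca.pem fullchain.pem client.pem)"
echo "store=other-root, chain from peer: $(failing_depth other-root.pem fullchain.pem client.pem)"
echo "store=other-root, leaf only:       $(failing_depth other-root.pem '' client.pem)"
```

`openssl verify` checks only the first certificate in the file it is given, so `openssl verify -CAfile ca.pem client-fullchain.pem` tests the client cert against the local ca.pem; the `-untrusted` form is closer to what the server does, which is to trust only its own ca.pem and treat the chain sent by the client as untrusted input.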