Unable to get Issuer Certificate with CA Chain

ionstream
OpenVpn Newbie
Posts: 2
Joined: Wed Mar 18, 2020 12:22 am

Unable to get Issuer Certificate with CA Chain

Post by ionstream » Wed Mar 18, 2020 12:54 am

Hello VPN folks,

I'm trying to set up OpenVPN with a Root and Intermediate CA on Ubuntu 18.04 (OpenVPN 2.4.8, OpenSSL 1.1.1). I have a Root CA, an Intermediate CA signed by the Root, and Server and Client certs signed by the Intermediate. I have read https://community.openvpn.net/openvpn/w ... ate_Chains , but the biggest difference in my setup versus the example is that the server cert is not signed by the Root CA, it is signed by the Intermediate.

My server.conf file contains:

port 1194
proto udp
dev tun
tls-server
tls-version-min 1.2

ca /etc/openvpn/tls/ca.pem
cert /etc/openvpn/tls/fullchain.pem
key /etc/openvpn/tls/key.pem
dh none  # elliptic curves are being used

Where ca.pem is:

- intermediate CA
- root CA

fullchain.pem is:

- server cert
- intermediate CA
- root CA

The client is configured with the same setup:

ca client-ca.pem
cert client-fullchain.pem
key client-key.pem

Where the client-ca.pem is:

- intermediate CA
- root CA

client-fullchain.pem is:

- client cert
- intermediate CA
- root CA

When connecting, the following error is logged on the server:

Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 VERIFY ERROR: depth=2, error=unable to get issuer certificate: <ROOT CA>
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS_ERROR: BIO read tls_read_plaintext error
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS Error: TLS object -> incoming plaintext read error
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS Error: TLS handshake failed

The client fullchain seems to be signed correctly, verified by openssl verify:

root@openvpn01 [seed] [.../openvpn/tls]
# openssl verify -CAfile ca.pem client-fullchain.pem
client-fullchain.pem: OK

Can I get some guidance as to what I might be doing wrong?

Thank you!

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: Unable to get Issuer Certificate with CA Chain

Post by TinCanTech » Wed Mar 18, 2020 12:52 pm

ionstream wrote:
Wed Mar 18, 2020 12:54 am
Can I get some guidance as to what I might be doing wrong?
ionstream wrote:
Wed Mar 18, 2020 12:54 am
When connecting, the following error is logged on the server:
  • VERIFY ERROR: depth=2, error=unable to get issuer certificate: <ROOT CA>
Your server does not have access to the ROOT CA.

My guess would be that you have created your certificates incorrectly in the first place
or chained the certificates incorrectly.
ionstream wrote:
Wed Mar 18, 2020 12:54 am
the biggest difference in my setup versus the example is that the server cert is not signed by the Root CA, it is signed by the Intermediate
Because you are not following the documented method, if you require further assistance then you can contact me personally on tincanteksup <at> gmail (Fees will apply)

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Unable to get Issuer Certificate with CA Chain

Post by 300000 » Fri Mar 20, 2020 11:23 am

You need to combine the public key of the root CA and the public key of the intermediate CA into one new PEM key so the OpenVPN client can authenticate.

Create a new key, open the root CA public key and the intermediate CA public key, and just copy the TEXT inside each key and paste it into the new key.

-----BEGIN CERTIFICATE-----
copy the TEXT and put it in here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
....
Omitted for brevity
....
u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgIETA6MOTANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
....
Omitted for brevity
....
mWEn7kVuxzn/9sWL4Mt8ih7VegcxKlJcOlAZOKlE+jyoz+95nWrZ5S6hjyko1+yq
wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
-----END CERTIFICATE-----

After combining the ASCII data into one file, verify the validity of the certificate chain for its usage:

openssl verify -verbose -purpose sslserver -CAfile CAchain.pem name.pem
Last edited by Pippin on Fri Mar 20, 2020 1:18 pm, edited 1 time in total.
Reason: Formatting
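Added example, not from any post in this thread: a shell script that builds a throwaway Root -> Intermediate -> Server chain and runs the same `openssl verify` check that ionstream's first post and 300000's reply use, once against a CA file that lacks the root (which reproduces the "unable to get issuer certificate" lookup failure) and once against the combined intermediate+root file. Every name, file name and the demo openssl config below is made up for the demonstration; it needs only the openssl command-line tool.

```shell
# Added example, not from any post above: make a throwaway Root -> Intermediate -> Server
# chain, then run the same "openssl verify" check as the thread, once with a CA file that
# lacks the root (reproduces "unable to get issuer certificate") and once with the
# combined intermediate+root file. All names, paths and config here are made up.
set -eu
work=$(mktemp -d); cd "$work"

cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
EOF

for n in root int server; do openssl ecparam -genkey -name prime256v1 -noout -out "$n.key"; done
openssl req -x509 -new -key root.key -out root.pem -days 2 -subj "/CN=Demo Root CA" -config ca.cnf
openssl req -new -key int.key -out int.csr -subj "/CN=Demo Intermediate CA" -config ca.cnf
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 2 \
  -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
openssl req -new -key server.key -out server.csr -subj "/CN=vpn.example.test" -config ca.cnf
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial -days 2 \
  -extfile ca.cnf -extensions v3_server -out server.pem 2>/dev/null

# What an OpenVPN "ca" file needs when the signer is an intermediate: both CAs, in one file
cat int.pem root.pem > chain.pem

# Verify cert $3 for purpose $1 (sslserver/sslclient) against CA file $2; exit status = result
chain_ok() { openssl verify -purpose "$1" -CAfile "$2" "$3" >/dev/null 2>&1; }
# Same, but return openssl's text so the failing depth and reason can be read
verify_msg() { openssl verify -purpose "$1" -CAfile "$2" "$3" 2>&1 || true; }
# Subject and issuer DNs, to confirm each link of the chain points at the next cert
subject_of() { openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -noout -issuer  -in "$1" | sed 's/^issuer= *//'; }

echo "server issuer:            $(issuer_of server.pem)"
echo "intermediate only in ca:  $(verify_msg sslserver int.pem server.pem | grep depth)"
echo "intermediate+root in ca:  $(verify_msg sslserver chain.pem server.pem)"
```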

ionstream
OpenVpn Newbie
Posts: 2
Joined: Wed Mar 18, 2020 12:22 am

Re: Unable to get Issuer Certificate with CA Chain

Post by ionstream » Tue Mar 31, 2020 2:16 am

Cool, I'll do a clean test offline. I'm using Vault, so I got around it by just making a new OpenVPN-only Root CA that signs the server and client keys (with different Vault roles). Thanks.
