Unable to get Issuer Certificate with CA Chain

[ionstream]

Hello VPN folks,

I'm trying to set up OpenVPN with a Root and Intermediate CA on Ubuntu 18.04 (OpenVPN 2.4.8, OpenSSL 1.1.1). I have a Root CA, an Intermediate CA signed by the Root, and Server and Client certs signed by the Intermediate. I have read https://community.openvpn.net/openvpn/w ... ate_Chains , but the biggest difference in my setup versus the example is that the server cert is not signed by the Root CA, it is signed by the Intermediate.

My server.conf file contains:

Code: Select all

port 1194
proto udp
dev tun
tls-server
tls-version-min 1.2

ca /etc/openvpn/tls/ca.pem
cert /etc/openvpn/tls/fullchain.pem
key /etc/openvpn/tls/key.pem
dh none  # elliptic curves are being used

Where ca.pem is:

Code: Select all

- intermediate CA
- root CA

fullchain.pem is:

Code: Select all

- server cert
- intermediate CA
- root CA

The client is configured with the same setup:

Code: Select all

ca client-ca.pem
cert client-fullchain.pem
key client-key.pem

Where the client-ca.pem is:

Code: Select all

- intermediate CA
- root CA

client-fullchain.pem is

Code: Select all

- client cert
- intermediate CA
- root CA

When connecting, the following error is logged on the server:

Code: Select all

Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 VERIFY ERROR: depth=2, error=unable to get issuer certificate: <ROOT CA>
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS_ERROR: BIO read tls_read_plaintext error
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS Error: TLS object -> incoming plaintext read error
Mar 18 00:36:53 openvpn01 ovpn-server[24535]: 43.180.71.114:55329 TLS Error: TLS handshake failed

The client fullchain seems to be signed correctly, verified by openssl verify:

Code: Select all

root@openvpn01 [seed] [.../openvpn/tls]
# openssl verify -CAfile ca.pem client-fullchain.pem
client-fullchain.pem: OK

Can I get some guidance as to what I might be doing wrong?

Thank you!

[TinCanTech]

Can I get some guidance as to what I might be doing wrong?

When connecting, the following error is logged on the server:

• VERIFY ERROR: depth=2, error=unable to get issuer certificate: <ROOT CA>

Your server does not have access to the ROOT CA.

My guess would be that you have created your certificates incorrectly in the first place
or chained the certificates incorrectly.

the biggest difference in my setup versus the example is that the server cert is not signed by the Root CA, it is signed by the Intermediate

Because you are not following the documented method, if you require further assistance then you can contact me personally on tincanteksup <at> gmail (Fees will apply)

[300000]

you need to combine public key of the root CA and public key of the intermediate CA into one new pem key so openvpn client can authecation .

create new key , open public key root CA public key and open public key of intermediate CA and just copy from TEXT inside key and paste into new key

Code: Select all

-----BEGIN CERTIFICATE-----
copy  the TEXT  en put it into here 
-----END CERTIFICATE-----

Code: Select all

-----BEGIN CERTIFICATE-----
MIIEKjCCAxKgAwIBAgIEOGPe+DANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
....
Omitted for brevity
....
u/8j72gZyxKTJ1wDLW8w0B62GqzeWvfRqqgnpv55gcR5mTNXuhKwqeBCbJPKVt7+
bYQLCIt+jerXmCHG8+c8eS9enNFMFY3h7CI3zJpDC5fcgJCNs2ebb0gIFVbPv/Er
fF6adulZkMV8gzURZVE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE9TCCA92gAwIBAgIETA6MOTANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML
....
Omitted for brevity
....
mWEn7kVuxzn/9sWL4Mt8ih7VegcxKlJcOlAZOKlE+jyoz+95nWrZ5S6hjyko1+yq
wfsm5p9GJKaxB825DOgNghYAHZaS/KYIoA==
-----END CERTIFICATE-----

After combining the ASCII data into one file, verify validity of certificate chain for usage:

Code: Select all

openssl verify -verbose -purpose sslserver -CAfile CAchain.pem name.pem

-

[ionstream]

Cool I'll do a clean test offline. I'm using Vault so I got around it by just making a new OpenVPN only Root CA that signs the server and client keys (with different vault roles). Thanks.