Certificate Validation Error Using Easy-RSA

Need help configuring your VPN? Just post here and you'll get that help.
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
Post Reply
obnauticus
OpenVpn Newbie
Posts: 1
Joined: Sat Mar 17, 2018 11:26 pm

Certificate Validation Error Using Easy-RSA

Post by obnauticus » Sat Mar 17, 2018 11:40 pm

Hello all,

I've been trying to configure OpenVPN for a while now and I am getting certificate errors. I'm pretty sure I've configured the certificates correctly but I can't tell exactly what the problem is since the error message is ambiguous.

Here my devices:
My OpenVPN "server" is a Mikrotik CRS125-24G-1S running RouterOS 6.40.3. I followed this guide to configure the OVPN server: http://david.kow.is/blog/2016/12/26/mik ... ux-server/
My OpenVPN "client" is a Ubuntu VPS running in RamNode (Linux nightvine 2.6.32-042stab127.2 #1 SMP Thu Jan 4 16:41:44 MSK 2018 x86_64 x86_64 x86_64 GNU/Linux)

Here is the error that my OpenVPN client is complaining about (error in bold):

Code: Select all

Sat Mar 17 19:30:07 2018 us=144316 TCP connection established with [AF_INET]xxx.xxx.xxx.xxx:46603
Sat Mar 17 19:30:07 2018 us=144360 TCPv4_SERVER link local (bound): [undef]
Sat Mar 17 19:30:07 2018 us=144382 TCPv4_SERVER link remote: [AF_INET]xxx.xxx.xxx.xxx:46603
Sat Mar 17 19:30:07 2018 us=144594 TCPv4_SERVER READ [14] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0 DATA len=0
Sat Mar 17 19:30:07 2018 us=144628 TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:46603, sid=6376bfdc 964582da
Sat Mar 17 19:30:07 2018 us=144676 TCPv4_SERVER WRITE [26] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=0 DATA len=0
Sat Mar 17 19:30:07 2018 us=148132 TCPv4_SERVER READ [26] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ 0 ] pid=1 DATA len=0
Sat Mar 17 19:30:07 2018 us=148198 TCPv4_SERVER WRITE [22] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 1 ]
Sat Mar 17 19:30:07 2018 us=257196 TCPv4_SERVER READ [297] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=283
Sat Mar 17 19:30:07 2018 us=271290 TCPv4_SERVER WRITE [1196] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ 2 ] pid=1 DATA len=1170
Sat Mar 17 19:30:07 2018 us=271467 TCPv4_SERVER WRITE [1184] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1170
Sat Mar 17 19:30:07 2018 us=271517 TCPv4_SERVER WRITE [304] to [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=290
Sat Mar 17 19:30:07 2018 us=272576 TCPv4_SERVER READ [22] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 1 ]
Sat Mar 17 19:30:07 2018 us=314180 TCPv4_SERVER READ [22] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 2 ]
Sat Mar 17 19:30:07 2018 us=314261 TCPv4_SERVER READ [22] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_ACK_V1 kid=0 [ 3 ]
Sat Mar 17 19:30:08 2018 us=495465 TCPv4_SERVER READ [1414] from [AF_INET]xxx.xxx.xxx.xxx:46603: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=1400
Sat Mar 17 19:30:08 2018 us=495762 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=server

[b]Sat Mar 17 19:30:08 2018 us=495853 OpenSSL: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
Sat Mar 17 19:30:08 2018 us=495876 TLS_ERROR: BIO read tls_read_plaintext error
Sat Mar 17 19:30:08 2018 us=495897 TLS Error: TLS object -> incoming plaintext read error
Sat Mar 17 19:30:08 2018 us=496017 TLS Error: TLS handshake failed
Sat Mar 17 19:30:08 2018 us=496208 Fatal TLS error (check_tls_errors_co), restarting[/b]

Sat Mar 17 19:30:08 2018 us=496479 TCP/UDP: Closing socket
Sat Mar 17 19:30:08 2018 us=496617 SIGUSR1[soft,tls-error] received, process restarting
Sat Mar 17 19:30:08 2018 us=496650 Restart pause, 1 second(s)
Sat Mar 17 19:30:09 2018 us=497341 Diffie-Hellman initialized with 2048 bit key
Sat Mar 17 19:30:09 2018 us=497569 WARNING: file '/etc/openvpn/nightvine.key' is group or others accessible
Sat Mar 17 19:30:09 2018 us=497869 Control Channel MTU parms [ L:1543 D:1210 EF:40 EB:0 ET:0 EL:3 ]
Sat Mar 17 19:30:09 2018 us=497916 Socket Buffers: R=[174760->174760] S=[174760->174760]
Sat Mar 17 19:30:09 2018 us=497942 Preserving previous TUN/TAP instance: tun1
Sat Mar 17 19:30:09 2018 us=497971 Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:12 ET:0 EL:3 ]
Sat Mar 17 19:30:09 2018 us=498005 Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,ifconfig 10.0.5.3 10.0.5.2,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Sat Mar 17 19:30:09 2018 us=498029 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,ifconfig 10.0.5.2 10.0.5.3,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Sat Mar 17 19:30:09 2018 us=498064 Local Options hash (VER=V4): '013a7c13'
Sat Mar 17 19:30:09 2018 us=498089 Expected Remote Options hash (VER=V4): '42f68198'
Sat Mar 17 19:30:09 2018 us=498113 Listening for incoming TCP connection on [undef]
Sat Mar 17 19:30:10 2018 us=454389 TCP/UDP: Closing socket
Sat Mar 17 19:30:10 2018 us=454738 /sbin/ip route del 10.10.220.0/24
Sat Mar 17 19:30:10 2018 us=457225 Closing TUN/TAP interface
Sat Mar 17 19:30:10 2018 us=457283 /sbin/ip addr del dev tun1 local 10.0.5.2 peer 10.0.5.3

Here is my OpenVPN client configuration:
client

mode p2p
bind
port 1192

proto tcp-server
#float is the default unless --remote is specified
float
dev tun1
#remote-cert-eku "TLS Web Server Authentication"
remote-cert-ku 88
remote-cert-tls server
# this is mine \/ \/ is the client
ifconfig 10.0.5.2 10.0.5.3
persist-tun
# cannot use comp-lzo with the routerboard
# can't use fragment with TCP connections, mssfix should be sufficient
mssfix

# Local route to the home network
route 10.10.220.0 255.255.255.0 vpn_gateway

keepalive 10 60

# 2048 dh params!
dh /etc/openvpn/dh2048.pem

tls-server

# other end CA
ca /etc/openvpn/ca.crt
# My certificate and key
cert /etc/openvpn/nightvine.crt
key /etc/openvpn/nightvine.key

# verify the certificate! only allowing a certificate that matches this CN
verify-x509-name client-cert name


As I said before, I have generated the keys using EasyRSA and correct EKU/KU settings (for server and client):

Code: Select all

--------------------------SERVER CERTIFICATE--------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            db:3c:c9:db:ed:13:13:8a:98:78:f9:bf:e5:00:e4:d5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Obnauticus CA
        Validity
            Not Before: Mar 17 04:05:57 2018 GMT
            Not After : Mar 14 04:05:57 2028 GMT
        Subject: CN=server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:b4:64:33:08:92:0d:4d:c1:d2:25:6a:63:57:53:
                    20:a4:78:fc:4b:1c:8e:a0:8a:82:76:f7:49:94:66:
                    0b:a1:32:5f:81:a9:6c:e6:ab:19:35:c2:f9:e0:4b:
                    5a:78:93:d2:c0:5d:5a:3c:70:14:e3:33:8c:3f:94:
                    28:95:c0:ae:55:db:76:13:dd:fd:4a:b5:19:c7:9f:
                    37:7a:09:4d:f5:f4:45:bd:19:f4:ad:99:9f:32:74:
                    96:2f:8b:f6:0c:0d:b5:7c:f4:c0:90:db:10:01:b0:
                    0b:cd:9f:02:5a:99:07:a7:ba:41:17:55:38:c4:bb:
                    5c:ca:eb:b2:e2:0d:10:42:c9:af:22:2d:4a:ff:8b:
                    f2:1e:cd:30:e8:b3:ba:29:43:af:ab:66:86:88:72:
                    ef:86:79:f9:be:b5:21:5d:ae:ba:c1:9c:bd:ac:c7:
                    bf:21:95:45:e1:05:a8:26:68:c0:1e:a1:cf:7d:1f:
                    10:19:21:d1:ad:62:ef:47:d3:40:2f:45:00:bd:97:
                    17:18:20:91:01:99:dc:d6:37:de:ad:bc:a9:72:ab:
                    3c:af:c3:b5:34:4d:ab:ba:34:fb:b2:4e:25:6a:e2:
                    d2:d4:6c:c0:94:81:bc:a8:83:4d:ac:8a:96:8f:ab:
                    28:e2:9b:f5:96:aa:ae:15:1c:70:14:81:f9:54:eb:
                    6a:27
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                DA:D9:7D:E1:14:4E:54:EB:86:D1:22:93:49:81:97:BC:2C:18:F6:2B
            X509v3 Authority Key Identifier:
                keyid:10:9B:C4:26:94:15:9B:BF:6F:75:EB:6E:34:C5:D0:99:1E:7E:4E:45
                DirName:/CN=Obnauticus CA
                serial:FC:47:68:F4:C6:36:73:FC

[b]            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:server[/b]
    Signature Algorithm: sha256WithRSAEncryption
         aa:9e:2a:6a:62:b3:36:c5:02:99:d2:0b:27:62:bd:e9:92:dd:
         6f:9a:dd:9d:2f:92:ba:14:f7:0c:bb:82:5d:ec:75:ba:01:c0:
         d4:26:ba:c6:de:70:88:bd:41:a7:1c:90:37:80:36:2e:b2:10:
         ae:77:ab:54:02:1d:71:7e:6b:e6:ab:45:cc:a0:56:ff:42:b3:
         4f:33:20:c7:1c:77:9d:08:84:d6:83:68:8c:19:38:76:63:f1:
         6d:2d:3b:6b:e9:84:d4:75:d8:6e:7e:34:76:7f:c9:a4:1d:32:
         6d:fc:e1:2e:a7:ee:7c:bf:4e:64:f9:f6:53:59:c6:d7:2a:bd:
         da:43:ae:cb:62:b3:0a:79:05:af:af:02:fe:c1:17:f4:b5:da:
         f9:da:d9:f9:45:4a:cc:44:01:61:d1:0b:90:f9:d3:22:e3:3f:
         37:dc:48:b9:6e:10:56:72:41:59:28:00:58:46:65:e8:a9:07:
         02:bf:96:5f:a7:6a:93:1e:72:db:0c:fd:8e:be:c1:89:d1:ab:
         da:6c:b2:8a:d3:2d:2f:a1:20:c1:c1:42:e0:51:04:4a:99:63:
         e7:65:8c:70:e8:fb:d5:a7:33:c9:49:94:a8:4a:67:dc:25:84:
         bd:b2:1a:0e:81:ae:93:32:62:64:f1:7d:dc:5f:39:41:8c:62:
         b2:24:b7:af
-----BEGIN CERTIFICATE-----

* REDACTED *

-----END CERTIFICATE-----

--------------------------CLIENT CERTIFICATE--------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ba:d4:68:62:7f:85:9a:f0:96:08:09:85:b7:c7:bb:45
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Obnauticus CA
        Validity
            Not Before: Mar 17 04:06:07 2018 GMT
            Not After : Mar 14 04:06:07 2028 GMT
        Subject: CN=nightvine
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:dc:6d:09:24:41:9d:0c:28:ee:f0:4a:de:6e:ac:
                    e7:80:30:6c:b4:be:5e:f5:24:ec:54:11:ff:22:6b:
                    8e:ef:e2:cb:00:9f:e1:6f:bd:07:bc:e5:83:aa:27:
                    89:20:21:2a:8b:c4:a6:17:90:99:19:ad:b5:60:57:
                    21:ca:16:d7:70:a0:da:3f:2f:a2:cf:24:c2:0b:28:
                    37:88:b8:ae:82:be:67:92:46:bd:e2:f9:f5:71:01:
                    95:c2:13:11:14:34:1d:69:8e:06:4d:db:dc:3c:f8:
                    16:3a:84:d0:ac:76:9e:38:10:39:90:3b:a9:9c:b2:
                    40:50:d2:fc:d8:c1:08:0a:4f:c1:10:76:a2:30:43:
                    77:dc:c6:c2:f5:e7:6d:81:73:7c:8e:c0:52:5d:84:
                    07:4a:bc:10:62:57:22:ba:71:4e:9a:c2:14:cf:ab:
                    02:a4:45:e1:9e:bb:6e:92:6c:e3:e3:20:38:4d:bd:
                    70:68:49:b7:66:18:40:28:e9:0d:09:70:df:85:0d:
                    8a:c5:7f:1c:61:5c:5e:d6:c5:1e:16:de:ed:0e:f8:
                    ea:11:47:8e:3b:47:e8:04:62:79:f1:67:8d:e0:1c:
                    d7:2a:14:3c:2c:b9:af:b6:26:34:00:87:d6:58:19:
                    07:97:16:4d:c8:8b:67:0b:59:97:5a:a0:2c:83:d6:
                    7a:75
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                A7:DE:12:52:50:57:B7:46:F7:AC:93:EA:DC:97:9D:D8:4E:B3:36:89
            X509v3 Authority Key Identifier:
                keyid:10:9B:C4:26:94:15:9B:BF:6F:75:EB:6E:34:C5:D0:99:1E:7E:4E:45
                DirName:/CN=Obnauticus CA
                serial:FC:47:68:F4:C6:36:73:FC

[b]            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature[/b]
    Signature Algorithm: sha256WithRSAEncryption
         54:ed:4f:ce:d7:95:51:d6:93:54:41:d5:d9:89:a5:8d:03:89:
         97:6e:5a:74:7f:76:47:39:70:39:03:bd:0b:1d:25:72:df:31:
         35:49:d4:3c:73:16:20:ae:ed:1b:9c:e6:75:76:cc:3d:bb:68:
         fd:62:fe:3c:af:ff:1f:b1:cd:38:60:e8:9d:62:e7:4f:57:82:
         f9:0a:92:5f:f5:65:1e:59:da:8f:50:56:cd:ca:04:98:19:a5:
         23:8a:50:ec:8c:b3:a2:2c:d2:3e:1b:ac:29:65:94:1a:31:60:
         14:d7:ba:0a:0d:8b:f9:6e:6c:5a:28:ee:ee:da:53:df:92:2d:
         92:42:7d:aa:75:a2:8a:9d:d5:0e:97:26:00:b5:03:e2:f7:ad:
         67:53:0b:0f:b0:a0:48:2f:42:0a:10:07:9d:17:80:cc:4e:c3:
         25:c0:1f:3f:ff:e3:8c:86:40:eb:79:68:e3:47:01:8e:3d:e7:
         e5:f9:3d:4f:f7:45:e5:93:7f:38:a2:fd:06:60:11:82:6e:d6:
         2d:f1:38:07:99:67:8d:c1:55:b9:42:84:82:28:3c:55:48:5a:
         e5:8c:f9:25:04:d5:e9:53:d0:14:c8:a3:e1:68:de:c4:40:f1:
         6b:6e:55:bc:3d:1f:54:2a:91:65:20:98:ad:78:3d:54:3e:68:
         45:5a:a2:83
-----BEGIN CERTIFICATE-----

* REDACTED *

-----END CERTIFICATE-----
I've tested the certificate connection using openssl s_server/s_client and I'm able to get a valid TLSv1.2 session:

s_client -> s_server connection (from s_client perspective):

Code: Select all

$ openssl s_client -msg -verify -tls1_2  -state -showcerts -cert nightvine.crt -key nightvine.key -connect localhost:1112
verify depth is 0
CONNECTED(00000003)
SSL_connect:before/connect initialization
>>> TLS 1.2 Handshake [length 0122], ClientHello
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:unknown state
<<< TLS 1.2 Handshake [length 0042], ServerHello
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server hello A
<<< TLS 1.2 Handshake [length 0382], Certificate
     [REMOVED BECAUSE TOO LARGE]
depth=0 CN = server
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = server
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = server
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_connect:SSLv3 read server certificate A
<<< TLS 1.2 Handshake [length 014d], ServerKeyExchange
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server key exchange A
<<< TLS 1.2 Handshake [length 002a], CertificateRequest
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server certificate request A
<<< TLS 1.2 Handshake [length 0004], ServerHelloDone
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server done A
>>> TLS 1.2 Handshake [length 035f], Certificate
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 write client certificate A
>>> TLS 1.2 Handshake [length 0046], ClientKeyExchange
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 write client key exchange A
>>> TLS 1.2 Handshake [length 0108], CertificateVerify
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 write certificate verify A
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
SSL_connect:SSLv3 write change cipher spec A
>>> TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c 70 ea 66 98 ec 8f 0d 05 f5 0c 12 55
SSL_connect:SSLv3 write finished A
SSL_connect:SSLv3 flush data
<<< TLS 1.2 Handshake [length 040a]???
     [REMOVED BECAUSE TOO LARGE]
SSL_connect:SSLv3 read server session ticket A
<<< TLS 1.2 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c 5c a4 49 1d 67 55 2a ee dc e8 0f 81
SSL_connect:SSLv3 read finished A
---
Certificate chain
 0 s:/CN=server
   i:/CN=Obnauticus CA
-----BEGIN CERTIFICATE-----
 [REMOVED BECAUSE TOO LARGE]
-----END CERTIFICATE-----
---
Server certificate
subject=/CN=server
issuer=/CN=Obnauticus CA
---
No client certificate CA names sent
---
SSL handshake has read 2453 bytes and written 1558 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:  [REMOVED BECAUSE TOO LARGE]
    Session-ID-ctx:
    Master-Key:  [REMOVED BECAUSE TOO LARGE]
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
 [REMOVED BECAUSE TOO LARGE]
    Start Time: 1521329730
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
TEST
s_server -> s_client connection (from s_server perspective):

Code: Select all

$ openssl s_server -msg -verify -tls1_2 -state -cert server.crt -key server.key -accept 1112
verify depth is 0
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
SSL_accept:before/accept initialization
<<< TLS 1.2 Handshake [length 0122], ClientHello
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 read client hello A
>>> TLS 1.2 Handshake [length 0042], ServerHello
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write server hello A
>>> TLS 1.2 Handshake [length 0382], Certificate
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write certificate A
>>> TLS 1.2 Handshake [length 014d], ServerKeyExchange
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write key exchange A
>>> TLS 1.2 Handshake [length 002e], CertificateRequest
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write certificate request A
SSL_accept:SSLv3 flush data
<<< TLS 1.2 Handshake [length 035f], Certificate
    [REMOVED BECAUSE TOO LARGE]
depth=0 CN = nightvine
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = nightvine
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = nightvine
verify error:num=21:unable to verify the first certificate
verify return:1
SSL_accept:SSLv3 read client certificate A
<<< TLS 1.2 Handshake [length 0046], ClientKeyExchange
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 read client key exchange A
<<< TLS 1.2 Handshake [length 0108], CertificateVerify
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 read certificate verify A
<<< TLS 1.2 ChangeCipherSpec [length 0001]
    01
<<< TLS 1.2 Handshake [length 0010], Finished
    14 00 00 0c 70 ea 66 98 ec 8f 0d 05 f5 0c 12 55
SSL_accept:SSLv3 read finished A
>>> TLS 1.2 Handshake [length 040a]???
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write session ticket A
>>> TLS 1.2 ChangeCipherSpec [length 0001]
    01
SSL_accept:SSLv3 write change cipher spec A
>>> TLS 1.2 Handshake [length 0010], Finished
    [REMOVED BECAUSE TOO LARGE]
SSL_accept:SSLv3 write finished A
SSL_accept:SSLv3 flush data
-----BEGIN SSL SESSION PARAMETERS-----
[REMOVED BECAUSE TOO LARGE]
-----END SSL SESSION PARAMETERS-----
Client certificate
-----BEGIN CERTIFICATE-----
[REMOVED BECAUSE TOO LARGE]
-----END CERTIFICATE-----
subject=/CN=nightvine
issuer=/CN=Obnauticus CA
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
TEST

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5127
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate Validation Error Using Easy-RSA

Post by TinCanTech » Sun Mar 18, 2018 9:43 pm

obnauticus wrote:
Sat Mar 17, 2018 11:40 pm
VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=server
obnauticus wrote:
Sat Mar 17, 2018 11:40 pm
I have generated the keys using EasyRSA and correct EKU/KU settings (for server and client)
obnauticus wrote:
Sat Mar 17, 2018 11:40 pm
--------------------------SERVER CERTIFICATE--------------------------
<snip>
(0x10001) X509v3 extensions: Netscape Cert Type: SSL Server
This requires --ns-cert-type client|server DEPRECATED

See --remote-cert-tls & --ns-cert-type in The Manual v24x

You may also find this useful:
https://github.com/OpenVPN/easy-rsa/releases

Post Reply