Problem Authorizing with certificates

AndrewXM
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2011 5:10 am

Problem Authorizing with certificates

Post by AndrewXM » Sun May 22, 2011 10:38 pm

Here's the error I'm getting when trying to authorize using certificates (I was previously using pam_unix authentication, and things were working fine).

I followed https://help.ubuntu.com/community/OpenVPN to generate my SSL certificates.

Code:
Sun May 22 15:32:01 2011 us=334764 ***.***.***.34:55919 Local Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Sun May 22 15:32:01 2011 us=334826 ***.***.***.34:55919 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Sun May 22 15:32:01 2011 us=334913 ***.***.***.34:55919 Local Options hash (VER=V4): '162b04de'
Sun May 22 15:32:01 2011 us=334980 ***.***.***.34:55919 Expected Remote Options hash (VER=V4): '9e7066d2'
Sun May 22 15:32:01 2011 us=335096 ***.***.***.34:55919 TLS: Initial packet from [AF_INET]***.***.***.34:55919, sid=33f0c0e1 13ae1f43
Sun May 22 15:32:01 2011 us=905300 ***.***.***.34:55919 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=US/ST=**/L=***/O=**********_Enterprises/CN=**********_*****_CA/emailAddress=administrator@**********.net
Sun May 22 15:32:01 2011 us=905622 ***.***.***.34:55919 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sun May 22 15:32:01 2011 us=905693 ***.***.***.34:55919 TLS Error: TLS object -> incoming plaintext read error
Sun May 22 15:32:01 2011 us=905693 ***.***.***.34:55919 TLS Error: TLS object -> incoming plaintext read error
Sun May 22 15:32:01 2011 us=905758 ***.***.***.34:55919 TLS Error: TLS handshake failed
Sun May 22 15:32:01 2011 us=905758 ***.***.***.34:55919 TLS Error: TLS handshake failed
Sun May 22 15:32:01 2011 us=905931 ***.***.***.34:55919 SIGUSR1[soft,tls-error] received, client-instance restarting

Server configuration:

Code:

local 0.0.0.0
port 1194
proto udp
dev tun

ca   /etc/openvpn/certs/keys/01.pem
cert /etc/openvpn/certs/keys/server.crt
key  /etc/openvpn/certs/keys/server.key
dh   /etc/openvpn/certs/keys/dh1024.pem

tls-auth /etc/openvpn/certs/keys/ta.key 0
tls-server
;plugin /usr/lib/openvpn/openvpn-auth-pam.so login

cipher AES-256-CBC
client-to-client
comp-lzo
server 10.8.1.0 255.255.255.0
duplicate-cn
keepalive 30 120
max-clients 10
;user nobody
;group nobody
persist-key
persist-tun
log    /var/log/openvpn/server.log
status /var/log/openvpn/server-status.log
verb 4
mute 20

;client-cert-not-required
;username-as-common-name
push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"

Client-wise:

Code:
client
dev tun
proto udp
remote ***.***.***182 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
cipher AES-256-CBC
ca /home/user/.vpn/ca.crt
comp-lzo
verb 4
;auth-user-pass
ipchange /etc/openvpn/add_default_route.sh
script-security 2

cert /home/user/.vpn/client.crt
key /home/user/.vpn/client.key
tls-auth /home/user/.vpn/ta.key 1

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Problem Authorizing with certificates

Post by janjust » Mon May 23, 2011 12:34 am

A self signed certificate error often means that the wrong CA is used to sign a certificate with.
For all practical purposes, the ca.crt file on the client and server needs to be the same - please verify that you have properly generated the CA and client certificates.

AndrewXM
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2011 5:10 am

Re: Problem Authorizing with certificates

Post by AndrewXM » Mon May 23, 2011 1:38 am

I retraced my steps three times, and ended up with the same error.

Following https://help.ubuntu.com/community/OpenVPN :

Code:

# ./build-dh
# ./pkitool --initca
# ./pkitool --server server
# cd keys/
# openvpn --genkey --secret ta.key
# cd ..
# source ./vars
# ./pkitool andrewxm
The sha1sums match for the deployed certificate files between the server and the client.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Problem Authorizing with certificates

Post by janjust » Mon May 23, 2011 8:10 am

post the output of

Code:

openssl x509 -subject -issuer -noout -in andrewxm.crt
openssl x509 -subject -issuer -noout -in ca.crt
openssl verify -CAfile keys/ca.crt andrewxm.crt
that should give a clue whether the certificate path is valid.

AndrewXM
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2011 5:10 am

Re: Problem Authorizing with certificates

Post by AndrewXM » Mon May 23, 2011 3:43 pm

janjust wrote:post the output of

Code:

openssl x509 -subject -issuer -noout -in andrewxm.crt
openssl x509 -subject -issuer -noout -in ca.crt
openssl verify -CAfile keys/ca.crt andrewxm.crt
that should give a clue whether the certificate path is valid.
Looks fine to me..

Code:

# openssl x509 -subject -issuer -noout -in ca.crt
subject= /C=US/ST=WA/L=**********/O=********** **********/CN=********** ********** CA/emailAddress=administrator@**********.net
issuer= /C=US/ST=WA/L=**********/O=********** **********/CN=********** ********** CA/emailAddress=administrator@**********.net

# openssl x509 -subject -issuer -noout -in andrewxm.crt
subject= /C=US/ST=WA/L=**********/O=********** **********/CN=andrewxm/emailAddress=administrator@**********.net
issuer= /C=US/ST=WA/L=**********/O=********** **********/CN=********** ********** CA/emailAddress=administrator@**********.net

# openssl verify -CAfile ca.crt andrewxm.crt
andrewxm.crt: OK

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Problem Authorizing with certificates

Post by janjust » Mon May 23, 2011 3:47 pm

and the last command

Code:

openssl verify -CAfile keys/ca.crt andrewxm.crt
returned 'OK'? Then the client cert is indeed valid.

Make sure this ca.crt certificate is indeed the one configured on the server (check the full path to the ca.crt file on the server config).

AndrewXM
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2011 5:10 am

Re: Problem Authorizing with certificates

Post by AndrewXM » Mon May 23, 2011 3:51 pm

janjust wrote:and the last command

Code:

openssl verify -CAfile keys/ca.crt andrewxm.crt
returned 'OK'? Then the client cert is indeed valid.

Make sure this ca.crt certificate is indeed the one configured on the server (check the full path to the ca.crt file on the server config).
The files' sha1sums match.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Problem Authorizing with certificates

Post by janjust » Mon May 23, 2011 4:15 pm

whoa! just noticed this in your server setup
ca /etc/openvpn/certs/keys/01.pem
that should be

Code:

ca   /etc/openvpn/certs/keys/ca.crt
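As an added example (not code from this thread or from the OpenVPN project), a POSIX shell check for the mistake found here: the server's `ca` directive naming an issued certificate (easy-rsa 2 keeps a copy of each issued cert as keys/NN.pem, so keys/01.pem is the server's own cert) instead of keys/ca.crt. It builds a constructed throw-away PKI with openssl, which it assumes is on PATH, and applies janjust's subject/issuer and `openssl verify` checks to both a correct and a wrong server config.

```shell
#!/bin/sh
# Added example, not from the thread: check that the file an OpenVPN server
# config names in its 'ca' directive really is the CA, and that the server
# certificate chains to it. Assumes openssl on PATH and the 'ca' and 'cert'
# directives each on one line of the config.
set -eu

# check_ca_directive CONFIG: prints "ok" and returns 0, or a diagnosis and 1.
check_ca_directive() {
    conf=$1
    ca=$(awk '$1 == "ca" {print $2}' "$conf")
    cert=$(awk '$1 == "cert" {print $2}' "$conf")
    subj=$(openssl x509 -noout -subject -in "$ca")
    issuer=$(openssl x509 -noout -issuer -in "$ca")
    # A root CA certificate is self-signed: subject and issuer are identical.
    # An issued certificate such as easy-rsa's keys/01.pem fails this test.
    if [ "${subj#subject=}" != "${issuer#issuer=}" ]; then
        echo "BAD: $ca is not a self-signed CA (subject != issuer)"; return 1
    fi
    if ! openssl x509 -noout -text -in "$ca" | grep -q 'CA:TRUE'; then
        echo "BAD: $ca has no basicConstraints CA:TRUE"; return 1
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "BAD: $cert does not verify against $ca"; return 1
    fi
    echo "ok"
}

# make_demo_pki DIR: constructed throw-away CA + server cert, laid out like an
# easy-rsa 2 keys/ directory (01.pem is a copy of the first issued cert).
make_demo_pki() {
    k=$1/keys; mkdir -p "$k"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo CA' \
        -keyout "$k/ca.key" -out "$k/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=server' \
        -keyout "$k/server.key" -out "$k/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$k/server.csr" -CA "$k/ca.crt" \
        -CAkey "$k/ca.key" -CAcreateserial -out "$k/server.crt" 2>/dev/null
    cp "$k/server.crt" "$k/01.pem"
    printf 'ca   %s/ca.crt\ncert %s/server.crt\nkey  %s/server.key\n' \
        "$k" "$k" "$k" > "$1/good.conf"
    printf 'ca   %s/01.pem\ncert %s/server.crt\nkey  %s/server.key\n' \
        "$k" "$k" "$k" > "$1/bad.conf"   # the thread's mistake
}

DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
check_ca_directive "$DEMO/good.conf"         # ok
check_ca_directive "$DEMO/bad.conf" || true  # BAD: .../01.pem is not a self-signed CA ...
```

Run it against a real server config with `check_ca_directive /etc/openvpn/server.conf` after sourcing the functions; the first failing check names the file to fix.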

AndrewXM
OpenVpn Newbie
Posts: 7
Joined: Mon May 16, 2011 5:10 am

Re: Problem Authorizing with certificates

Post by AndrewXM » Mon May 23, 2011 4:36 pm

janjust wrote:whoa! just noticed this in your server setup
ca /etc/openvpn/certs/keys/01.pem
that should be

Code:

ca   /etc/openvpn/certs/keys/ca.crt
Yep, I found that out just a minute ago!
Thanks a lot!
