How to ask for cert password on Client?

jsarachaga
OpenVpn Newbie
Posts: 3
Joined: Mon Nov 28, 2022 6:27 pm

How to ask for cert password on Client?

Post by jsarachaga » Tue Nov 29, 2022 8:25 pm

Hello everyone

I'm fooling around with the easy-rsa pass option, that is, when I generate a client certificate on the server instead of using
./easyrsa build-client-full VPNCLIENT nopass

I switched to "pass", and it asked for a passphrase when creating it and everything finished OK.

I used this new certificate on the client and when I try to connect I get this error. I know that's because of the missing passphrase, but I don't know how to make the GUI Client ask for it...
...
2022-11-29 13:47:48 Restart pause, 5 second(s)
2022-11-29 13:47:53 OpenSSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2022-11-29 13:47:53 OpenSSL: error:0D06C03A:asn1 encoding routines:asn1_d2i_ex_primitive:nested asn1 error
2022-11-29 13:47:53 OpenSSL: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2022-11-29 13:47:53 OpenSSL: error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib
2022-11-29 13:47:53 Cannot load private key file [[INLINE]]
2022-11-29 13:47:53 SIGUSR1[soft,private-key-password-failure] received, process restarting
2022-11-29 13:47:53 MANAGEMENT: >STATE:1669751273,RECONNECTING,private-key-password-failure,,,,,
2022-11-29 13:47:53 Restart pause, 5 second(s)
2022-11-29 13:47:56 SIGTERM[hard,init_instance] received, process exiting
2022-11-29 13:47:56 MANAGEMENT: >STATE:1669751276,EXITING,init_instance,,,,,

Probably I'm misunderstanding the pass/nopass parameter, but what I'm trying to accomplish is to protect the config file in case of physical tampering, where if you don't have the password the client config file is useless.

Regards

Pippin
Forum Team
Posts: 1200
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: How to ask for cert password on Client?

Post by Pippin » Tue Nov 29, 2022 8:47 pm

Hi,

Looks like you need --askpass, it's described in the manual:
https://build.openvpn.net/man/openvpn-2 ... vpn.8.html
.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp


Re: How to ask for cert password on Client?

Post by jsarachaga » Tue Nov 29, 2022 9:11 pm

Thanks Pippin

I added "askpass" in the config file just before the certificates. It asks for a password but the error remains the same. I'm not sure if I need to tell the script to use that password as a cert password?


Re: How to ask for cert password on Client?

Post by Pippin » Tue Nov 29, 2022 9:35 pm

Which GUI version is this?


Re: How to ask for cert password on Client?

Post by jsarachaga » Tue Nov 29, 2022 10:41 pm



Re: How to ask for cert password on Client?

Post by Pippin » Wed Nov 30, 2022 5:40 pm

Hi,

Looks like something wrong with the configuration file's formatting.
You use inline files, make sure to use a 'unix line ending' capable editor.
If on Windows you can try Notepad++ (set it to unix line endings)
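
An added example, not part of any post in this thread and not OpenVPN project code: a small Python check for the two things discussed above, namely whether the inline <key> block of a client profile is passphrase-protected and whether the file uses non-Unix line endings. The function name audit_ovpn and the sample profile are constructed for illustration; the key body is a placeholder, not a real key.

```python
import re

# PKCS#8 encrypted keys carry their own PEM label; legacy OpenSSL keys keep
# the plain label and add a "Proc-Type: 4,ENCRYPTED" header instead.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.*?)-----END ([A-Z ]*PRIVATE KEY)-----", re.S)

def audit_ovpn(text):
    """Report line endings, askpass use and inline <key> protection of a profile."""
    report = {
        "crlf_lines": text.count("\r\n"),
        "bare_cr": len(re.findall(r"\r(?!\n)", text)),
    }
    unix = text.replace("\r\n", "\n").replace("\r", "\n")
    # Directives are only looked for outside inline <tag>...</tag> blocks.
    outside = re.sub(r"(?s)<(\w[\w-]*)>.*?</\1>", "", unix)
    report["askpass"] = any(
        line.split()[:1] == ["askpass"] for line in outside.splitlines()
    )
    block = re.search(r"<key>(.*?)</key>", unix, re.S)
    if not block:
        report["key"] = "no inline key"
        return report
    pem = PEM_RE.search(block.group(1))
    if not pem or pem.group(1) != pem.group(3):
        report["key"] = "malformed PEM"
    elif pem.group(1) == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in pem.group(2):
        report["key"] = "passphrase-protected"
    else:
        report["key"] = "unencrypted"
    return report

# Constructed sample profile (not from the thread), saved with CRLF endings.
SAMPLE = "\r\n".join([
    "client",
    "remote vpn.example.test 1194",
    "askpass",
    "<key>",
    "-----BEGIN ENCRYPTED PRIVATE KEY-----",
    "Q09OU1RSVUNURUQ=",
    "-----END ENCRYPTED PRIVATE KEY-----",
    "</key>",
    "",
])

if __name__ == "__main__":
    print(audit_ovpn(SAMPLE))
```

A non-zero crlf_lines or bare_cr count means the profile was saved with Windows or old Mac line endings and is worth re-saving with Unix line endings before retesting.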
