Use signed certificate

Need help configuring your VPN? Just post here and you'll get that help.

Moderators: TinCanTech

Darkuja
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 03, 2011 9:36 am

Use signed certificate

Post by Darkuja » Mon Oct 03, 2011 9:56 am

Hi

I am actually trying to use our signed certificate for our server. Everyone should be able to log in without any certificate. I've made a test with a self-signed one and it works perfectly. I just put the ca.cert and the .ovpn in the client configuration folder and it's good. I'd like to do the same, but with our certificate now.

Here is my configuration:

port 1194
proto udp
dev tun
ca GeoTrust_Global_CA.cer
cert lafourchette.com.pem
key lafourchette.com.key
dh dh2048.pem
server ***** 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route **** 255.255.254.0"
push "route **** 255.255.255.240"
push "route **** 255.255.255.240"
push "dhcp-option DOMAIN ****.lan"
push "dhcp-option DNS ****"
push "dhcp-option DNS ****"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
client-cert-not-required

Here is a log from the client:

Mon Oct 03 11:23:27 2011 Restart pause, 2 second(s)
Mon Oct 03 11:23:29 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Oct 03 11:23:29 2011 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Mon Oct 03 11:23:29 2011 Re-using SSL/TLS context
Mon Oct 03 11:23:29 2011 LZO compression initialized
Mon Oct 03 11:23:29 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Oct 03 11:23:29 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Oct 03 11:23:29 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 03 11:23:29 2011 Local Options hash (VER=V4): '41690919'
Mon Oct 03 11:23:29 2011 Expected Remote Options hash (VER=V4): '530fdded'
Mon Oct 03 11:23:29 2011 UDPv4 link local: [undef]
Mon Oct 03 11:23:29 2011 UDPv4 link remote: ****:1194
Mon Oct 03 11:23:29 2011 TLS: Initial packet from ****:1194, sid=13fe57af 03535ce2
Mon Oct 03 11:23:30 2011 VERIFY OK: depth=2, /C=US/O=GeoTrust_Inc./CN=GeoTrust_Global_CA
Mon Oct 03 11:23:30 2011 VERIFY OK: depth=1, /C=US/O=GeoTrust__Inc./CN=RapidSSL_CA
Mon Oct 03 11:23:30 2011 VERIFY nsCertType ERROR: /serialNumber=CakKRQGp02EewpGOLxx-r1QLXGaGl60Q/C=FR/O=_.lafourchette.com/OU=GT72845239/OU=See_www.rapidssl.com/resources/cps__c_11/OU=Domain_Control_Validated_-_RapidSSL_R_/CN=_.lafourchette.com, require nsCertType=SERVER
Mon Oct 03 11:23:30 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Oct 03 11:23:30 2011 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 03 11:23:30 2011 TLS Error: TLS handshake failed
Mon Oct 03 11:23:30 2011 TCP/UDP: Closing socket
Mon Oct 03 11:23:30 2011 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 03 11:23:30 2011 Restart pause, 2 second(s)

I probably missed something here, but can't see what :(

Any advice?
Last edited by Darkuja on Mon Oct 03, 2011 12:49 pm, edited 1 time in total.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Use signed certificate

Post by janjust » Mon Oct 03, 2011 11:45 am

you've built your server cert using
./build-key <server>
or something similar yet your client expects the certificate to have a Netscape "server" attribute:
VERIFY nsCertType ERROR: /serialNumber=CakKRQGp02EewpGOLxx-r1QLXGaGl60Q/C=FR/O=_.lafourchette.com/OU=GT72845239/OU=See_www.rapidssl.com/resources/cps__c_11/OU=Domain_Control_Validated_-_RapidSSL_R_/CN=_.lafourchette.com, require nsCertType=SERVER
either generate a certificate that has this attribute (e.g. using './build-key-server') or remove the line

ns-cert-type server
from the client config.

Darkuja
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 03, 2011 9:36 am

Re: Use signed certificate

Post by Darkuja » Mon Oct 03, 2011 12:14 pm

Hmm...

Maybe I wasn't clear. The certificate has been issued by a trusted CA (RapidSSL) and is not self-signed.
I can't use ./build-key-server since I didn't generate the certificate, and there is no "ns-cert-type server" in the client configuration.

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Use signed certificate

Post by janjust » Mon Oct 03, 2011 12:31 pm

Please post the client config - I just tried connecting to your server and did not get any SSL errors from the server (of course, the server did not accept me, but that's a different matter).

Darkuja
OpenVpn Newbie
Posts: 3
Joined: Mon Oct 03, 2011 9:36 am

Re: Use signed certificate

Post by Darkuja » Mon Oct 03, 2011 12:48 pm

My bad. When I stripped off the comments, I noticed the "ns-cert-type server" line. I failed my ctrl-f.
This was solved when I removed it.

Is this still as secure as before?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Use signed certificate

Post by janjust » Mon Oct 03, 2011 8:45 pm

'ns-cert-type server' serves as an extra precaution so that your vpn clients will only connect to a machine that has a server certificate; the 'ns-cert-type' attribute is a little out of date, newer server-only certificates have a different attribute set. You can check for the existence of this attribute using

remote-cert-tls server
(openvpn 2.1+)
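As an added example (not the thread's own config, nor OpenVPN project code), the two checks janjust contrasts, run with the openssl CLI against two constructed self-signed certs: one carrying the extendedKeyUsage serverAuth that 'remote-cert-tls server' looks for, the other carrying only the legacy nsCertType=server attribute that 'ns-cert-type server' looks for. A CA-issued web cert like the RapidSSL one in the log normally has the first and not the second, which is exactly why the old check rejected it. The cert names and extension section names are assumptions.

```shell
#!/bin/sh
# Added demo (not from the thread): mint one cert with the modern server EKU
# and one with only the legacy nsCertType=server attribute, then apply the
# two checks OpenVPN offers. Needs the openssl CLI; names are constructed.
set -e
WORK=$(mktemp -d)

cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ modern_server ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ legacy_server ]
nsCertType = server
EOF

# mint_cert <name> <ext-section>: 1-day self-signed test cert, prints its path
mint_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1.example" \
    -config "$WORK/ext.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
  echo "$WORK/$1.crt"
}

# What 'remote-cert-tls server' looks for: the TLS Web Server Authentication EKU
has_server_eku() {
  if openssl x509 -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
  then echo yes; else echo no; fi
}

# What 'ns-cert-type server' looks for: the Netscape "SSL Server" flag
has_ns_server_type() {
  if openssl x509 -in "$1" -noout -text | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
  then echo yes; else echo no; fi
}

MODERN=$(mint_cert modern modern_server)
LEGACY=$(mint_cert legacy legacy_server)
for c in "$MODERN" "$LEGACY"; do
  echo "$(basename "$c"): EKU serverAuth=$(has_server_eku "$c") nsCertType server=$(has_ns_server_type "$c")"
done
```

Run the same has_server_eku check against a real server cert (openssl x509 -in lafourchette.com.pem -noout -text) before switching a client config from 'ns-cert-type server' to 'remote-cert-tls server'.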
