OpenVPN Connect certificate error

Official client software for OpenVPN Access Server and OpenVPN Cloud.
ScorpionSX
OpenVpn Newbie
Posts: 3
Joined: Tue Jan 22, 2013 7:09 pm

OpenVPN Connect certificate error

Post by ScorpionSX » Tue Jan 22, 2013 7:29 pm

Hi guys, first of all, let me thank you for the official OpenVPN client for iOS, a feature which was really missed! Good job!

Now to my question/problem. I have an IPCop firewall running an OpenVPN server, which works well for all the Windows clients; the firewall provides a GUI to set up the server and also a sort of "all-in-one" ZIP package to copy to clients - it's basically a .ovpn file with a .p12 file for authentication.
Also there are certificates created during the setup of the OpenVPN server.
Now, when I extract this ZIP package to the Windows OpenVPN GUI client, I can connect in one click; all I need is to input the password and that's it. But, when I'm trying to use the same files on my iOS devices (iP4S and iPad 3rd gen, both iOS 6.0.1), I get an error regarding the format of the certificate used, for example:

2013-01-22 20:05:10 ----- OpenVPN Start -----
2013-01-22 20:05:10 EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected [ERR]
2013-01-22 20:05:10 Raw stats on disconnect:
2013-01-22 20:05:10 Performance stats on disconnect:
  CPU usage (microseconds): 11989
  Network bytes per CPU second: 0
  Tunnel bytes per CPU second: 0
2013-01-22 20:05:10 ----- OpenVPN Stop -----
2013-01-22 20:05:10 EVENT: DISCONNECT_PENDING
Basically all I do is import the .p12 file into my iOS Keychain, install it there (it says it's a "certificate") and then select it in the OpenVPN Connect app.
So what am I doing wrong? Please keep in mind that I'm new at this, and this is literally the first time I'm setting something like this up myself (PC or mobile device).

Thanks in advance for reply.

Kind regards,
Roman.

bisko
OpenVpn Newbie
Posts: 4
Joined: Wed Jan 23, 2013 12:14 am

Re: OpenVPN Connect certificate error

Post by bisko » Wed Jan 23, 2013 12:18 am

This also happens when trying to add a VPN on demand through the iPhone Configuration Utility.

There seems to be some general problem with the PKCS#12 format of the certificates. I have tried generating a file with all of ca, cert, key; cert.key combined with defining ca, cert, key properties in the configurable parameters.

There seems to be something missing from the documentation, because even following it letter for letter it doesn't seem to work and it throws the error above.

Also the .p12 files I generated above are not working as separate configurations when importing directly to the iOS device with the appropriate .ovpn config - same error occurs at the moment .p12 file is introduced to the setup.

fsoares
OpenVpn Newbie
Posts: 1
Joined: Wed Jan 23, 2013 12:10 pm

Re: OpenVPN Connect certificate error

Post by fsoares » Wed Jan 23, 2013 12:15 pm

Hi guys,

Same problem here. It works fine for Windows computers and GuizmOVPN for iOS, but I can't make it work with the official OpenVPN app.

Regards,
Felipe

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: OpenVPN Connect certificate error

Post by jamesyonan » Thu Jan 24, 2013 12:54 am

My guess is that there is something in the certificate that PolarSSL doesn't like. If you don't mind emailing us the certificate ( ios@openvpn.net ), we can take a look at it.

The iOS client uses PolarSSL (instead of OpenSSL) because it's lightweight and more suitable for mobile, however PolarSSL hasn't been used with OpenVPN as extensively as OpenSSL, so it's possible there are subtle differences in certificate support.

James

ScorpionSX
OpenVpn Newbie
Posts: 3
Joined: Tue Jan 22, 2013 7:09 pm

Re: OpenVPN Connect certificate error

Post by ScorpionSX » Thu Jan 24, 2013 6:25 am

E-mail sent. Thanks for looking into this issue, I hope we (or probably mostly you) can come up with some solution.

Roman

berndi74
OpenVpn Newbie
Posts: 1
Joined: Thu Jan 24, 2013 8:21 am

Re: OpenVPN Connect certificate error

Post by berndi74 » Thu Jan 24, 2013 8:28 am

Hi,

I have the same problem too.
Tried it with SCEP and p12 files; I always get the parsing error.

Regards,
bernd

fregatte
OpenVpn Newbie
Posts: 6
Joined: Thu Jan 24, 2013 4:27 pm

Re: OpenVPN Connect certificate error

Post by fregatte » Thu Jan 24, 2013 4:36 pm

I had the same issue.

What finally worked was keeping (additionally) the ca.crt in the xxx.ovpn file in plain text at the bottom (with <ca> ... </ca>) and importing the client.key and client.crt via one xxx.p12 file (I also let the ca.crt data stay within the .p12), so that these files are accessible via the keychain.

Hope this might work for others as well.

fregatte :P :P :P

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: OpenVPN Connect certificate error

Post by jamesyonan » Fri Jan 25, 2013 7:54 am

Right, make sure to include a ca directive in your profile, even if you are using a PKCS#12 cert/key pair from the Keychain. On iOS in particular, OpenVPN is NOT able to access the CA list included in PKCS#12 files that were imported into the iOS Keychain.

If the ca directive is not included, you will see errors such as this:
  • PolarSSL: error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected
or
  • PolarSSL: ca certificate is undefined
You can extract the CA list from the PKCS12 file using this openssl command:

openssl pkcs12 -in client.p12 -cacerts -nokeys -out ca.crt

Then add a reference to ca.crt in your profile

ca ca.crt

or expand the certs inline such as

<ca>
[paste contents of ca.crt here]
</ca>

ScorpionSX
OpenVpn Newbie
Posts: 3
Joined: Tue Jan 22, 2013 7:09 pm

Re: OpenVPN Connect certificate error

Post by ScorpionSX » Fri Jan 25, 2013 10:43 am

@jamesyonan
Thanks for your advice, this was perfectly helpful! Now it's working like a charm! Thanks again ;-)

SvenA
OpenVpn Newbie
Posts: 2
Joined: Tue Feb 05, 2013 5:35 pm

Re: OpenVPN Connect certificate error

Post by SvenA » Tue Feb 05, 2013 5:42 pm

Hi!

I had the same error:
certificate : X509 - The certificate format is invalid, e.g. different type expected [ERR]

I configured the connection with the certificate and key stored in the iPhone's certificate storage. In the storage I stored the CA and user certificate separately.

The App tries to check the client certificate but fails, because the CA is missing. Adding the CA to the .ovpn file solved the problem.

I think the App should recognize, if the CA is missing and request the user to select the CA from the storage too.

Regards
Sven

PS: Is there a bug tracker for the iOS Apps?

ffournier
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 06, 2013 4:45 pm

Re: OpenVPN Connect certificate error

Post by ffournier » Wed Feb 06, 2013 5:58 pm

With my whole configuration included in a single .ovpn, the new iOS client gives me the "EVENT: CORE_ERROR PolarSSL: error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected [ERR]" error.

But after moving the <ca>...</ca> block to the end of the file, I stop getting the certificate format error and instead I get a server timeout. On the server side I do see the packets come in on udp 1194, and the logs show these messages for each packet received:
Wed Feb 6 11:19:56 2013 us=266235 Authenticate/Decrypt packet error: packet HMAC authentication failed
Wed Feb 6 11:19:56 2013 us=266313 TLS Error: incoming packet authentication failed from [ip:port]

I tried transferring the .ovpn by e-mail and through Dropbox so I'm confident it's not being mangled. I tried adding padding to the end of the file and in between the different inline certificate & key definitions, no help.

The exact same .ovpn configuration file works with the Windows client 2.3.0 and my colleague with an almost identical file (using his own key basically) can connect using the Android client.

ffournier
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 06, 2013 4:45 pm

Re: OpenVPN Connect certificate error

Post by ffournier » Wed Feb 06, 2013 6:50 pm

And I get the same results now after converting my personal key & crt to a pkcs12 file that I imported to the iPhone's key store, and removing them from the .ovpn file. This time OpenVPN Connect asked me to select the key from a menu when I imported the new .ovpn.

If anyone's interested, the conversion to pkcs12 was done using the following command on the server:

openssl pkcs12 -export -in ffournier3.crt -inkey ffournier3.key -out ffournier3.p12

ffournier
OpenVpn Newbie
Posts: 3
Joined: Wed Feb 06, 2013 4:45 pm

Re: OpenVPN Connect certificate error

Post by ffournier » Wed Feb 06, 2013 7:16 pm

One last thing, I think I'm not getting through because we're using a static key for TLS, defined with a <tls-auth> block in the ovpn, which will only be supported on iOS in the 1.0.1 version which isn't available yet.

So it appears that the whole certificate format error might have been circumvented simply by moving the <ca> block down to the bottom of the .ovpn file. Hope this all helps someone somewhere, as for me I'll wait for 1.0.1 for now.

alxrogan
OpenVpn Newbie
Posts: 2
Joined: Mon Feb 25, 2013 4:26 pm

Re: OpenVPN Connect certificate error

Post by alxrogan » Mon Feb 25, 2013 5:36 pm

First off, I apologize if I'm retreading existing ground, but most of the answers seem to be focused around putting the CA information directly into the client.ovpn file, then using iTunes or e-mail to send the file(s) to the device itself.

What I was trying to do was to use the iPhone Configuration Utility (IPCU) to create a profile to do the same thing, but also allow "Connect on Demand" so that the iPhone could dynamically create a VPN tunnel when certain traffic is detected. When you use the IPCU you essentially recreate the client.ovpn file (as I understand it) using key/value pairs to set the parameters from the client file. Based on this, has anyone been able to insert the CA certificate into the key/value pair and get that to work?

Am I totally off base on this?

Thanks,
Alx

alxrogan
OpenVpn Newbie
Posts: 2
Joined: Mon Feb 25, 2013 4:26 pm

Re: OpenVPN Connect certificate error

Post by alxrogan » Mon Feb 25, 2013 9:50 pm

FYI, I have gotten this working using the iTunes/e-mail client.ovpn method and importing the ca.crt and client.p12 separately. It just seems to be a breakdown in how the IPCU creates the .plist file for OpenVPN so that PolarSSL can recognize the CA cert.

janhoedt
OpenVPN Power User
Posts: 56
Joined: Wed Sep 21, 2011 3:10 pm

Re: OpenVPN Connect certificate error

Post by janhoedt » Tue May 21, 2013 2:00 pm

Great post. However, it doesn't work for me.

I also had GuizmOVPN which worked fine (just a zip on my iOS which contained the ca.crt and configuration.ovpn). I could perfectly connect to my Synology OpenVPN server.
I don't have a p12 file, or don't know where to find it (?!).

I copied the certificate from the ca.crt in my configuration file and imported a .der file (made from ca.crt via the openssl command line, since the iPhone doesn't import a .crt apparently) on my iPhone.
However, I still get the error that PolarSSL cannot see/find the certificate. I also found a post that mentions using "whatever certificate": http://askubuntu.com/questions/250324/s ... -ovpn-file and copied the private key from there (I don't have one). topic12011.html mentions it as well.

Here are combinations I tried, please advise.
Note: I need protocol to be tcp

client
dev tun
tls-client
remote myremoteserver.com 80
comp-lzo
proto tcp-client
<cert>
-----BEGIN CERTIFICATE-----

MIIDTTCCAragAwIBAg ...
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcA ...
-----END PRIVATE KEY-----
</key>
resolv-retry infinite

client
dev tun
nobind
persist-key
persist-tun
auth-user-pass
#tls-auth ta.key 1
#ca ca.crt
proto tcp-client
pull
comp-lzo
verb 4
<cert>
-----BEGIN CERTIFICATE-----
MIIDTTCCAragAwIBAgIJANIHBUe+5iS2MA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD
VQQGEwJUV...-----END CERTIFICATE-----

</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAEC...-----END PRIVATE KEY-----
</key>

remote myserver.com 80

$e§o
OpenVpn Newbie
Posts: 1
Joined: Wed May 29, 2013 2:52 pm

Re: OpenVPN Connect certificate error

Post by $e§o » Wed May 29, 2013 3:07 pm

jamesyonan wrote:Right, make sure to include a ca directive in your profile, even if you are using a PKCS#12 cert/key pair from the Keychain. On iOS in particular, OpenVPN is NOT able to access the CA list included in PKCS#12 files that were imported into the iOS Keychain.

If the ca directive is not included, you will see errors such as this:
  • PolarSSL: error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected
or
  • PolarSSL: ca certificate is undefined
You can extract the CA list from the PKCS12 file using this openssl command:

openssl pkcs12 -in client.p12 -cacerts -nokeys -out ca.crt

Then add a reference to ca.crt in your profile

ca ca.crt

or expand the certs inline such as

<ca>
[paste contents of ca.crt here]
</ca>

Hello... I found this post by surfing the net. It seems that it will resolve my problem; the point is that I cannot understand the process I need to do. I am not really into certificates; I am actually using it on Windows 7 to be able to "open a bridge" towards a particular network and it works. I need to use OpenVPN also with my iPhone/iPad (so with iOS), but I get the "PolarSSL: ca certificate is undefined" error.
I have two files, the first is the .ovpn file (where I think I lack the "ca.crt", I do not know what it is) and the PKCS12 file. Can you support me in extracting the CA list from the PKCS12?

Thank you in advance :)

seriouslywtf
OpenVpn Newbie
Posts: 1
Joined: Thu May 30, 2013 3:23 am

Re: OpenVPN Connect certificate error

Post by seriouslywtf » Thu May 30, 2013 3:34 am

Ok, I'm beat. I keep getting the error "CERT_VERIFY_FAIL PolarSSL: SSL read error : X509 - Certificate verification failed, e.g. CRL, CA, or signature check failed" when I try to connect.

My config file:
client
remote xxx.xxx.xxx 443
dev tun
proto udp
status /var/openvpn/current_status
resolv-retry infinite
ns-cert-type server
topology subnet
verb 5

cipher AES-128-CBC


<ca>
blah
</ca>

<cert>
blah blah
</cert>

<key>
blah blah blah
</key>

nobind
persist-key
persist-tun
comp-lzo

I've been trying to make this work since version 1.0. When I couldn't, I just chalked it up to a bug and patiently waited for 1.0.1. Needless to say, this is driving me nuts now. If it matters any, the OpenVPN server in my setup is my home router running Gargoyle/OpenWRT (Backfire). I did post on both the Gargoyle and OpenWRT forums to no avail (received no responses). Obviously, I'm doing something wrong but I have no idea what that may be.

I've tried embedding all the certs in the .ovpn file, and dropping them into the app (using iTunes) downloaded from the server as/is. Makes no difference which way I try it....connection fails every time.

Much thanks to any kind soul that can get me pointed in the right direction.

D0ckW0rka
OpenVpn Newbie
Posts: 1
Joined: Mon Jun 03, 2013 10:10 am

Re: OpenVPN Connect certificate error

Post by D0ckW0rka » Mon Jun 03, 2013 11:14 am

Hi

and first of all thanks for this app, even if I'm not 100% happy with it as it doesn't seem to work correctly with P12 files.
The mentioned workaround works pretty fine.
Just for info, my working client conf (without server validation) for the iOS app:

client
dev tun
proto tcp
remote server.address port.nr
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
</key>
verb 3
mute 50
tls-client
comp-lzo

Nucleardragon
OpenVpn Newbie
Posts: 8
Joined: Mon Sep 02, 2013 12:05 pm

Re: OpenVPN Connect certificate error

Post by Nucleardragon » Mon Sep 02, 2013 11:13 pm

Hello Guys!

Can somebody tell me whether the iOS OpenVPN / PolarSSL can support SHA512 or only SHA1?
My iPad OpenVPN client does not see the *.p12 certificate (I tried to generate the *.p12 certificate using the RSA private key and a private key in standard format). Perhaps the problem is SHA-512; I have not tried SHA-1 yet, but using SHA-1 is not acceptable for me :(

Do I understand correctly that the private client key file must be in RSA format (-----BEGIN RSA PRIVATE KEY-----)?
That is, I need to convert to the RSA format.
Example:

openssl rsa -in client.key -out client_rsa.key

It is not clear whether the iOS client supports elliptic curves or not.

More information about elliptic curve cryptography in OpenVPN see here:
post32747.html#p32747

In theory PolarSSL supports elliptic curves, see here:
https://polarssl.org/core-features, for example "secp521r1", but how will it work in OpenVPN...?
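The thread never settles which signature hashes or key formats the 2013 iOS client accepts, so the useful first step is to look at what the files actually contain before changing the hash. The following is an added example, not code from the post or from OpenVPN: it generates a throwaway SHA-512-signed certificate with a PKCS#8 key (constructed input), reports the certificate's signature algorithm and the key's PEM wrapper, and performs the post's `openssl rsa` conversion (with the argument spacing fixed) to the traditional PKCS#1 `-----BEGIN RSA PRIVATE KEY-----` form. The CN and file names are assumptions; the `-traditional` fallback is there because OpenSSL 3 writes PKCS#8 by default while 1.1.1 has no such flag and already writes PKCS#1.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a cert/key pair before blaming
# the hash algorithm. Constructed test material only; names are assumptions.
set -eu

# Signature algorithm from the certificate body, e.g. sha512WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# PEM wrapper of a private key. PKCS#8 ("PRIVATE KEY", what "openssl req" writes)
# and PKCS#1 ("RSA PRIVATE KEY") carry the same RSA key; only the envelope differs.
key_pem_type() {
  if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo pkcs1
  elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo pkcs8-encrypted
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
  elif grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$1"; then echo sec1-ec
  else echo unknown; fi
}

# The post's conversion with the spacing fixed. OpenSSL 3 writes PKCS#8 by
# default and needs -traditional to emit PKCS#1; OpenSSL 1.1.1 rejects that flag
# but writes PKCS#1 anyway, hence the fallback.
to_traditional_rsa() {
  openssl rsa -in "$1" -traditional -out "$2" 2>/dev/null \
    || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Throwaway self-signed client cert, signed with SHA-512 (constructed test material).
make_sha512_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha512 -days 1 -subj "/CN=client1" \
    -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  make_sha512_cert "$d"
  echo "cert signed with: $(cert_sig_alg "$d/client.crt")"
  echo "key as written:   $(key_pem_type "$d/client.key")"
  to_traditional_rsa "$d/client.key" "$d/client_rsa.key"
  echo "key converted:    $(key_pem_type "$d/client_rsa.key")"
fi
```

Run it as `sh inspect_key.sh --demo`. Point the two inspection functions at your own client.crt and client.key; if the key already reports `pkcs1`, the conversion from the post changes nothing and the format is not the reason the .p12 is rejected.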
