error=self signed certificate in certificate chain

Scripts to manage certificates or generate config files

georget
OpenVpn Newbie
Posts: 8
Joined: Tue Nov 18, 2014 1:59 pm

error=self signed certificate in certificate chain

Post by georget » Sun Nov 23, 2014 8:20 pm

Hi guys,

:) I am about to lose my mind; how is it possible for my openvpn client to remember old certificates even though I have formatted and reinstalled the server OS, uninstalled the client software and deleted all certificates? I have also used a different client PC.

Thank you

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: error=self signed certificate in certificate chain

Post by maikcat » Mon Nov 24, 2014 6:40 am

Were they signed by the SAME CA?

Michael.

georget
OpenVpn Newbie

Re: error=self signed certificate in certificate chain

Post by georget » Mon Nov 24, 2014 8:24 am

Good morning maikcat,

I am not enough of an expert on this to understand what constitutes "signed by the same authority"... the story goes like this:

1. Tried to set up the openvpn server and client with the help of instructions found on Google; didn't work.
2. Most likely before I proceeded to step 3, I did format and re-install the Raspbian OS.
3. Found some other instructions on YouTube and finally I was able to get both my iPhone and PC clients to connect from the local LAN and from outside the LAN with no problem.
4. I tried to relocate my Raspberry Pi and after a reboot, for some reason my clients were trying to authenticate with the certificates from step 1; I can tell this from the info that I entered while I was creating the certificates.
5. I have again uninstalled everything (OS, client software, certificates) and started everything from scratch. I can connect locally with no problems, but when I tried to connect from outside (WAN), the error message points to the fact that my client loads the certificates from step 1.

I am lost, since I don't know how it is possible to find old certificates after deleting and re-installing everything at least 4-5 times.

Thank you

Giorgos

maikcat
Forum Team

Re: error=self signed certificate in certificate chain

Post by maikcat » Mon Nov 24, 2014 8:43 am

Good morning, compatriot :)

Please post the configs you used.
If you are using certificates you must keep in mind that EVERY certificate that is signed by your CA
WILL BE accepted by openvpn itself.
Also, on your openvpn server the only files needed for openvpn to work are:

ca.crt
dhxxxx.pem
server.crt
server.key
ta.key (if used)

NOTHING else...

Michael.

georget
OpenVpn Newbie

Re: error=self signed certificate in certificate chain

Post by georget » Mon Nov 24, 2014 9:17 am

:D

Please see config below:

newvpn.ovpn

dev tun
client
proto udp
remote 192.168.1.21 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
comp-lzo
verb 3

client1.conf

client
dev tun
proto udp
remote xx.xxx.xxx.199 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

client1.crt

Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=SanFrancisco, O=CubeC, OU=changeme, CN=changeme/name=changeme/emailAddress=mail@host.domain
Validity
Not Before: Nov 23 19:12:19 2014 GMT
Not After : Nov 20 19:12:19 2024 GMT
Subject: C=US, ST=CA, L=SanFrancisco, O=CubeC, OU=changeme, CN=client1/name=changeme/emailAddress=mail@host.domain
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
Easy-RSA Generated Certificate
X509v3 Subject Key Identifier:
05:1F:E4:25:37:8C:11:08:A7:86:16:B2:4B:9D:AF:3A:C9:8C:30:BA
X509v3 Authority Key Identifier:
keyid:EA:A3:03:1C:49:3F:E4:97:F5:D9:20:BD:99:5A:B2:B7:26:B5:A9:66
DirName:/C=US/ST=CA/L=SanFrancisco/O=CubeC/OU=changeme/CN=changeme/name=changeme/emailAddress=mail@host.domain
serial:D4:68:30:89:35:FD:BD:3D

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha1WithRSAEncryption

Viscosity logs that show info of the first certificate

Nov 23 10:59:29: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=CY, ST=LI, L=Polemidia, O=Cubectrl, OU=changeme, CN=Cubectrl, name=changeme, emailAddress=gt@cxxxxxxxxx.com
Nov 23 10:59:29: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Nov 23 10:59:29: TLS Error: TLS object -> incoming plaintext read error
Nov 23 10:59:29: TLS Error: TLS handshake failed
Nov 23 10:59:29: SIGUSR1[soft,tls-error] received, process restarting
Nov 23 10:59:29: State changed to Connecting
Nov 23 10:59:32: State changed to Disconnecting
Nov 23 10:59:33: State changed to Disconnected

Thank you

john56477
OpenVPN User
Posts: 27
Joined: Tue Nov 06, 2012 12:02 am

Re: error=self signed certificate in certificate chain

Post by john56477 » Mon Nov 24, 2014 9:22 am

For certs and keys, use the inline feature, with the certs and keys combined into the config file,
on both the client and the server side.

These guides and tools might help

tool
https://github.com/mattock/mkinline

guide
http://tryapi.wordpress.com/2014/10/13/ ... -easyrsa3/

maikcat
Forum Team

Re: error=self signed certificate in certificate chain

Post by maikcat » Mon Nov 24, 2014 9:35 am

Are you from Cyprus?

anyway,

Did you configure both ends of openvpn?
Do you use the SAME ca.crt for both ends?
Can you also post the server config?

Michael.

georget
OpenVpn Newbie

Re: error=self signed certificate in certificate chain

Post by georget » Mon Nov 24, 2014 10:26 am

Thank you John and Mike,

Yes, from Cyprus... I was sure that you were going to pick up on the CY :)

I will proceed tonight with John's suggestion for the upgrade...

Yes, client1.ovpn was also set up for use with my iPhone, since Viscosity does not require one.

client1.ovpn

client
dev tun
proto udp
remote xx.xxx.xxx.199 1194

resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server

comp-lzo
verb 3
explicit-exit-notify 2
ping 10
ping-restart 60

route-method exe
route-delay 2

The following configurations were also added on the server:

iptables -t nat -A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.21

In regards to the ca.crt: yes, I used CuteFTP 9 to download the fresh ones from the server. This is why I cannot understand how my clients, both the Windows PC and the iPhone, are displaying information for a certificate that was created 1 week ago, and yet everything was deleted and formatted; are these certificates stored online somehow?

maikcat
Forum Team

Re: error=self signed certificate in certificate chain

Post by maikcat » Mon Nov 24, 2014 11:02 am

2 things to check:
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.1.21
Is your server a VZ container?
In either case the above is possibly wrong...

Also, can you try to run the following on both server and client:

openssl x509 -subject -noout -in ca.crt

Michael.
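What the log line in the earlier post actually says, as an added example (not code from the thread or from OpenVPN): a small parser that pulls the depth, error and DN out of the `VERIFY ERROR` line and compares that DN with the subject that `openssl x509 -subject -noout -in ca.crt` prints on the client. The sample inputs are the posted log line and a CA subject constructed from the Issuer of the posted client1.crt; that the client's ca.crt carries this subject is an assumption.

```python
import re

# Constructed sample inputs: the VERIFY ERROR line from the Viscosity log posted
# above, and the CA subject as OpenSSL 1.0 prints it, built from the Issuer of the
# posted client1.crt (assumption: the client's ca.crt carries that subject).
LOG_LINE = ("Nov 23 10:59:29: VERIFY ERROR: depth=1, error=self signed certificate in "
            "certificate chain: C=CY, ST=LI, L=Polemidia, O=Cubectrl, OU=changeme, "
            "CN=Cubectrl, name=changeme, emailAddress=gt@cxxxxxxxxx.com")
CLIENT_CA_SUBJECT = ("subject= /C=US/ST=CA/L=SanFrancisco/O=CubeC/OU=changeme"
                     "/CN=changeme/name=changeme/emailAddress=mail@host.domain")

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")


def parse_dn(text):
    """Turn a DN into an ordered list of (attribute, value) pairs. Accepts the
    OpenVPN log form 'C=CY, O=X, CN=Y', the OpenSSL 1.0 form 'subject= /C=US/O=X'
    and the OpenSSL 1.1+ form 'subject=C = US, O = X'. Values that themselves
    contain ', ' or '/' are not handled; none of the DNs in this thread do."""
    text = text.strip()
    if text.startswith("subject="):
        text = text[len("subject="):].strip()
    parts = text.lstrip("/").split("/") if text.startswith("/") else text.split(", ")
    return [(a.strip(), v.strip()) for a, _, v in (p.partition("=") for p in parts)]


def parse_verify_error(line):
    """Return {depth, error, dn} for an OpenVPN 'VERIFY ERROR' log line, else None."""
    m = VERIFY_RE.search(line)
    if not m:
        return None
    return {"depth": int(m.group(1)), "error": m.group(2).strip(),
            "dn": parse_dn(m.group(3))}


def diagnose(line, client_ca_subject):
    """Compare the certificate OpenVPN rejected with the CA the client trusts.
    'self signed certificate in certificate chain' at depth >= 1 means the chain the
    server sent ends in a root that is not the client's ca.crt, so the DN in the log
    is the CA the server side is really using. Returns (status, differing fields):
    'ca-mismatch' = different CA names; 'ca-same-name' = same names but a different
    key, e.g. a CA rebuilt with the same Easy-RSA defaults (compare fingerprints)."""
    ev = parse_verify_error(line)
    if ev is None:
        return "no-verify-error", []
    if ev["error"] != "self signed certificate in certificate chain":
        return ev["error"], []
    offered, trusted = dict(ev["dn"]), dict(parse_dn(client_ca_subject))
    diffs = [(k, offered.get(k), trusted.get(k))
             for k in ("C", "O", "CN") if offered.get(k) != trusted.get(k)]
    return ("ca-mismatch", diffs) if diffs else ("ca-same-name", [])
```

On the posted inputs this reports `ca-mismatch` with C, O and CN all differing, i.e. the server is handing out a chain rooted in the old Cubectrl CA while the client files were issued by the CubeC CA. For the `ca-same-name` case, `openssl x509 -fingerprint -noout -in ca.crt` on both ends tells the two CAs apart.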

georget
OpenVpn Newbie

Re: error=self signed certificate in certificate chain

Post by georget » Mon Nov 24, 2014 12:10 pm

Thank you, I will try; any clue though why the certificates from the past still appear?

maikcat
Forum Team

Re: error=self signed certificate in certificate chain

Post by maikcat » Mon Nov 24, 2014 12:20 pm

No, if openvpn is configured to read the correct certs there is nowhere that the certs are cached in any way.

Michael.

georget
OpenVpn Newbie

Re: error=self signed certificate in certificate chain

Post by georget » Mon Nov 24, 2014 11:24 pm

Mike and John...THANK YOU, everything working now...

maikcat
Forum Team

Re: error=self signed certificate in certificate chain

Post by maikcat » Tue Nov 25, 2014 6:30 am

just for the record...

what was the error?

Michael.

georget
OpenVpn Newbie
Posts: 8
Joined: Tue Nov 18, 2014 1:59 pm

Re: error=self signed certificate in certificate chain

Post by georget » Tue Nov 25, 2014 8:07 pm

Really, I don't know, since initially I had it working and then after a reboot it never worked again. Every time I started from scratch, including a format, I had the problem that the 1st certificate would appear out of nowhere. Also this guy had the exact same problem as me: http://ubuntuforums.org/showthread.php?t=2099642

I don't know if iTunes and sharing between devices has something to do with it.

I did follow the instructions that John posted and everything started working again.

Again thank you guys
