Error rendering cert
-
- OpenVPN User
- Posts: 32
- Joined: Fri May 09, 2014 8:31 am
Error rendering cert
Hi all, I know it's been asked before, but has anyone come up with a fix for this error? I only see it in the logs of Android clients, so I think it's specific to Android. I use the same ovpn file in Windows and iPhone clients and all is fine. If you do away with ta.key and tls-auth it goes away, but then it's less secure. Hope this makes sense. Everything works OK but I would like to know how secure I am (or not).
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Error rendering cert
Using --tls-auth is strongly recommended .. running without it to fix an error is not a suitable solution.
I believe you need to import your client file for Android with inline cert/keys using Unix-style newlines, not Windows CR-LF ..
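One way to check a profile for the Windows line endings suggested above, along with the structure of its inline blocks, before importing it on Android. This is an added example, not part of the thread; the function names and the sample profile are constructed for illustration.

```python
import re

INLINE_TAGS = ("ca", "cert", "key", "tls-auth")

def to_unix(data):
    """Convert CRLF (and stray CR) line endings to LF."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")

def lint_profile(data):
    """Return a list of findings for an .ovpn profile passed as raw bytes."""
    findings = []
    crlf = data.count(b"\r\n")
    if crlf:
        findings.append(f"{crlf} lines end in CRLF")
    lines = [ln.strip() for ln in data.decode("utf-8", "replace").splitlines()]
    for tag in INLINE_TAGS:
        opens, closes = lines.count(f"<{tag}>"), lines.count(f"</{tag}>")
        if opens != closes:
            findings.append(f"<{tag}> opening and closing tags do not match")
        elif opens:
            body = lines[lines.index(f"<{tag}>") + 1:lines.index(f"</{tag}>")]
            begins = sum(ln.startswith("-----BEGIN ") for ln in body)
            ends = sum(ln.startswith("-----END ") for ln in body)
            if begins == 0 or begins != ends:
                findings.append(f"<{tag}> has no complete BEGIN/END block")
    # The direction cannot be given inside an inline <tls-auth> block; it is
    # needed when the server sets one (e.g. "tls-auth ta.key 0").
    has_direction = any(re.fullmatch(r"key-direction\s+[01]", ln) for ln in lines)
    if "<tls-auth>" in lines and not has_direction:
        findings.append("inline <tls-auth> without a key-direction line")
    return findings

# Constructed sample profile saved with Windows line endings (dummy key material).
SAMPLE = (
    "client\nkey-direction 1\n"
    "<ca>\n-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n</ca>\n"
    "<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n0000\n"
    "-----END OpenVPN Static key V1-----\n</tls-auth>\n"
).replace("\n", "\r\n").encode()

if __name__ == "__main__":
    print("as saved: ", lint_profile(SAMPLE))
    print("converted:", lint_profile(to_unix(SAMPLE)))
```

To check a real file, pass `open(path, "rb").read()` so the line endings reach the function unchanged.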
-
- OpenVPN User
- Posts: 32
- Joined: Fri May 09, 2014 8:31 am
Re: Error rendering cert
Traffic wrote: Using --tls-auth is strongly recommended .. running without it to fix an error is not a suitable solution.
Hi, I would never run it without tls, I just read somewhere that the error goes away if you remove it.
Traffic wrote: I believe you need to import your client file for android with inline cert/keys using unix style newline not windows CR-LF
My client file was created in Linux with all the keys in the ovpn. I've also tried referencing the ta.key file from the ovpn but still the error is there.
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Error rendering cert
pkfox wrote: My client file was created in Linux with all the keys in the ovpn, I've also tried referencing the ta.key file from the ovpn but still the error is there
Please post configs and logs .. perhaps we can identify the problem.
-
- OpenVPN User
- Posts: 32
- Joined: Fri May 09, 2014 8:31 am
Re: Error rendering cert
Here is server.conf and my ovpn. Hope this helps.
Code:
local 10.10.1.8 # openvpn server
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/pivpn.crt
key /etc/openvpn/easy-rsa/keys/pivpn.key
dh /etc/openvpn/easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
# server and remote endpoints
ifconfig 10.8.0.1 10.8.0.2
push "route 10.8.0.0 255.255.255.0"
# your local subnet
push "route 10.10.1.0 255.255.255.0"
push "dhcp-option DNS 194.168.4.100"
push "redirect-gateway def1"
client-to-client
duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/easy-rsa/keys/ta.key 0
cipher AES-128-CBC
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log 20
log /var/log/openvpn/openvpn.log
verb 1
and my ovpn
Code:
client
dev tun
proto udp
remote myDNSName here 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-auth>
Last edited by maikcat on Mon Feb 02, 2015 1:30 pm, edited 1 time in total.
Reason: removed keys
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: Error rendering cert
What does your client log show .. please use verb 4 in your client.
Probably not a good idea to post entire PKI details ..
*** Perhaps a MODERATOR can obfuscate your post a little ***
-
- OpenVPN User
- Posts: 32
- Joined: Fri May 09, 2014 8:31 am
Re: Error rendering cert
Traffic wrote: What does your client log show .. please use verb 4 in your client.
Can't find a log file on the client, you can only view it via the app and there's no way of copying it to the clipboard.
Traffic wrote: Probably not a good idea to post entire PKI details ..
*** Perhaps a MODERATOR can obfuscate your post a little ***