Issues using 3rd Party CA (GoDaddy)

KernelSanders
OpenVpn Newbie
Posts: 2
Joined: Sat Aug 23, 2014 3:31 pm

Issues using 3rd Party CA (GoDaddy)

Post by KernelSanders » Sat Aug 23, 2014 4:03 pm

I'm trying to set up OpenVPN using a wildcard certificate signed by GoDaddy for the CA instead of building a self-signed CA. There are many examples on the web of setting up OpenVPN using a self-signed CA but the only example I could find using an existing CA is http://www.linuxlasse.net/linux/howtos/OpenVPN. Following that guide, I place my signed wildcard cert and key in the keys directory as ca.crt and ca.key, respectively. I verified they match using:

openssl x509 -noout -modulus -in ca.crt | openssl md5
and

openssl rsa -noout -modulus -in ca.key | openssl md5
Then I ran "./build-key-server server" but I cannot verify the server.crt file it creates with my ca.crt.

openssl verify -CAfile keys/ca.crt  keys/server.crt 
keys/server.crt: C = US, ST = VA, L = city, O = company, OU = VPN, CN = server
error 20 at 0 depth lookup:unable to get local issuer certificate
Not surprisingly, I cannot connect a client. When I attempt to do so I get these errors:

VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=US/ST=VA/L=city/O=company/OU=VPN/CN=server
TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
TCP/UDP: Closing socket
When I use ./build-ca to generate a self-signed cert then I can verify the server.crt using ca.crt of course.

Am I missing something? I have read forum posts of other people using 3rd party signed certs for OpenVPN and the instructions on linuxlasse.net suggest it should be as simple as placing my ca.crt and ca.key in the keys directory like I am doing. So why can I not verify my server.crt?
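The question above turns on what `openssl verify -CAfile` requires of the certificate it is handed as the trust anchor. The script below is an added example, not code from the thread: it builds two self-signed certificates, one carrying the extensions a CA needs (basicConstraints CA:TRUE and keyUsage keyCertSign) and one shaped like an ordinary server certificate with CA:FALSE and only digitalSignature/keyEncipherment, signs a server CSR with each (the step build-key-server performs), and then runs the same `openssl verify -CAfile` check as the post against both chains. All subject names, file names and the working directory are constructed for the demonstration; `can_issue` and `verify_chain` are helper functions defined here, not part of easy-rsa or OpenSSL.

```shell
#!/bin/sh
# Added example (not from the thread): which trust anchors does `openssl verify`
# accept as the issuer of a freshly signed server certificate?
# All names below are constructed; WORK defaults to a fresh temp directory.

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/demo.cnf"

# A minimal req/x509 config so the result does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ee_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF

# make_self_signed NAME SUBJECT EXT_SECTION: self-signed cert + key in $WORK.
make_self_signed() {
    openssl req -new -x509 -config "$CFG" -extensions "$3" \
        -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "$2" -days 30 >/dev/null 2>&1
}

# issue_server_cert ISSUER OUT: generate a server CSR and sign it with ISSUER's
# key and cert, which is what easy-rsa's build-key-server does with ca.crt/ca.key.
issue_server_cert() {
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=server" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -out "$WORK/$2.crt" -days 30 \
        -extfile "$CFG" -extensions server_ext >/dev/null 2>&1
}

# can_issue CERT: true if the cert asserts CA:TRUE and keyUsage includes
# keyCertSign (shown as "Certificate Sign"), the two properties OpenSSL checks
# when it looks for the issuer of a certificate.
can_issue() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" | grep -q 'CA:TRUE' &&
    printf '%s\n' "$text" | grep -q 'Certificate Sign'
}

# verify_chain ANCHOR LEAF: the exact check from the post, exit status only.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_self_signed ca "/CN=Demo Root CA" ca_ext
make_self_signed ee "/CN=*.example.test" ee_ext   # shaped like a public wildcard cert
issue_server_cert ca server_by_ca
issue_server_cert ee server_by_ee

for issuer in ca ee; do
    if can_issue "$WORK/$issuer.crt"; then
        echo "$issuer.crt: CA:TRUE and keyCertSign present"
    else
        echo "$issuer.crt: not a CA certificate"
    fi
    if verify_chain "$WORK/$issuer.crt" "$WORK/server_by_$issuer.crt"; then
        echo "  openssl verify -CAfile $issuer.crt server_by_$issuer.crt: OK"
    else
        echo "  openssl verify -CAfile $issuer.crt server_by_$issuer.crt: FAILED"
    fi
done
```

Run it as-is and the chain signed by `ca.crt` verifies while the one signed by `ee.crt` does not, even though the signature on `server_by_ee.crt` is mathematically valid; OpenSSL refuses to treat a certificate without CA:TRUE and keyCertSign as an issuer. To apply the check to a real deployment, point `can_issue` at the file placed in `keys/ca.crt` before running build-key-server.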

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Issues using 3rd Party CA (GoDaddy)

Post by maikcat » Mon Aug 25, 2014 6:43 am

Can you post the complete output when issuing the build-key-server server command?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

KernelSanders
OpenVpn Newbie
Posts: 2
Joined: Sat Aug 23, 2014 3:31 pm

Re: Issues using 3rd Party CA (GoDaddy)

Post by KernelSanders » Mon Aug 25, 2014 4:56 pm

Here is the output of ./build-key-server; I ran it on a new box with the default settings in vars this time. I don't see anything in the output that suggests anything is wrong, which is why I didn't include the output in the original post.

./build-key-server server
Generating a 2048 bit RSA private key
.......+++
.............................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [US]:
State or Province Name (full name) [CA]:
Locality Name (eg, city) [SanFrancisco]:
Organization Name (eg, company) [Fort-Funston]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:
Name [EasyRSA]:
Email Address [me@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :PRINTABLE:'CA'
localityName          :PRINTABLE:'SanFrancisco'
organizationName      :PRINTABLE:'Fort-Funston'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'me@myhost.mydomain'
Certificate is to be certified until Aug 22 16:52:38 2024 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

openssl verify -CAfile keys/ca.crt  keys/server.crt 
keys/server.crt: C = US, ST = CA, L = SanFrancisco, O = Fort-Funston, OU = MyOrganizationalUnit, CN = server, name = EasyRSA, emailAddress = me@myhost.mydomain
error 20 at 0 depth lookup:unable to get local issuer certificate

rchannel
OpenVpn Newbie
Posts: 1
Joined: Wed Feb 18, 2015 9:59 pm

Re: Issues using 3rd Party CA (GoDaddy)

Post by rchannel » Wed Feb 18, 2015 9:59 pm

Did you ever find a solution to this? I am running into the same issues.
