[Solved] Certificate problem with client config on Raspberry Pi and Win10

Pro1712
OpenVpn Newbie
Posts: 5
Joined: Wed Feb 20, 2013 2:09 pm

[Solved] Certificate problem with client config on Raspberry Pi and Win10

Post by Pro1712 » Mon Jan 07, 2019 1:48 pm

Hello!

I have my server running on Raspberry Pi with this config:

port 1194
proto udp
dev tun
ca ca.crt
pkcs12 server.p12
dh dh2048.pem
topology subnet
push "topology subnet"
mode server
tls-server
ifconfig 192.168.12.1 255.255.255.0
ifconfig-pool 192.168.12.50 192.168.12.100
push "route 192.168.5.0 255.255.255.0"
push "route-gateway 192.168.12.1"
client-to-client
keepalive 10 60
remote-cert-tls client
tls-auth ta.key 0
key-direction 0
cipher AES-256-CBC
auth SHA256
compress lz4-v2
push "compress lz4-v2"
max-clients 10
user nobody
ping-timer-rem
persist-key
persist-tun
push "ping-timer-rem"
push "persist-tun"
push "persist-key"
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 3
mute 50
explicit-exit-notify 1
This is my client config:

remote vpn.server.com
port 1194
client
dev tun
proto udp
resolv-retry infinite
nobind
ca ca.crt
pkcs12 client.p12
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
status /var/log/openvpn/openvpn.log
log /var/log/openvpn/openvpn.log
verb 3
auth-nocache
askpass pass
The config runs without any problems on Windows 10.

On Raspberry Pi I get this error:

OpenVPN 2.4.0 arm-unknown-linux-gnueabihf [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Jul 18 2017
library versions: OpenSSL 1.0.2q  20 Nov 2018, LZO 2.08
Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
TCP/UDP: Preserving recently used remote address: [AF_INET]xxx.xxx.xxx.xxx:1194
Socket Buffers: R=[163840->163840] S=[163840->163840]
UDP link local: (not bound)
UDP link remote: [AF_INET]xxx.xxx.xxx.xxx:1194
TLS: Initial packet from [AF_INET]xxx.xxx.xxx.xxx:1194, sid=f4abc124 20ef06c0
VERIFY OK: depth=1, C=xx, O=xx, CN=xx
Validating certificate key usage
++ Certificate has key usage  00a8, expects 00a0
++ Certificate has key usage  00a8, expects 0088
VERIFY KU ERROR
OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)
SIGTERM[hard,init_instance] received, process exiting
Is there any difference running a config on Raspberry and Windows 10?

As I understand, the client is checking if the certificate has the flags 00a0 (KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT).
It finds out that the certificate has the flags 00a8 (KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT, KU_KEY_AGREEMENT).
But 00a8 contains 00a0? So what's the problem???

Can anyone help me?
Thanks :-)

Best regards,
Pro1712
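As an added illustration that is not part of the original post, the key-usage comparison behind the "VERIFY KU ERROR" lines modelled in Python: the KU bit values are OpenSSL's own constants, the two expected values (00a0 and 0088) are taken from the log above, and which of the two comparison rules a particular OpenVPN build applies is an assumption of this example, not something the thread establishes.

```python
# Added example (not from the forum thread): reproduces the key-usage (KU)
# comparison behind the "VERIFY KU ERROR" log lines, using the KU bit values
# OpenSSL defines in openssl/x509v3.h. Which comparison rule a given OpenVPN
# build applies is an assumption here, not taken from the thread.

# Bit values as defined by OpenSSL (KU_* in openssl/x509v3.h),
# keyed by the usage names XCA displays.
KU_BITS = {
    "Digital Signature": 0x0080,
    "Non Repudiation": 0x0040,
    "Key Encipherment": 0x0020,
    "Data Encipherment": 0x0010,
    "Key Agreement": 0x0008,
    "Certificate Sign": 0x0004,
    "CRL Sign": 0x0002,
    "Encipher Only": 0x0001,
    "Decipher Only": 0x8000,
}

# The two KU values the log says the client expects for --remote-cert-tls server.
EXPECTED_SERVER_KU = (0x00A0, 0x0088)


def ku_value(usages):
    """Combine XCA-style key usage names into the 16-bit value OpenVPN logs."""
    value = 0
    for name in usages:
        value |= KU_BITS[name]
    return value


def ku_matches_exact(ku, expected=EXPECTED_SERVER_KU):
    """Exact-match rule: the certificate's KU must equal one expected value."""
    return any(ku == e for e in expected)


def ku_matches_superset(ku, expected=EXPECTED_SERVER_KU):
    """Subset rule: every bit of some expected value must be set in the cert."""
    return any(ku & e == e for e in expected)


def explain(usages):
    """Return the logged hex form of the KU and the verdict under both rules."""
    ku = ku_value(usages)
    return {"ku": f"{ku:04x}", "exact": ku_matches_exact(ku),
            "superset": ku_matches_superset(ku)}


if __name__ == "__main__":
    # Constructed input: the server certificate's usages as listed in the thread.
    print(explain(["Digital Signature", "Key Agreement", "Key Encipherment"]))
    # A certificate carrying only the two usages 00a0 passes under both rules.
    print(explain(["Digital Signature", "Key Encipherment"]))
```

Under the exact-match rule the 00a8 certificate is rejected even though it contains every bit of 00a0, which is exactly what the two "expects" lines in the log report.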

TinCanTech
OpenVPN Protagonist
Posts: 5255
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by TinCanTech » Mon Jan 07, 2019 7:15 pm

How did you create your certificates ?

viewtopic.php?f=30&t=22603

Pro1712
OpenVpn Newbie
Posts: 5
Joined: Wed Feb 20, 2013 2:09 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by Pro1712 » Tue Jan 08, 2019 9:50 am

I created the certificates with XCA
https://www.hohnstaedt.de/xca/


My certificates have these usage keys:

ca:
Certificate Sign, CRL Sign

server:
TLS Web Server Authentication, Digital Signature, Key Agreement, Key Encipherment

client:
TLS Web Client Authentication, Digital Signature, Key Agreement

Thanks :-)

TinCanTech
OpenVPN Protagonist
Posts: 5255
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by TinCanTech » Tue Jan 08, 2019 1:09 pm

Do you use LibreSSL ?

Pro1712
OpenVpn Newbie
Posts: 5
Joined: Wed Feb 20, 2013 2:09 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by Pro1712 » Tue Jan 08, 2019 3:22 pm

I used this to install OpenVPN on the Raspberry Pi client:

sudo apt-get install -y openvpn openssl
This version is installed:
openssl 1.1.0j-1~deb9u1

TinCanTech
OpenVPN Protagonist
Posts: 5255
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by TinCanTech » Tue Jan 08, 2019 5:03 pm

Pro1712 wrote:
Tue Jan 08, 2019 9:50 am
I created the certificates with XCA
I suspect you have created your certificates in a way that is not compatible with openvpn.

Please use Easyrsa:
https://github.com/OpenVPN/easy-rsa/releases

Pro1712
OpenVpn Newbie
Posts: 5
Joined: Wed Feb 20, 2013 2:09 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by Pro1712 » Wed Jan 09, 2019 9:32 am

As I wrote in my first post, the certificates work on Win10 but they don't work on Raspberry Pi.
Is there any difference in the implementation of OpenVPN on these 2 platforms?

On Win10 version 2.4.6 is installed, on Raspberry Pi openvpn 2.4.0-6+deb9u2.
Could this be the problem?

TinCanTech
OpenVPN Protagonist
Posts: 5255
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by TinCanTech » Wed Jan 09, 2019 1:55 pm

Pro1712 wrote:
Wed Jan 09, 2019 9:32 am
As I wrote in my first post, the certificates work on Win10 but they don't work on Raspberry Pi.
Is there any difference in the implementation of OpenVPN on these 2 platforms?
No, they are based on the exact same code base.

The fact remains that you have used unsupported software (XCA) to create your certificates.

Pro1712
OpenVpn Newbie
Posts: 5
Joined: Wed Feb 20, 2013 2:09 pm

Re: Certificate problem with client config on Raspberry Pi and Win10

Post by Pro1712 » Tue Jan 22, 2019 2:53 pm

I've created new certificates using easy-rsa.
Now it works :-)
Thanks for your help!
