PolarSSL : error parsing ca certificate

ggmpd
OpenVpn Newbie
Posts: 2
Joined: Mon Feb 25, 2013 12:24 am

PolarSSL : error parsing ca certificate

Post by ggmpd » Mon Feb 25, 2013 12:33 am

Following the instructions in the app help for OpenVPN Connect I've attempted to connect to my OpenVPN server but on importing the .ovpn file via Mail and adding it via the OpenVPN Connect app, I receive the following error:

OpenVPN error : PolarSSL : error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected

The ca.crt is the one I've always used with my server - I exported it via mail in .PEM format and iOS successfully added it to my keychain (as well as the client key and cert which I sent as a PKCS12 file). All of the certificates and keys were built using the standard easy-rsa commands as described in the OpenVPN book (and have been working fine with Tunnelblick connections for months).

It seems to me that the error message could be a little more forthcoming as to what exactly it wants.

The iOS version is 6.1, the certificates were generated using easy-rsa (from OpenVPN 2.2.1) with OpenSSL 0.9.8r if that helps. The server is running on RedHat Enterprise Linux 5 update 9.

cabhay
OpenVpn Newbie
Posts: 6
Joined: Thu Feb 07, 2013 6:19 am

Re: PolarSSL : error parsing ca certificate

Post by cabhay » Mon Feb 25, 2013 3:11 pm

Hi ggmpd,

Does the CA certificate have a single certificate or a chain of certificates? I am facing the same issue on iOS. However, it works fine with OpenVPN Connect for Android.

- Abhay

jamesyonan
OpenVPN Inc.
Posts: 169
Joined: Thu Jan 24, 2013 12:13 am

Re: PolarSSL : error parsing ca certificate

Post by jamesyonan » Mon Feb 25, 2013 5:24 pm

Try putting your CA certs into the profile. iOS has a known issue where if you import a PKCS#12 file into the iOS keychain, it drops all CA and intermediate certs and only retains the leaf cert and private key. So as a result, OpenVPN is unable to get CA certs from the keychain, so these certs must be in the profile.

henrybakker01
OpenVpn Newbie
Posts: 1
Joined: Thu Mar 07, 2013 3:59 pm

Re: PolarSSL : error parsing ca certificate

Post by henrybakker01 » Thu Mar 07, 2013 4:00 pm

I am facing the same problem. What do you exactly mean with "Try putting your CA certs into the profile."??

stekki
OpenVpn Newbie
Posts: 3
Joined: Thu Feb 07, 2013 2:42 pm

Re: PolarSSL : error parsing ca certificate

Post by stekki » Thu Mar 07, 2013 7:18 pm

henrybakker01 wrote: I am facing the same problem. What do you exactly mean with "Try putting your CA certs into the profile."??

You should copy the content of the crt, key and ca files in the config file instead of copying into the keychain.

bubbazanetti
OpenVpn Newbie
Posts: 2
Joined: Sat Mar 16, 2013 8:51 pm

Re: PolarSSL : error parsing ca certificate

Post by bubbazanetti » Sat Mar 16, 2013 9:00 pm

stekki wrote:
henrybakker01 wrote: I am facing the same problem. What do you exactly mean with "Try putting your CA certs into the profile."??
You should copy the content of the crt, key and ca files in the config file instead of copying into the keychain.

I am sorry, this doesn't make sense to me either.


My OpenVPN export is a zip file with a .p12 profile/certificate, and the .ovpn config file.

When I load the .ovpn file it installs into OpenVPN as a Profile, but says external certificate profile

I open the .p12 file (in email) it asks if I want to install this profile, I install it. Then back in OpenVPN it has me select a certificate...I select the one that installed as a profile.

After that, you get the PolarSSL error.

None of that setup matches what you suggested.

Now are you suggesting that the .ovpn file gets edited, and the certificate (I have IPcop, so it shows under info), about 50 lines of txt, gets pasted somewhere into the .ovpn file?

If so where?

Within the .ovpn file there is a line that directs it to the .p12 file...

Is there a reference on how to manually edit the ovpn file?

bubbazanetti
OpenVpn Newbie
Posts: 2
Joined: Sat Mar 16, 2013 8:51 pm

Re: PolarSSL : error parsing ca certificate

Post by bubbazanetti » Sat Mar 16, 2013 9:17 pm

https://community.openvpn.net/openvpn/wiki/IOSinline


Ok, found a reference about inserting CA key...can't test for a while.

Rgusnowski
OpenVpn Newbie
Posts: 3
Joined: Tue Jul 29, 2014 8:59 pm

Re: OpenVPN error : PolarSSL : error parsing ca certificate

Post by Rgusnowski » Tue Jul 29, 2014 9:09 pm

Hi

I am having the same problem with my iPad. OpenVPN is working fine on my Mac, PC, and Android, but on iOS I am getting the error: "OpenVPN error : PolarSSL : error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected".

My config file looks like:

client
dev tun
proto udp
remote xxx.host.net 443
float
comp-lzo no
keepalive 15 60
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
REDACTEDAp2gAwIBAgIJAMbTH300dCrMMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
BAYTAlRXMQswCQYDVQQIEwJUVzEPMA0GA1UEBxMGVGFpcGVpMQ0wCwYDVQQKEwRB
U1VTMREwDwYDVQQDEwhSVC1BQzY2VTEhMB8GCSqGSIb3DQEJARYSbWVAbXlob3N0
Lm15ZG9tYWluMB4XDTE0MDcwNzA0MDgwM1oXDTI0MDcwNDA0MDgwM1owcDELMAkG
A1UEBhMCVFcxCzAJBgNVBAgTAlRXMQ8wDQYDVQQHEwZUYWlwZWkxDTALBgNVBAoT
BEFTVVMxETAPBgNVBAMTCFJULUFDNjZVMSEwHwYJKoZIhvcNAQkBFhJtZUBteWhv
c3QubXlkb21haW4wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANVewAMtPdpn
REDACTED
-----END CERTIFICATE-----
</ca>
<cert>
paste client certificate data here
</cert>
<key>
paste client key data here
</key>
resolv-retry infinite
nobind


I had a look at https://community.openvpn.net/openvpn/wiki/IOSinline but I am not recognizing what is missing.

My iPad is running iOS 7.1.2, and I am using the newest OpenVPN client from the App Store. If anyone can help me resolve this issue it would be greatly appreciated.

Thanks

Robert
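
Added example, not part of any post in this thread and not OpenVPN code: a small Python check for the inline <ca>, <cert> and <key> blocks of an .ovpn profile of the kind discussed above. It only verifies the PEM armor, the base64 body and the leading ASN.1 tag, not full X.509 validity; `lint_profile` and the sample profile are constructed for illustration.

```python
import base64
import binascii
import re

# PEM labels accepted inside each inline block of an .ovpn profile.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}
EXPECTED = {"ca": {"CERTIFICATE"}, "cert": {"CERTIFICATE"}, "key": KEY_LABELS}
BLOCK = re.compile(r"<(ca|cert|key)>\s*\n(.*?)\n\s*</\1>", re.S)
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*\n(.*?)\n-----END \1-----", re.S)

def lint_profile(text):
    """Return (tag, problem) findings for the inline blocks of an .ovpn profile."""
    blocks = {m.group(1): m.group(2) for m in BLOCK.finditer(text)}
    # Per the advice in the thread, the CA certs must be in the profile on iOS.
    findings = [] if "ca" in blocks else [("ca", "no inline <ca> block")]
    for tag, body in blocks.items():
        objects = PEM.findall(body)
        if not objects:
            findings.append((tag, "no PEM object, only placeholder or stray text"))
        for label, b64 in objects:
            if label not in EXPECTED[tag]:
                findings.append((tag, f"unexpected PEM label {label!r}"))
                continue
            try:
                der = base64.b64decode("".join(b64.split()), validate=True)
            except binascii.Error:
                findings.append((tag, "body is not valid base64"))
                continue
            # DER certificates and keys start with an ASN.1 SEQUENCE tag (0x30).
            if not der.startswith(b"\x30"):
                findings.append((tag, "decoded data is not an ASN.1 SEQUENCE"))
    return findings

# Constructed sample: the <ca> body is a 5-byte DER SEQUENCE, not a real certificate.
TOY = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE = f"""client
<ca>
-----BEGIN CERTIFICATE-----
{TOY}
-----END CERTIFICATE-----
</ca>
<cert>
paste client certificate data here
</cert>
"""

if __name__ == "__main__":
    print(lint_profile(SAMPLE))
```

A profile that passes this check can still be rejected by the client, since the check stops at the outer encoding; `openssl x509 -noout -text` on the extracted block gives a full parse.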
