unkown CA
Posted: Wed Apr 24, 2013 1:01 pm
Hi,
I'm trying to setup openvpn between the following networks
VPC_A (10.50.0.0/16) <> VPC_B (10.60.0.0/16)
Tunnel established from VPC_B > VPC_A without any problem, I can ping the 10.50.0.0 network.
With the exact same configuration but with just KEY_ORG in vars different I get this in the client side log file:
Wed Apr 24 12:49:48 2013 us=326081 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=MT/ST=MT/L=MSIDA/O=vpcbf735ed7/OU=changeme/CN=changeme/name=changeme/emailAddress=xxxxx@xxxxxxx.com
Wed Apr 24 12:49:48 2013 us=326202 SSL alert (write): fatal: unknown CA
Wed Apr 24 12:49:48 2013 us=326343 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
and I obviously cannot ping the 10.60.0.0/16 network.
I verified that connections are indeed being received by using tcpdump so its not a connectivity issue and I'm sure I copied the right certificates for the client.
server.conf
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/openvpn-server.crt
key keys/openvpn-server.key
dh keys/dh1024.pem
server 172.16.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.60.0.0 255.255.0.0"
keepalive 3 10
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn-server.log
verb 6
client.conf
client
dev tun
proto udp
remote 54.246.135.3 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca client/ca.crt
cert client/openvpn-client.crt
key client/openvpn-client.key
remote-cert-tls server
comp-lzo
verb 10
keepalive 3 10
log-append /var/log/openvpn-client.log
Tried removing remote-cert-tls server from the client side with the same result.
Iptables
[root@ip-10-60-1-254 openvpn]# more /etc/sysconfig/iptables
# Generated by iptables-save v1.4.18 on Wed Apr 24 12:30:22 2013
*nat
REROUTING ACCEPT [7:294]
:INPUT ACCEPT [7:294]
:OUTPUT ACCEPT [1:76]
OSTROUTING ACCEPT [0:0]
-A POSTROUTING -o tun+ -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
I'm trying to setup openvpn between the following networks
VPC_A (10.50.0.0/16) <> VPC_B (10.60.0.0/16)
Tunnel established from VPC_B > VPC_A without any problem, I can ping the 10.50.0.0 network.
With the exact same configuration but with just KEY_ORG in vars different I get this in the client side log file:
Wed Apr 24 12:49:48 2013 us=326081 VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: /C=MT/ST=MT/L=MSIDA/O=vpcbf735ed7/OU=changeme/CN=changeme/name=changeme/emailAddress=xxxxx@xxxxxxx.com
Wed Apr 24 12:49:48 2013 us=326202 SSL alert (write): fatal: unknown CA
Wed Apr 24 12:49:48 2013 us=326343 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
and I obviously cannot ping the 10.60.0.0/16 network.
I verified that connections are indeed being received by using tcpdump so its not a connectivity issue and I'm sure I copied the right certificates for the client.
server.conf
port 1194
proto udp
dev tun
ca keys/ca.crt
cert keys/openvpn-server.crt
key keys/openvpn-server.key
dh keys/dh1024.pem
server 172.16.2.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.60.0.0 255.255.0.0"
keepalive 3 10
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log /var/log/openvpn-server.log
verb 6
client.conf
client
dev tun
proto udp
remote 54.246.135.3 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca client/ca.crt
cert client/openvpn-client.crt
key client/openvpn-client.key
remote-cert-tls server
comp-lzo
verb 10
keepalive 3 10
log-append /var/log/openvpn-client.log
Tried removing remote-cert-tls server from the client side with the same result.
Iptables
[root@ip-10-60-1-254 openvpn]# more /etc/sysconfig/iptables
# Generated by iptables-save v1.4.18 on Wed Apr 24 12:30:22 2013
*nat
REROUTING ACCEPT [7:294]:INPUT ACCEPT [7:294]
:OUTPUT ACCEPT [1:76]
OSTROUTING ACCEPT [0:0]-A POSTROUTING -o tun+ -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT