Self signed certificate error

Scripts to manage certificates or generate config files

Moderators: TinCanTech

menganito
OpenVpn Newbie
Posts: 2
Joined: Thu Dec 04, 2014 12:05 pm

Self signed certificate error

Post by menganito » Thu Dec 04, 2014 12:52 pm

Hello,

I would like to ask you for help with troubleshooting my connection problems. I found similar threads in this forum, but nothing in them helped. My issue follows:

I have a VPN out of one server (dd wrt router, configured using the webgui), two clients, both 64bit PCs. One of the clients can connect without any issues, however, the other one cannot.
When building the VPN, I created CA, server and client certs on the same machine, the client that now works. I followed this howto: https://openvpn.net/index.php/open-sour ... howto.html.

The client that cannot connect has this in the log:

Dec  4 12:42:09 fractal ovpn-client[19365]: OpenVPN 2.3.4 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  1 2014
Dec  4 12:42:09 fractal ovpn-client[19365]: library versions: OpenSSL 1.0.1j 15 Oct 2014, LZO 2.06
Dec  4 12:42:09 fractal ovpn-client[19365]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Dec  4 12:42:09 fractal ovpn-client[19366]: UDPv4 link local: [undef]
Dec  4 12:42:09 fractal ovpn-client[19366]: UDPv4 link remote: [AF_INET]192.168.1.1:1194
Dec  4 12:42:09 fractal ovpn-client[19366]: TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=ba92916c e38120d2
Dec  4 12:42:10 fractal ovpn-client[19366]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=SK, ST=KE, L=Kosice, O=noorg, OU=noou, CN=noorg CA, name=EasyRSA, emailAddress=removed
Dec  4 12:42:10 fractal ovpn-client[19366]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec  4 12:42:10 fractal ovpn-client[19366]: TLS Error: TLS object -> incoming plaintext read error
Dec  4 12:42:10 fractal ovpn-client[19366]: TLS Error: TLS handshake failed
Dec  4 12:42:10 fractal ovpn-client[19366]: SIGUSR1[soft,tls-error] received, process restarting
Dec  4 12:42:10 fractal ovpn-client[19366]: Restart pause, 2 second(s)
Dec  4 12:42:12 fractal ovpn-client[19366]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Dec  4 12:42:12 fractal ovpn-client[19366]: UDPv4 link local: [undef]
Dec  4 12:42:12 fractal ovpn-client[19366]: UDPv4 link remote: [AF_INET]192.168.1.1:1194
Dec  4 12:42:12 fractal ovpn-client[19366]: TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=13c4f500 80d0bc6b
Dec  4 12:42:12 fractal ovpn-client[19366]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=SK, ST=KE, L=Kosice, O=noorg, OU=noou, CN=noorg CA, name=EasyRSA, emailAddress=removed
Dec  4 12:42:12 fractal ovpn-client[19366]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec  4 12:42:12 fractal ovpn-client[19366]: TLS Error: TLS object -> incoming plaintext read error
Dec  4 12:42:12 fractal ovpn-client[19366]: TLS Error: TLS handshake failed
Dec  4 12:42:12 fractal ovpn-client[19366]: SIGUSR1[soft,tls-error] received, process restarting
Dec  4 12:42:12 fractal ovpn-client[19366]: Restart pause, 2 second(s)
Dec  4 12:42:14 fractal ovpn-client[19366]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Dec  4 12:42:14 fractal ovpn-client[19366]: UDPv4 link local: [undef]
Dec  4 12:42:14 fractal ovpn-client[19366]: UDPv4 link remote: [AF_INET]192.168.1.1:1194
Dec  4 12:42:14 fractal ovpn-client[19366]: TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=c080e95b 018317be
Dec  4 12:42:15 fractal ovpn-client[19366]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=SK, ST=KE, L=Kosice, O=noorg, OU=noou, CN=noorg CA, name=EasyRSA, emailAddress=removed
Dec  4 12:42:15 fractal ovpn-client[19366]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec  4 12:42:15 fractal ovpn-client[19366]: TLS Error: TLS object -> incoming plaintext read error
Dec  4 12:42:15 fractal ovpn-client[19366]: TLS Error: TLS handshake failed
Dec  4 12:42:15 fractal ovpn-client[19366]: SIGUSR1[soft,tls-error] received, process restarting
Dec  4 12:42:15 fractal ovpn-client[19366]: Restart pause, 2 second(s)
Dec  4 12:42:17 fractal ovpn-client[19366]: Socket Buffers: R=[212992->131072] S=[212992->131072]
Dec  4 12:42:17 fractal ovpn-client[19366]: UDPv4 link local: [undef]
Dec  4 12:42:17 fractal ovpn-client[19366]: UDPv4 link remote: [AF_INET]192.168.1.1:1194
Dec  4 12:42:17 fractal ovpn-client[19366]: TLS: Initial packet from [AF_INET]192.168.1.1:1194, sid=39ebfd7f e5885ac1
Dec  4 12:42:17 fractal ovpn-client[19366]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: C=SK, ST=KE, L=Kosice, O=noorg, OU=noou, CN=noorg CA, name=EasyRSA, emailAddress=removed
Dec  4 12:42:17 fractal ovpn-client[19366]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Dec  4 12:42:17 fractal ovpn-client[19366]: TLS Error: TLS object -> incoming plaintext read error
Dec  4 12:42:17 fractal ovpn-client[19366]: TLS Error: TLS handshake failed
Dec  4 12:42:17 fractal ovpn-client[19366]: SIGUSR1[soft,tls-error] received, process restarting
Dec  4 12:42:17 fractal ovpn-client[19366]: Restart pause, 2 second(s)
etc., until SIGTERM.

I cannot find the log on server.

client.conf on the broken client:

client
;dev tap
dev tun
;dev-node MyTap
;proto tcp
proto udp
remote 192.168.1.1 1194
;remote-random
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
ca /etc/openvpn/keys/fractal.crt
cert /etc/openvpn/keys/fractal1.crt
key /etc/openvpn/keys/fractal1.key
ns-cert-type server
;tls-auth ta.key 1
cipher AES-256-CBC
comp-lzo
verb 3
;mute 20
auth MD5
tun-mtu 1500

server's openvpn.conf:

dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
keepalive 10 120
verb 3
mute 3
syslog
writepid /var/run/openvpnd.pid
management 127.0.0.1 14
management-log-cache 100
topology subnet
script-security 2
port 1194
proto udp
cipher aes-256-cbc
auth md5
client-config-dir /tmp/openvpn/ccd
comp-lzo adaptive
tls-server
ifconfig-pool-persist /tmp/openvpn/ip-pool 86400
client-to-client
fast-io
tun-mtu 1400
mtu-disc yes
server 10.8.0.0 255.255.255.0
dev tun2
tun-ipv6

Perhaps this might be useful for troubleshooting:

openssl x509 -subject -issuer -noout -in keys/fractal1.crt 
subject= /C=SK/ST=KE/L=Kosice/O=noorg/OU=noou/CN=fractal1/name=EasyRSA/emailAddress=igor.kysel@centrum.sk
issuer= /C=SK/ST=KE/L=Kosice/O=noorg/OU=noou/CN=noorg CA/name=EasyRSA/emailAddress=igor.kysel@centrum.sk

Of note, I have different OpenVPN versions on the two clients: the working one has 2.3.2-9, the broken one 2.3.4-5. I don't know the server version.

I am sure the ca.crt is the same on both clients and the server, and I am sure fractal1.crt verifies OK against the CA. As far as I understand, the only really self-signed cert is the ca.crt. Can this be a problem? How can I avoid or circumvent it? Why does it pop up on one client only?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Self signed certificate error

Post by maikcat » Thu Dec 04, 2014 5:41 pm

is fractal.crt and ca.crt the same file?

Michael.

menganito
OpenVpn Newbie
Posts: 2
Joined: Thu Dec 04, 2014 12:05 pm

Re: Self signed certificate error

Post by menganito » Wed Dec 10, 2014 8:31 pm

Hello,

Yes, this was indeed the error: I told OpenVPN to look for the CA and the client cert in the same file.
Also, sorry for not updating this thread; I didn't even know it was posted, as I couldn't see it among my posts.
