OpenVPN with official certificates

Scripts to manage certificates or generate config files

Moderators: TinCanTech

zepouletto
OpenVpn Newbie
Posts: 7
Joined: Mon Jan 05, 2015 1:28 pm

OpenVPN with official certificates

Post by zepouletto » Mon Jan 05, 2015 2:25 pm

Hi all,

First of all, happy new year, wishing you as few bugs as possible for 2015!

I decided to post here because I couldn't find an answer to my problem anywhere.
I would like to use an official certificate for all the services I host on my server, therefore I bought a wildcard from SSLS (comodo). It is working fine with all services but I can't run my ovpn server correctly with it.

I do have:
The certificate of the CA [ca.crt] (which is a pem of SSLS and comodo certificates)
The private server key [server.key]
The server certificate [server.crt]
All are signed and valid!

I then generate a diffie hellman:
./build-dh keys/dh2048.pem

And the secret key for the SSL/TLS exchange:
openvpn --genkey --secret keys/ta.key

To me the following configuration should be correct:

In the server.conf file I have the following content:

Code:

# Interface options
dev tun
proto udp

# We mount the tunnel via this local L.L.L.L
local L.L.L.L

# Server should listen on port
port 1194

# The openvpn tunnel IP network (usually the server takes the first IP of the range hereunder and the clients the other IPs):
server 10.111.0.0 255.255.0.0

# Store couple client/IP for persistency
ifconfig-pool-persist ipp.txt

# The configuration that will be pushed to clients
# The default gw
push "redirect-gateway def1 bypass-dhcp"

# Route this network through server
push "route 10.111.0.0 255.255.0.0"

# DNS options
push "dhcp-option DNS 8.8.8.8"

# Allow different VPN clients to communicate together
client-to-client

# TLS mode enabled
tls-server

# Diffie-Hellman
dh keys/dh2048.pem

# Certificate Authority file
ca keys/ca.crt

# Server certificate
cert keys/server.crt

# Server private key
key keys/server.key

# TLS ta key (0 stands for server)
tls-auth keys/ta.key 0

# Persistent tunnel and key
persist-tun
persist-key

# Openvpn daemon user
user openvpn
group openvpn

# Watchdog of the VPN (ping every 10sec, if no response after 120sec assume peer as down)
keepalive 10 120

# Maximum number of authorized clients
max-clients 100
# Enables lzo compression
;comp-lzo

# Logging
status /var/log/openvpn-status.log
log /var/log/openvpn.log

# Log verbosity level
verb 3

# LDAP connector
username-as-common-name
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf

The server starts correctly and there are no errors in the log files...


But when I want to generate a cert & key couple for a client with pkitool, I have the following error:

Code:

pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/key-generator/keys
Try pkitool --initca to build a root certificate/key.

Which is normal as I will never have the ca.key of comodo :) (at least I hope not)

In this case what is the best thing to do? Use my own server.key and server.crt as CA (ca.crt and ca.key)?
But then, how do I generate a new key and cert couple signed by those ?

If you have any idea about the way to do this right, it will be a pleasure to try it out !

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: OpenVPN with official certificates

Post by maikcat » Mon Jan 05, 2015 5:40 pm

just curious, why do your certs need to be signed by comodo anyway?

Michael.

zepouletto
OpenVpn Newbie
Posts: 7
Joined: Mon Jan 05, 2015 1:28 pm

Re: OpenVPN with official certificates

Post by zepouletto » Tue Jan 06, 2015 5:25 am

Hi Maikcat (or Kalimera),

As I do have several servers, each with a lot of services, I want to avoid having to manage multiple certs/keys for each server; in the end it would give too many certificates to manage.

Have you any idea about how to set this up?
I will give it another try (different configuration) and show you another type of error...

Thanks

zepouletto
OpenVpn Newbie
Posts: 7
Joined: Mon Jan 05, 2015 1:28 pm

Re: OpenVPN with official certificates

Post by zepouletto » Tue Jan 06, 2015 10:05 am

Hi Michael (or Kalimera),

As I have several servers with numerous services on each, I would like all services (per server) to use the same cert/key; it avoids having to manage too many cert/key files.
And by the way, self-signed certificates... That's not the best for security :)

Hereunder is another try with a different configuration...

I use the comodo certificate as [ca.pem]
My private key as [ca.key]
And my certificate as [ca.crt]
Which makes me (my server key and cert) become the certification authority

Code:

# Certificate Authority file
ca keys/ca.pem

# Server certificate
cert keys/ca.crt

# Server private key
key keys/ca.key

For sure, the server still works as I just changed the names of the files.
But now, I can generate a client key/cert couple:

Code:

./pkitool jean.paul
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to 'jean.paul.key'
-----
Using configuration from /etc/openvpn/key-generator/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'XXX'
stateOrProvinceName   :PRINTABLE:'XXX'
localityName          :PRINTABLE:'XXX'
organizationName      :PRINTABLE:'XXX'
commonName            :PRINTABLE:'XXX'
Certificate is to be certified until Jan  3 05:51:02 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated

From there I generate the client configuration with inline keys/certs:

Code:

# Openvpn mode
client

# Interface options
dev tun
proto udp

# VPN server address
remote S.S.S.S 1194

# Number of attempts
resolv-retry infinite

# Dynamically assigned ports
nobind

# Local user, you should create and use another user
;user nobody
;group nogroup

# Persistence of some resources
persist-key
persist-tun

# Authentication
auth-user-pass

mute-replay-warnings

# Keys and certificates

# CA cert
<ca>
-----BEGIN CERTIFICATE-----
AAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBB
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
CCC
-----END CERTIFICATE-----
</ca>

# Client cert <clientName.clientSurname>.crt
<cert>
-----BEGIN CERTIFICATE-----
XXX
-----END CERTIFICATE-----
</cert>

# Client key <clientName.clientSurname>.key
<key>
-----BEGIN PRIVATE KEY-----
XXX
-----END PRIVATE KEY-----
</key>

# Use TLS authentication
#tls-auth ta.key 1
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
TTT
-----END OpenVPN Static key V1-----
</tls-auth>

# Get security script from server
;script-security 2

# Push DNS option from server
;up /etc/openvpn/update-resolv-conf
;down /etc/openvpn/update-resolv-conf

# Daemonized client (or not)
;daemon

# Log verbosity
verb 3

I can't connect to the server and there is the following information in the client logs:

Code:

12:11:33 2015 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Jun  5 2014
12:11:33 2015 library versions: OpenSSL 1.0.1h 5 Jun 2014, LZO 2.05
Enter Management Password:
12:11:33 2015 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25340
12:11:33 2015 Need hold release from management interface, waiting...
12:11:34 2015 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25340
12:11:34 2015 MANAGEMENT: CMD 'state on'
12:11:34 2015 MANAGEMENT: CMD 'log all on'
12:11:34 2015 MANAGEMENT: CMD 'hold off'
12:11:34 2015 MANAGEMENT: CMD 'hold release'
12:11:43 2015 MANAGEMENT: CMD 'username "Auth" "jean.paul"'
12:11:43 2015 MANAGEMENT: CMD 'password [...]'
12:11:43 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
12:11:43 2015 Control Channel Authentication: tls-auth using INLINE static key file
12:11:43 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
12:11:43 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
12:11:43 2015 Socket Buffers: R=[8192->8192] S=[8192->8192]
12:11:43 2015 UDPv4 link local: [undef]
12:11:43 2015 UDPv4 link remote: [AF_INET]S.S.S.S:1194
12:11:43 2015 MANAGEMENT: >STATE:1420531903,WAIT,,,
12:11:43 2015 MANAGEMENT: >STATE:1420531903,AUTH,,,
12:11:43 2015 TLS: Initial packet from [AF_INET]S.S.S.S:1194, sid=c8e7036e 689e2f2b
12:11:43 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
12:11:46 2015 VERIFY OK: depth=3, C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
12:11:46 2015 VERIFY OK: depth=2, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Certification Authority
12:11:46 2015 VERIFY OK: depth=1, C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
12:11:46 2015 VERIFY OK: depth=0, OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.myDomain.com
12:12:43 2015 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
12:12:43 2015 TLS Error: TLS handshake failed
12:12:43 2015 SIGUSR1[soft,tls-error] received, process restarting
12:12:43 2015 MANAGEMENT: >STATE:1420531963,RECONNECTING,tls-error,,
12:12:43 2015 Restart pause, 2 second(s)

There seems to be a timeout during TLS negotiation...
So I went to the server logs and found that the server is blocking as it doesn't receive the "local issuer certificate"... What does this mean?
I fear that it comes from the fact that the CA.crt is constituted of several certificates.

Code:

09:11:18 2015 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Dec  1 2014
09:11:18 2015 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
09:11:18 2015 PLUGIN_INIT: POST /usr/lib/openvpn/openvpn-auth-ldap.so '[/usr/lib/openvpn/openvpn-auth-ldap.so] [/etc/openvpn/auth/auth-ldap.conf]' intercepted=PLUGIN_AUTH_USER_PASS_VERIFY|PLUGIN_CLIENT_CONNECT|PLUGIN_CLIENT_DISCONNECT
09:11:18 2015 Diffie-Hellman initialized with 2048 bit key
09:11:18 2015 Control Channel Authentication: using '/keys/ta.key' as a OpenVPN static key file
09:11:18 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
09:11:18 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
09:11:18 2015 TLS-Auth MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
09:11:18 2015 Socket Buffers: R=[229376->131072] S=[229376->131072]
09:11:18 2015 ROUTE default_gateway=G.G.G.G
09:11:18 2015 TUN/TAP device tun0 opened
09:11:18 2015 TUN/TAP TX queue length set to 100
09:11:18 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
09:11:18 2015 /sbin/ifconfig tun0 10.111.0.1 pointopoint 10.111.0.2 mtu 1500
09:11:18 2015 /sbin/route add -net 10.111.0.0 netmask 255.255.0.0 gw 10.111.0.2
09:11:18 2015 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
09:11:18 2015 GID set to openvpn
09:11:18 2015 UID set to openvpn
09:11:18 2015 UDPv4 link local (bound): [AF_INET]172.16.0.242:1194
09:11:18 2015 UDPv4 link remote: [undef]
09:11:18 2015 MULTI: multi_init called, r=256 v=256
09:11:18 2015 IFCONFIG POOL: base=10.111.0.4 size=16382, ipv6=0
09:11:18 2015 ifconfig_pool_read(), in='jean.paul,10.111.0.4', TODO: IPv6
09:11:18 2015 succeeded -> ifconfig_pool_set()
09:11:18 2015 IFCONFIG POOL LIST
09:11:18 2015 jean.paul,10.111.0.4
09:11:18 2015 Initialization Sequence Completed
09:11:36 2015 MULTI: multi_create_instance called
09:11:36 2015 C.C.C.C:59020 Re-using SSL/TLS context
09:11:36 2015 C.C.C.C:59020 Control Channel MTU parms [ L:1541 D:166 EF:66 EB:0 ET:0 EL:0 ]
09:11:36 2015 C.C.C.C:59020 Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
09:11:36 2015 C.C.C.C:59020 Local Options hash (VER=V4): 'a2e2498c'
09:11:36 2015 C.C.C.C:59020 Expected Remote Options hash (VER=V4): '70f5b3af'
09:11:36 2015 C.C.C.C:59020 TLS: Initial packet from [AF_INET]C.C.C.C:59020, sid=50adf3db 2fbd2f0b
09:11:41 2015 C.C.C.C:59020 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=FR/ST=IDF/L=P/O=TEST/CN=jean.paul
09:11:41 2015 C.C.C.C:59020 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
09:11:41 2015 C.C.C.C:59020 TLS Error: TLS object -> incoming plaintext read error
09:11:41 2015 C.C.C.C:59020 TLS Error: TLS handshake failed
09:11:41 2015 C.C.C.C:59020 SIGUSR1[soft,tls-error] received, client-instance restarting

What do you think about this?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: OpenVPN with official certificates

Post by maikcat » Tue Jan 06, 2015 5:58 pm

good afternoon (kalispera)

> I would like all services (per server) to use the same cert/key; it avoids having to manage too many cert/key files.

all you do need is ONE CA, but it is recommended to have a CA per installation unless
of course security is not a big concern to you

> And by the way, self-signed certificates... That's not the best for security :)

i didn't get that one... the only self-signed cert is the CA itself

> I use the comodo certificate as [ca.pem]
> My private key as [ca.key]
> And my certificate as [ca.crt]
> Which makes me (my server key and cert) become the certification authority

you are joking right?
how did you create your ca.* certs?
your CA keys can't be used as server keys.

Michael.

zepouletto
OpenVpn Newbie
Posts: 7
Joined: Mon Jan 05, 2015 1:28 pm

Re: OpenVPN with official certificates

Post by zepouletto » Wed Jan 07, 2015 5:18 am

Hi Michael,

What do you mean by a CA per installation ? (do you mean one CA per service or one CA per server)

No joke, it is the worst I could do but at least it would help me understand where the problem resides... (just to debug)!
That's how I realised that in the previous case, when signing the client csr, I was missing the CA.key (that I will never have).

So, to go back to the initial question... Is it possible to make openvpn run with those keys and certificates ?
It should but as I will never have the CA.key of Comodo and as I need one (the key/cert pair for the CA) to be able to sign and generate client certificates...

What is the best solution ?


Have a good day (Na exete kalimera)

zepouletto
OpenVpn Newbie
Posts: 7
Joined: Mon Jan 05, 2015 1:28 pm

Re: OpenVPN with official certificates

Post by zepouletto » Wed Jan 07, 2015 5:39 am

Hi,

By reading previous posts I realised that I wasn't very clear about the problem.

What I understood about openVPN:

You have a CA [key and crt couple]
You have the server [key and crt couple]
You have X clients [key and crt couple]

The CA is used to sign the server certificate, which is normal, that's what it's used for.
But what I don't get is that the CA seems to sign the client certificate? Shouldn't the server sign the client cert? Or did I miss something?

Thank you

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: OpenVPN with official certificates

Post by maikcat » Wed Jan 07, 2015 6:38 am

first i would like to clarify that the cert thing is NOT OpenVPN's thing but it's how SSL/TLS works.

i would try to be brief:

forget openvpn for now.

you have a CA (cert authority) which consists of a few files, among them ca.crt (which is public) and ca.key (which is private).

when you issue a new certificate (it could be ANY type of cert, e.g. for mail signing or for code signing or for user auth)
you actually perform 2 steps: first you create a csr (cert signing request), which can be done by anyone, BUT
then to be known it MUST be signed by your CA (ca.key); after that anyone can match this cert against the CA it was signed by.

ok so far?

let's bring openvpn into the picture now.
most users create their own CA and then they create their OWN certs; server or client, it's irrelevant since the
type is actually a cert with a different OID.

after that EVERY cert which is signed by their CA is VALID from the server's point of view,
the server is NOT keeping any type of cert database whatsoever....
if the incoming cert is signed by their CA it IS valid...

for example,
i create my own CA and create a couple of keys (one server and the other client),
i set up an openvpn installation which uses those keys,
after that my ca.key is compromised by you :)
you create a new cert and sign it with the ca.key you got from me,
next you try to connect to MY openvpn server....

yes you connect :D.

do you understand why the CA thing is important?

Michael.

zepouletto
OpenVpn Newbie
Posts: 7
Joined: Mon Jan 05, 2015 1:28 pm

Re: OpenVPN with official certificates

Post by zepouletto » Wed Jan 07, 2015 8:52 am

Hi,

Yes, no problem about the PKI infrastructure ;) I know that it is not especially OpenVPN related...

Yep, we totally agree on all that!
And that's also why we use a "real" certificate Authority, as we hope that they will not get their KEY stolen :)

I was wrong as I thought that OpenVPN would sign its client certs with its own (server) cert, and not the CA itself...
This means that I cannot use a cert signed by an official CA for my server :( As I would need to ask that CA for a certificate for each new ovpn client.

Do we agree ?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: OpenVPN with official certificates

Post by maikcat » Wed Jan 07, 2015 9:46 am

> This means that I cannot use a cert signed by an official CA for my server :( As I would need to ask that CA for a certificate for each new ovpn client.

keep in mind that every cert signed by this CA WILL BE valid for your openvpn server.

just for your info look also at Intermediary CAs.

i usually build a CA for each of my customers and save the headache if one CA is compromised...

Michael.
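An added example, not from the thread and not easy-rsa's or OpenVPN's own code, that replays with plain openssl the three chain situations discussed above: a private CA signing server and client as pkitool intends; zepouletto's second attempt, where a client cert is signed by the public-CA-issued server key while "ca" still holds the public chain (which reproduces the "unable to get local issuer certificate" error from the server log); and maikcat's warning that with a public CA in "ca", any cert that CA ever issued passes the chain check. The names privateCA, publicCA, wildcard, stranger and the helper functions are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from easy-rsa: replay the chain
# situations discussed above with plain openssl in a scratch directory.
# Assumes openssl 1.1.1+; privateCA/publicCA/wildcard/stranger are made-up names.
set -e
WORK=$(mktemp -d)
cd "$WORK"
# Minimal req config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# make_ca <name>: self-signed CA:TRUE cert, what "pkitool --initca" builds.
make_ca() {
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# issue <name> <issuer>: CSR, then sign it with <issuer>'s key (pkitool's 2 steps).
issue() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -days 365 -out "$1.crt" 2>/dev/null
}
# chains_to <name> <cafile>: the check the server's "ca" option performs; reason kept in <name>.err.
chains_to() {
  openssl verify -CAfile "$2" "$1.crt" >"$1.err" 2>&1
}

# Case 1: one private CA signs server and client, as easy-rsa intends.
make_ca privateCA
issue server privateCA
issue jean.paul privateCA

# Case 2: the thread's second attempt. The bought server cert (a leaf from the
# public CA) signs a client cert, but "ca" still holds only the public chain.
make_ca publicCA                  # stands in for the Comodo chain
issue wildcard publicCA           # the purchased *.myDomain.com-style cert
issue jean.paul2 wildcard

# Case 3: maikcat's warning. Any cert the public CA issued, to anyone, passes.
issue stranger publicCA

chains_to jean.paul  privateCA.crt && echo "case 1: client accepted"
chains_to jean.paul2 publicCA.crt  || echo "case 2: $(cat jean.paul2.err)"
chains_to stranger   publicCA.crt  && echo "case 3: stranger accepted too"
```

Case 3 is why the thread's advice is a private or intermediate CA in "ca" rather than the public chain; the LDAP plugin in the server config is a second factor on top of that check, not a replacement for it.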

zepouletto
OpenVpn Newbie
Posts: 7
Joined: Mon Jan 05, 2015 1:28 pm

Re: OpenVPN with official certificates

Post by zepouletto » Wed Jan 07, 2015 11:42 am

Hi,

Yes, you are right, that's an embarrassing point... But that's also why in my configuration I combine the key/cert and an extra LDAP authentication!
I was thinking about an intermediate CA, but I lack information on those practices.
I first need to read more about it, as my main problem is to avoid having to manage a thousand certificates that all have different validity dates.

Thank you for the help ;)
