Client install not working- errors
Posted: Fri Oct 16, 2015 1:22 am
by dthommail
So I followed directions from Liquid Web to install OpenVPN on my server and laptop. The server host install seems OK but I am stuck trying to get the laptop client working. When I run # openvpn /etc/openvpn/client.conf this is the error message I get.
Thu Oct 15 20:16:50 2015 OpenVPN 2.3.8 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Aug 4 2015
Thu Oct 15 20:16:50 2015 library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.06
Thu Oct 15 20:16:50 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Thu Oct 15 20:16:50 2015 Cannot load certificate file /etc/openvpn/easy-rsa/keys/client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Thu Oct 15 20:16:50 2015 Exiting due to fatal error
Where do I go from here?
Running Linux CentOS 7 on both.
Re: Client install not working- errors
Posted: Mon Oct 19, 2015 11:32 am
by Traffic
dthommail wrote:Cannot load certificate file /etc/openvpn/easy-rsa/keys/client.crt: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
This suggests there is something wrong with your client.crt
Did you use easy-rsa to create your PKI ?
Re: Client install not working- errors
Posted: Mon Oct 19, 2015 12:22 pm
by dthommail
Yes, I used easy-rsa. Any assistance you can offer would be greatly appreciated.
Re: Client install not working- errors
Posted: Wed Oct 28, 2015 10:26 am
by dthommail
Yes, I used easy-rsa.
Re: Client install not working- errors
Posted: Mon Nov 23, 2015 9:01 pm
by Traffic
dthommail wrote:Cannot load certificate file /etc/openvpn/easy-rsa/keys/client.crt <..> no start line:
Look in that file for this sort of thing:
Code:
Certificate:
    Data:
        Version: <..>
        Serial Number: <..>
        Signature Algorithm: <..>
        Issuer: <..>
        Validity
            Not Before: <..>
            Not After : <..>
        Subject: <..>
        Subject Public Key Info:
            Public Key Algorithm: <..>
                Public-Key: (x bit)
                pub:
                    <..>
                ASN1 OID: <..>
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                <..>
            X509v3 Authority Key Identifier:
                keyid:<..>
                DirName:<..>
                serial: <..>
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage:
                Digital Signature
    Signature Algorithm:
        <..>
-----BEGIN CERTIFICATE-----
<..>
-----END CERTIFICATE-----
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 2:07 am
by dthommail
It follows your example up to Public-Key. The next line is Modulus: and then a whole bunch of hex numbers separated by colons and then "client.crt" 96L, 5488C.
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 1:22 pm
by Traffic
Traffic wrote:Yes, I used easy-rsa.
Did you create the cert with a password or without ?
< ./easyrsa build-key > or < ./easyrsa build-client-full > will, by default, encrypt with a password .. use the nopass option to over-ride.
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 2:05 pm
by dthommail
I used:
cd /etc/openvpn/easy-rsa
./build-key client
where client is the name I use for the client machine since there is only one right now. I did not see an option for passwords at all.
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 2:07 pm
by dthommail
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 2:24 pm
by Traffic
dthommail wrote:I used:
cd /etc/openvpn/easy-rsa
./build-key client
This means your client cert has been created with a password.
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 5:44 pm
by dthommail
Should I delete the old cert and create a new one? What is the password for?
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 6:55 pm
by Traffic
dthommail wrote:Should I delete the old cert and create a new one?
Can you remember the password ?
dthommail wrote:What is the password for?
To encrypt your cert/key allowing a questionable * layer of security ..
- questionable * : Because a lot of people then store the password in plain text ..
EasyRSA Guide:
https://community.openvpn.net/openvpn/wiki/EasyRSA
Re: Client install not working- errors
Posted: Tue Nov 24, 2015 8:15 pm
by dthommail
I don't remember the password or being prompted to make one.
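The two checks discussed in this thread (does client.crt contain a PEM start line, and is the key passphrase-encrypted) can be run with the script below. It is an added example, not part of the original posts; the function names check_pem and make_samples, the result labels and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# check_pem FILE -> missing | no-pem | truncated | cert | key-encrypted | key-plain | other-pem
check_pem() {
    [ -r "$1" ] || { echo missing; return 0; }
    body=$(tr -d '\r' < "$1")                 # tolerate CRLF line endings
    begin=$(printf '%s\n' "$body" | grep -- '^-----BEGIN [A-Z0-9 ]*-----$' | head -n 1)
    if [ -z "$begin" ]; then
        echo no-pem                            # OpenSSL: "PEM_read_bio:no start line"
        return 0
    fi
    label=${begin#-----BEGIN }
    label=${label%-----}
    if ! printf '%s\n' "$body" | grep -q -- "^-----END $label-----\$"; then
        echo truncated                         # start line present, end line missing
        return 0
    fi
    case $label in
        CERTIFICATE) echo cert ;;
        'ENCRYPTED PRIVATE KEY') echo key-encrypted ;;   # PKCS#8 with a passphrase
        *'PRIVATE KEY')
            # The traditional key format marks encryption in a header line.
            if printf '%s\n' "$body" | grep -q '^Proc-Type: 4,ENCRYPTED$'; then
                echo key-encrypted
            else
                echo key-plain
            fi ;;
        *) echo other-pem ;;
    esac
}

# Constructed samples (placeholder bodies, not real certificates or keys).
make_samples() {
    printf '%s\n' 'Certificate:' '    Data:' '        Public-Key: (2048 bit)' \
        '        Modulus:' '            00:aa:bb:cc' > "$1/text-only.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' \
        '-----END CERTIFICATE-----' > "$1/ok.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$1/enc.key"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'AAAA' \
        '-----END PRIVATE KEY-----' > "$1/plain.key"
}

dir=$(mktemp -d) && make_samples "$dir"
for f in text-only.crt ok.crt enc.key plain.key; do
    printf '%-14s %s\n' "$f" "$(check_pem "$dir/$f")"
done
rm -rf "$dir"
```

A file that holds only the human-readable dump and stops before the BEGIN CERTIFICATE line is reported as no-pem, which is the condition behind the "no start line" error quoted above.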