Inline cert/key woes.

Posted: Wed Dec 08, 2021 11:16 am
by damienh
Hi, I'm trying to set up a config with inline everything for the purposes of the iOS client. After some IRC help I managed to get the inline strings of keys and certificates, so I copied the output of openssl base64 -in file.crt/key/pem to a structure similar to this example. I checked and I copied it correctly and I can't find any issues with the tags, but I'm still getting:

OpenSSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode
OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
The config looks like this:

tls-client
dev tun
remote vpn.server.com
proto udp
port 1194
pull
#tls-cipher "DEFAULT:@SECLEVEL=0"
comp-lzo
verb 5
resolv-retry infinite
nobind
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
LS0tLS1C[...]tLS0tLQ0K
-----END CERTIFICATE-----
</ca>

<tls-auth>
-----BEGIN OpenVPN Static key V1-----
Iw0KIy[...]LS0tLQ0K
-----END OpenVPN Static key V1-----
</tls-auth>

<key>
-----BEGIN RSA PRIVATE KEY-----
LS0tLS1[...]ktLS0tLQo=
-----END RSA PRIVATE KEY-----
</key>

<cert>
-----BEGIN CERTIFICATE-----
Q2VydGl[...]RS0tLS0tCg==
-----END CERTIFICATE-----
</cert>
I guess the problem is with the .pem file used in <ca>? I was also getting these before I started playing with the "DEFAULT:@SECLEVEL=0" line; for some reason I'm not getting them anymore:

OpenSSL: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
OpenSSL: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
OpenSSL: error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Oh and the iOS OpenVPN Connect client throws out just a nonspecific "parse_hex_error".

Any help is appreciated!

Re: Inline cert/key woes.

Posted: Sat Dec 11, 2021 10:03 pm
by openvpn_inc
Hello damienh,

Sounds to me like you somehow managed to make your certificate/key into a format OpenVPN doesn't expect.

If you currently have a config file and a separate certificate or key file, don't use OpenSSL to do anything with that separate certificate or key file. Just open the certificate or key in a text editor. Copy/paste that content. Then open the config file. And paste the content in your clipboard in between the <ca></ca> or <cert></cert> or <key></key> etc. blocks.

If things still break you should take another careful look at your keys/certificates as they are apparently in a format OpenVPN doesn't expect.

Kind regards,
Johan
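An added illustration of what went wrong, not part of the thread: the inline bodies in the original post are base64 of the PEM and static-key files themselves (the `LS0tLS1C` prefix decodes to `-----B`, and `Iw0KIy` to `#\r\n#`), which is exactly what `openssl base64 -in file.crt` produces. The checker below is my own constructed example with my own names; it parses the `<tag>...</tag>` blocks of a config, base64-decodes each body and flags the double-encoded case, the non-hex static key that triggers the client's hex parse error, and plain bad base64.

```python
import base64
import binascii
import re

# PEM armor inside a block, and an OpenVPN inline block <tag>...</tag>
ARMOR = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)
BLOCK = re.compile(r"<([A-Za-z][\w-]*)>\s*(.*?)\s*</\1>", re.S)


def _double_encoded(body: str) -> bool:
    """True if the body is base64 of a text file (PEM armor or a '#' comment)."""
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return raw.lstrip().startswith((b"-----BEGIN", b"#"))


def classify(block: str) -> str:
    """Classify one inline block as ok / double-encoded / not-hex / bad-base64 / not-der."""
    m = ARMOR.search(block)
    if not m:
        return "missing-armor"
    label, body = m.group(1), "".join(m.group(2).split())
    if label == "OpenVPN Static key V1":
        # tls-auth / tls-crypt static keys are hex lines, never base64
        if re.fullmatch(r"[0-9a-fA-F]+", body):
            return "ok"
        return "double-encoded" if _double_encoded(body) else "not-hex"
    try:
        raw = base64.b64decode(body, validate=True)
    except binascii.Error:
        return "bad-base64"
    if raw.lstrip().startswith((b"-----BEGIN", b"#")):
        return "double-encoded"
    # A certificate or key body decodes to DER, which starts with SEQUENCE (0x30)
    return "ok" if raw[:1] == b"\x30" else "not-der"


def check_config(text: str) -> dict:
    """Map every inline block tag in an OpenVPN config to its classification."""
    return {tag: classify(body) for tag, body in BLOCK.findall(text)}


# Constructed sample config: <ca> holds a PEM file run through `openssl base64`,
# <cert> holds a (truncated, constructed) DER prefix, <tls-auth> holds hex.
_PEM_AS_BASE64 = base64.b64encode(
    b"-----BEGIN CERTIFICATE-----\nMIIBAA==\n-----END CERTIFICATE-----\n").decode()
SAMPLE_CONFIG = (
    "client\ndev tun\n"
    f"<ca>\n-----BEGIN CERTIFICATE-----\n{_PEM_AS_BASE64}\n-----END CERTIFICATE-----\n</ca>\n"
    "<cert>\n-----BEGIN CERTIFICATE-----\nMIIBAA==\n-----END CERTIFICATE-----\n</cert>\n"
    "<tls-auth>\n-----BEGIN OpenVPN Static key V1-----\n0123456789abcdef0123456789abcdef\n"
    "-----END OpenVPN Static key V1-----\n</tls-auth>\n")

if __name__ == "__main__":
    for tag, verdict in check_config(SAMPLE_CONFIG).items():
        print(f"<{tag}>: {verdict}")
```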

Re: Inline cert/key woes.

Posted: Sun Dec 12, 2021 2:55 pm
by damienh
Oh I see, perfect! It's working now. I had to replace all of those certificate strings though.

Sorry, I was following this man page and maybe I just misunderstood it.