Greetings
I've been struggling for 2 weeks now so really hoping the list can offer some help. I purchased Jan Keijser's OpenVPN 2 Cookbook (which has been an enormous help)... but I'm stuck with an annoying TLS_ERROR.
The Setup:
Fedora 12 (openvpn client)
openvpn-2.1.1-2.fc12.x86_64
On this same server I'm running vmware desktop with a Fedora 13 guest (openvpn server)
openvpn-2.1.1-2.fc13.x86_64
I cleaned out /etc/openvpn on both systems
Copied easy-rsa to /tmp, edited "vars" and ran the following commands
cd /tmp/easy-rsa
. ./vars
./clean-all
./build-ca --pass
./build-key-server server
./build-key-server --batch client
./build-dh
openvpn --genkey --secret ta.key
I copied the resulting server keys to (/etc/openvpn/keys)
-rw-r--r-- 1 root root 1444 Jun 2 17:21 ca.crt
-rw-r--r-- 1 root root 245 Jun 2 17:23 dh1024.pem
-rw-r--r-- 1 root root 4213 Jun 2 17:22 server.crt
-rw------- 1 root root 912 Jun 2 17:22 server.key
Then I created the server.conf file [ Fedora 13 vmware guest ] (/etc/openvpn/server.conf)
proto tcp
port 1194
dev tun
server 10.0.0.0 255.255.255.0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
script-security 2
I then created the client.conf [ Fedora 12 "main pc" ] (/etc/openvpn/client.conf)
client
proto tcp
port 1194
dev tun
nobind
remote plxweb01
remote-cert-tls server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client.crt
key /etc/openvpn/keys/client.key
script-security 2
keepalive 10 60
I used "scp" to copy the client keys to the client (/etc/openvpn/keys)
-rw-r--r-- 1 root root 1444 2011-06-02 17:21 ca.crt
-rw-r--r-- 1 root root 4162 2011-06-02 17:30 client.crt
-rw------- 1 root root 916 2011-06-02 17:30 client.key
I then start openvpn on the "server":
[root@plxweb01 ~]# openvpn --config /etc/openvpn/server.conf
Thu Jun 2 21:22:14 2011 OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 5 2010
Thu Jun 2 21:22:14 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 2 21:22:14 2011 TUN/TAP device tun0 opened
Thu Jun 2 21:22:14 2011 /sbin/ip link set dev tun0 up mtu 1500
Thu Jun 2 21:22:14 2011 /sbin/ip addr add dev tun0 local 10.0.0.1 peer 10.0.0.2
Thu Jun 2 21:22:14 2011 Listening for incoming TCP connection on [undef]:1194
Thu Jun 2 21:22:14 2011 TCPv4_SERVER link local (bound): [undef]:1194
Thu Jun 2 21:22:14 2011 TCPv4_SERVER link remote: [undef]
Thu Jun 2 21:22:14 2011 Initialization Sequence Completed
and then I start the client:
[root@core ~]# openvpn --config /etc/openvpn/client.conf
Thu Jun 2 21:22:52 2011 OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 5 2010
Thu Jun 2 21:22:52 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 2 21:22:52 2011 Attempting to establish TCP connection with 192.100.1.21:1194 [nonblock]
Thu Jun 2 21:22:53 2011 TCP connection established with 192.100.1.21:1194
Thu Jun 2 21:22:53 2011 TCPv4_CLIENT link local: [undef]
Thu Jun 2 21:22:53 2011 TCPv4_CLIENT link remote: 192.100.1.21:1194
Thu Jun 2 21:22:53 2011 Connection reset, restarting [0]
Thu Jun 2 21:22:53 2011 SIGUSR1[soft,connection-reset] received, process restarting
Looking at the server logs (screen output), I am unable to rectify the following error:
Thu Jun 2 21:22:51 2011 192.100.1.10:40418 VERIFY ERROR: depth=0, error=unsupported certificate purpose /C=GB/ST=Greater_London/L=London/O=Veritrack_Limited/CN=client/emailAddress=infosec@veritrack.co.uk
Thu Jun 2 21:22:51 2011 192.100.1.10:40418 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Thu Jun 2 21:22:51 2011 192.100.1.10:40418 TLS Error: TLS object -> incoming plaintext read error
Thu Jun 2 21:22:51 2011 192.100.1.10:40418 TLS Error: TLS handshake failed
Thu Jun 2 21:22:51 2011 192.100.1.10:40418 Fatal TLS error (check_tls_errors_co), restarting
Both systems have /etc/hosts entries for their short names and FQDN
Both systems use ntp to keep their date/time in sync
Both systems are currently in "BST" time (Thu Jun 2 21:25:36 BST 2011)
Any ideas?
I was wondering if I need to add the ca.crt to the "openssl" list of trusted CAs? (/etc/pki/tls)
When I try and verify ca.crt with openssl, I get the following errors:
[root@plxweb01 keys]# pwd
/etc/openvpn/keys
[root@plxweb01 keys]# openssl verify ca.crt
ca.crt: C = GB, ST = Greater London, L = London, O = Veritrack Limited, CN = Veritrack Limited CA, name = Bruce Bushby, emailAddress = infosec@veritrack.co.uk
error 18 at 0 depth lookup:self signed certificate
OK
[root@plxweb01 keys]# openssl verify -CAfile ca.crt ca.crt
ca.crt: OK
[root@plxweb01 keys]# openssl verify -CAfile server.crt server.crt
server.crt: C = GB, ST = Greater London, L = London, O = Veritrack Limited, CN = server, name = Bruce Bushby, emailAddress = infosec@veritrack.co.uk
error 20 at 0 depth lookup:unable to get local issuer certificate
[root@plxweb01 keys]#
Apologies for the long/detailed post....hopefully somebody else will find it useful.
Any help would be much appreciated!
Cheers
Bruce
Help: error=unsupported certificate purpose
janjust (Forum Team)
Re: Help: error=unsupported certificate purpose
try recreating the client cert using
./build-key --batch client
(i.e. remove '-server')
as for the 'openssl verify' commands: the ca.crt is always self-signed; you can verify the server and client certs using
openssl verify -CAfile ca.crt server.crt
openssl verify -CAfile ca.crt client.crt
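The cause janjust points to can be reproduced with plain openssl, outside OpenVPN. The script below is an added example (not from the thread, easy-rsa or the book): it builds a throwaway CA in a temp directory, issues one cert with a server extension set modelled on what build-key-server applies and one with a client extension set modelled on build-key (both sets, the CA name and the file names are assumptions of this example), then runs openssl verify -purpose sslclient against each, which is the purpose check OpenSSL applies to a client certificate during the TLS handshake.

```shell
#!/bin/sh
# Added example: reproduce "unsupported certificate purpose" with plain openssl.
# Everything below is a constructed throwaway PKI in a temp dir, not the poster's keys.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the run does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n' > req.cnf
printf '[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> req.cnf

# Throwaway CA (hypothetical name).
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# Extension sets modelled on what easy-rsa's build-key-server and build-key apply
# (an assumption of this example): the server set carries no clientAuth at all.
printf 'basicConstraints=CA:FALSE\nnsCertType=server\nextendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' > client.ext

# issue NAME EXTFILE: key + CSR for NAME, signed by the CA with EXTFILE's extensions.
issue() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -extfile "$2" -out "$1.crt" >/dev/null 2>&1
}

# check_purpose CERT PURPOSE: exit 0 only if CERT chains to ca.crt AND is valid for
# PURPOSE (sslclient or sslserver), which is what the TLS peer checks in the handshake.
check_purpose() {
  openssl verify -purpose "$2" -CAfile ca.crt "$1" >/dev/null 2>&1
}

# The thread's mistake: a "client" cert built with the server extension set.
issue wrongclient server.ext
# What build-key produces.
issue client client.ext

for c in wrongclient client; do
  for p in sslclient sslserver; do
    if check_purpose "$c.crt" "$p"; then
      echo "$c.crt as $p: OK"
    else
      echo "$c.crt as $p: unsupported certificate purpose"
    fi
  done
done
```

Running `openssl verify -purpose sslclient -CAfile ca.crt client.crt` against a real client cert is the quickest way to tell whether a VERIFY ERROR like the one above is a purpose problem or a chain problem.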
Re: Help: error=unsupported certificate purpose
Hi Jan
Thanks for the help, really appreciate it!!!
I recreated the key and I now have tun0 on the client
[root@core ~]# openvpn --config /etc/openvpn/client.conf
Thu Jun 2 23:28:59 2011 OpenVPN 2.1.1 x86_64-redhat-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] built on Jan 5 2010
Thu Jun 2 23:28:59 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jun 2 23:28:59 2011 Attempting to establish TCP connection with 192.100.1.21:1194 [nonblock]
Thu Jun 2 23:29:00 2011 TCP connection established with 192.100.1.21:1194
Thu Jun 2 23:29:00 2011 TCPv4_CLIENT link local: [undef]
Thu Jun 2 23:29:00 2011 TCPv4_CLIENT link remote: 192.100.1.21:1194
Thu Jun 2 23:29:00 2011 [server] Peer Connection Initiated with 192.100.1.21:1194
Thu Jun 2 23:29:02 2011 TUN/TAP device tun0 opened
Thu Jun 2 23:29:02 2011 /sbin/ip link set dev tun0 up mtu 1500
Thu Jun 2 23:29:02 2011 /sbin/ip addr add dev tun0 local 10.0.0.6 peer 10.0.0.5
Thu Jun 2 23:29:02 2011 Initialization Sequence Completed
And thanks for the book!! I've been struggling to get my head around pki and vpn. I skipped to chapter 2 and 12 pages later I have a working vpn....I should have paid more attention to the xterm example block on page 35....it also says "build-key --batch client"
Cheers
Bruce