Use signed certificate

Posted: Mon Oct 03, 2011 9:56 am
by Darkuja
Hi

I am actually trying to use our signed certificate for our server. Everyone should be able to log in without any certificate. I've made a test with a self-signed one and it works perfectly. I just put the ca.cert and the .ovpn in the client configuration folder and it's good. I'd like to do the same, but with our certificate now.

Here is my configuration:

port 1194
proto udp
dev tun
ca GeoTrust_Global_CA.cer
cert lafourchette.com.pem
key lafourchette.com.key
dh dh2048.pem
server ***** 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route **** 255.255.254.0"
push "route **** 255.255.255.240"
push "route **** 255.255.255.240"
push "dhcp-option DOMAIN ****.lan"
push "dhcp-option DNS ****"
push "dhcp-option DNS ****"
keepalive 10 120
comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth/auth-ldap.conf
client-cert-not-required

Here is a log from the client:

Mon Oct 03 11:23:27 2011 Restart pause, 2 second(s)
Mon Oct 03 11:23:29 2011 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Oct 03 11:23:29 2011 NOTE: --script-security method='system' is deprecated due to the fact that passed parameters will be subject to shell expansion
Mon Oct 03 11:23:29 2011 Re-using SSL/TLS context
Mon Oct 03 11:23:29 2011 LZO compression initialized
Mon Oct 03 11:23:29 2011 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mon Oct 03 11:23:29 2011 Socket Buffers: R=[8192->8192] S=[8192->8192]
Mon Oct 03 11:23:29 2011 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Oct 03 11:23:29 2011 Local Options hash (VER=V4): '41690919'
Mon Oct 03 11:23:29 2011 Expected Remote Options hash (VER=V4): '530fdded'
Mon Oct 03 11:23:29 2011 UDPv4 link local: [undef]
Mon Oct 03 11:23:29 2011 UDPv4 link remote: ****:1194
Mon Oct 03 11:23:29 2011 TLS: Initial packet from ****:1194, sid=13fe57af 03535ce2
Mon Oct 03 11:23:30 2011 VERIFY OK: depth=2, /C=US/O=GeoTrust_Inc./CN=GeoTrust_Global_CA
Mon Oct 03 11:23:30 2011 VERIFY OK: depth=1, /C=US/O=GeoTrust__Inc./CN=RapidSSL_CA
Mon Oct 03 11:23:30 2011 VERIFY nsCertType ERROR: /serialNumber=CakKRQGp02EewpGOLxx-r1QLXGaGl60Q/C=FR/O=_.lafourchette.com/OU=GT72845239/OU=See_www.rapidssl.com/resources/cps__c_11/OU=Domain_Control_Validated_-_RapidSSL_R_/CN=_.lafourchette.com, require nsCertType=SERVER
Mon Oct 03 11:23:30 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mon Oct 03 11:23:30 2011 TLS Error: TLS object -> incoming plaintext read error
Mon Oct 03 11:23:30 2011 TLS Error: TLS handshake failed
Mon Oct 03 11:23:30 2011 TCP/UDP: Closing socket
Mon Oct 03 11:23:30 2011 SIGUSR1[soft,tls-error] received, process restarting
Mon Oct 03 11:23:30 2011 Restart pause, 2 second(s)

I probably missed something here, but can't see what :(

Any advice?

Re: Use signed certificate

Posted: Mon Oct 03, 2011 11:45 am
by janjust
You've built your server cert using

./build-key <server>

or something similar, yet your client expects the certificate to have a Netscape "server" attribute:

VERIFY nsCertType ERROR: /serialNumber=CakKRQGp02EewpGOLxx-r1QLXGaGl60Q/C=FR/O=_.lafourchette.com/OU=GT72845239/OU=See_www.rapidssl.com/resources/cps__c_11/OU=Domain_Control_Validated_-_RapidSSL_R_/CN=_.lafourchette.com, require nsCertType=SERVER

Either generate a certificate that has this attribute (e.g. using './build-key-server') or remove the line

ns-cert-type server

from the client config.

Re: Use signed certificate

Posted: Mon Oct 03, 2011 12:14 pm
by Darkuja
Hmm...

Maybe I wasn't clear. The certificate has been issued by a trusted CA (RapidSSL) and is not self-signed.
I can't use ./build-key-server since I didn't generate the certificate, and there is no "ns-cert-type server" in the client configuration.

Re: Use signed certificate

Posted: Mon Oct 03, 2011 12:31 pm
by janjust
Please post the client config - I just tried connecting to your server and did not get any SSL errors from the server (of course, the server did not accept me, but that's a different matter).

Re: Use signed certificate

Posted: Mon Oct 03, 2011 12:48 pm
by Darkuja
My bad. When I stripped off the comments, I noticed the "ns-cert-type server" line. I failed my ctrl-f.
This was solved when I removed it.

Is this still as secure as before?

Re: Use signed certificate

Posted: Mon Oct 03, 2011 8:45 pm
by janjust
'ns-cert-type server' serves as an extra precaution so that your vpn clients will only connect to a machine that has a server certificate; the 'ns-cert-type' attribute is a little out of date, newer server-only certificates have a different attribute set. You can check for the existence of this attribute using

remote-cert-tls server

(OpenVPN 2.1+)
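As an added example (not part of this thread and not OpenVPN's own code), here is a small POSIX shell script that inspects a PEM certificate for the two attributes discussed above: the legacy nsCertType "SSL Server" value that 'ns-cert-type server' looked for, and the extendedKeyUsage serverAuth plus keyUsage bits that 'remote-cert-tls server' checks. It relies only on the openssl command-line tool (1.1.1 or newer for the -addext flag used to build the constructed test certificates); the file names, subjects and the helper function names are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not from the forum thread or the OpenVPN project.
# Checks whether a PEM certificate would satisfy OpenVPN's server-side
# identity checks: the old "ns-cert-type server" (nsCertType extension)
# and the newer "remote-cert-tls server" (EKU serverAuth + key usage).
# Requires the openssl CLI; 1.1.1+ is needed for the -addext test helper.

# Dump the certificate in human-readable form (extensions included).
cert_text() {
  openssl x509 -in "$1" -noout -text
}

# 0 if extendedKeyUsage contains serverAuth ("TLS Web Server Authentication"),
# the attribute that remote-cert-tls server requires.
has_server_eku() {
  cert_text "$1" | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Server Authentication'
}

# 0 if keyUsage allows digitalSignature or keyEncipherment, the key-usage
# part of the remote-cert-tls server check.
has_tls_key_usage() {
  cert_text "$1" | grep -A1 'X509v3 Key Usage' \
    | grep -Eq 'Digital Signature|Key Encipherment'
}

# 0 if the legacy Netscape nsCertType extension marks an SSL server,
# which is what the deprecated ns-cert-type server option looked for.
has_ns_server_type() {
  cert_text "$1" | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'
}

# Combined check in the spirit of remote-cert-tls server.
is_openvpn_server_cert() {
  has_server_eku "$1" && has_tls_key_usage "$1"
}

# Build two constructed, self-signed test certificates in a temp directory:
# one shaped like a modern server cert, one shaped like a client cert.
# Prints the directory path. Assumed subjects; not real hosts.
make_test_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=vpn.example.test' \
    -addext 'keyUsage=digitalSignature,keyEncipherment' \
    -addext 'extendedKeyUsage=serverAuth' \
    -keyout "$dir/server.key" -out "$dir/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj '/CN=client1' \
    -addext 'keyUsage=digitalSignature' \
    -addext 'extendedKeyUsage=clientAuth' \
    -keyout "$dir/client.key" -out "$dir/client.pem" 2>/dev/null
  echo "$dir"
}

# Report one certificate's status on stdout.
report() {
  if is_openvpn_server_cert "$1"; then
    echo "$1: OK for remote-cert-tls server"
  else
    echo "$1: would be REJECTED by remote-cert-tls server"
  fi
  if has_ns_server_type "$1"; then
    echo "$1: has legacy nsCertType=server"
  else
    echo "$1: no nsCertType extension (normal for modern CA-issued certs)"
  fi
}

# Usage: run with no arguments to exercise the constructed certificates,
# or pass the path of a real PEM certificate, e.g. the server's cert file.
if [ "$#" -gt 0 ]; then
  report "$1"
elif [ "${RUN_DEMO:-1}" = 1 ] && [ -z "${SOURCED_FOR_TEST:-}" ]; then
  d=$(make_test_certs)
  report "$d/server.pem"
  report "$d/client.pem"
fi
```

Running it against the server certificate from the first post would show whether the RapidSSL-issued file carries serverAuth (so 'remote-cert-tls server' can replace the removed 'ns-cert-type server' line) and, as janjust notes, that a current CA-issued certificate has no nsCertType extension at all.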