FS#54589 - [openssl] [openvpn]
Attached to Project:
Arch Linux
Opened by John (graysky) - Sunday, 25 June 2017, 18:27 GMT
Last edited by Doug Newgard (Scimmia) - Monday, 26 June 2017, 22:41 GMT
Details
I am unable to connect to my openvpn server on a new box
(client and server both run Arch x86_64). I believe that
OpenVPN is rejecting a self-signed CA signature now whereas
it did not in the past. Around November of 2016 when we were
on openssl-1.0.2j, I did not experience this issue
generating my openvpn files under that version. For example,
multiple servers I created then still work to this day
using the identical procedure to generate the
key/certs[1].
Excerpt from openvpn client trying to connect:

VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=ease CA
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
TLS_ERROR: BIO read tls_read_plaintext error
TLS Error: TLS object -> incoming plaintext read error
TLS Error: TLS handshake failed
Fatal TLS error (check_tls_errors_co), restarting
SIGUSR1[soft,tls-error] received, process restarting
Restart pause, 5 second(s)

Are there any Arch modifications that might explain breakage of self-signed certs? Again, this all worked (tested multiple times on newly spun up servers in the November/2016 time frame).

Additional info:
openssl 1.1.0.f-1
openvpn 2.4.3-1

Attachments:
server.log - the openvpn server log
client.log - the openvpn client log
myserver.conf - the openvpn conf
myclient.conf - a sanitized (my certs have been removed) client conf to give you the skeleton

Steps to reproduce:
1) Install easy-rsa and openvpn.
2) Follow the Easy-RSA wiki page[1] to create a functional openvpn server (create CA and server certs, sign them etc as documented).
3) Create a client.conf from these files (manually or use ovpngen[2]).
4) Run openvpn server on the server and attempt to connect using the client.conf you created.

References:
Discussion thread: https://bbs.archlinux.org/viewtopic.php?id=227632
1. https://wiki.archlinux.org/index.php/Easy-RSA
2. https://github.com/graysky2/ovpngen
On my server, I have:
# ls /etc/openvpn/server
ca.crt dh.pem server.conf server.crt server.key ta.key
My client profile was generated using [2].
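
Added example, not part of the original report and not code from OpenVPN or OpenSSL: a small triage helper that reads the client log lines quoted above, reports at which chain depth verification failed, and unpacks the OpenSSL error code. The function names and the dictionary layout are assumptions made for this illustration; the sample log is constructed from the excerpt in the report.

```python
import re

# Constructed sample: client log lines as quoted in the report above.
SAMPLE_LOG = """\
VERIFY ERROR: depth=1, error=self signed certificate in certificate chain: CN=ease CA
OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (\S+=.*)$")
OSSL_RE = re.compile(r"OpenSSL: error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")


def unpack_error_code(hex_code):
    """Split a packed OpenSSL 1.0.x/1.1.x error code into (lib, func, reason).

    Those releases pack 8 bits of library, 12 bits of function and
    12 bits of reason. OpenSSL 3.x uses a different layout.
    """
    code = int(hex_code, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Return one dict per verification-related line in an OpenVPN log."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            depth = int(m.group(1))
            findings.append({
                "kind": "verify",
                "depth": depth,
                # depth 0 is the peer's own certificate, higher depths are issuers
                "position": "peer certificate" if depth == 0 else "issuer (CA) certificate",
                "error": m.group(2),
                "subject": m.group(3),
            })
            continue
        m = OSSL_RE.search(line)
        if m:
            lib, func, reason = unpack_error_code(m.group(1))
            findings.append({"kind": "openssl", "lib": lib, "func": func,
                             "reason": reason, "text": m.group(4).strip()})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the quoted excerpt this reports a failure at depth 1, that is, on the CA certificate (subject `CN=ease CA`) rather than on the server certificate itself, and library 20 (SSL) with reason 134 (certificate verify failed).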