Netgate Discussion Forum
    Odd line endings when OpenVPN auth files pasted through browser

    OpenVPN
    8 Posts 3 Posters 1.7k Views
    oddomatik

      Mar 2 22:18:02 openvpn 33150 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
      Mar 2 22:18:02 openvpn 33150 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
      Mar 2 22:18:02 openvpn 33150 Cannot load certificate file /var/etc/openvpn/client1.cert
      Mar 2 22:18:02 openvpn 33150 Exiting due to fatal error

      None of my files created for OpenVPN will load, and I believe the issue to be due to ^M line endings that appear in files when pasted through a web browser.

      client1.key, client1.tls-auth, client1.ca, client1.cert all show ^M at the end of some or every line (depending on file) when pasted through a web browser and viewed in vi text editor on the router via SSH.

      The files look fine when viewed through "file editor" in pfsense web ui.

      I have tried plain-text pastes from Mac and Linux-based machines, and pasting into a plain text editor first, echoing from a terminal and then pasting, etc. etc.

      Of course, manual overrides via ee or vi are simply overwritten whenever openvpn is started through webui, and I'm not sure how to get the daemon running via CLI off the top of my head, so no workaround has been discovered yet.

      I have tried v2.3.3 and another recent version.

      A workaround would be greatly appreciated.

      jimp Rebel Alliance Developer Netgate

        The line endings don't matter there. OpenVPN and OpenSSL don't care how the lines are terminated.

        What is in /var/etc/openvpn/client1.cert ?

        It should be safe to paste the contents here, though you can omit the middle cert data, keep the start/end lines.

        Usually that means the start/end lines are missing or mangled, e.g. missing:

        -----BEGIN CERTIFICATE-----
        [...]
        -----END CERTIFICATE-----
        

        Even if one of those "-" went missing it could cause a problem.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        jimp Rebel Alliance Developer Netgate

          Also make sure your certificate has the correct private key in place (also with the proper start/end lines)

          oddomatik

            @jimp:

            The line endings don't matter there. OpenVPN and OpenSSL don't care how the lines are terminated.

            What is in /var/etc/openvpn/client1.cert ?

            It should be safe to paste the contents here, though you can omit the middle cert data, keep the start/end lines.

            Usually that means the start/end lines are missing or mangled, e.g. missing:

            -----BEGIN CERTIFICATE-----
            [...]
            -----END CERTIFICATE-----
            

            Even if one of those "-" went missing it could cause a problem.

            @jimp:

            Also make sure your certificate has the correct private key in place (also with the proper start/end lines)

            I suspect I'm missing something basic as to where the certs and keys are supposed to go. Perhaps I need something different for the ca cert?

            The contents are pasted from and confirmed the same as my working local configuration. *** denotes redacted information.

            root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***x509-ca.crt client1.ca 
            root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***-***.csr client1.cert
            root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***-***.key client1.key 
            root@***:/home/***/pf#
            

            (no difference in files)

            root@***:/home/brian/pf# cat client1.conf 
            dev ovpnc1
            verb 3
            dev-type tap
            dev-node /dev/tap1
            writepid /var/run/openvpn_client1.pid
            #user nobody
            #group nobody
            script-security 3
            daemon
            keepalive 10 60
            ping-timer-rem
            persist-tun
            persist-key
            proto udp
            cipher AES-256-CBC
            auth SHA1
            up /usr/local/sbin/ovpn-linkup
            down /usr/local/sbin/ovpn-linkdown
            tls-client
            client
            nobind
            management /var/etc/openvpn/client1.sock unix
            remote ***.net 1194
            ca /var/etc/openvpn/client1.ca 
            cert /var/etc/openvpn/client1.cert 
            key /var/etc/openvpn/client1.key 
            tls-auth /var/etc/openvpn/client1.tls-auth 1
            comp-lzo yes
            resolv-retry infinite
            

            And the working, local configuration:

            root@deepdream:/home/brian/pf# cat /etc/openvpn/***-x509/***-x509.conf 
            client
            dev tap
            proto udp
            remote ***.net 1194
            resolv-retry infinite
            nobind
            persist-key
            persist-tun
            ca ***x509-ca.crt
            cert ***-***.csr
            key ***-***.key
            tls-auth ***x509-ta.key 1
            cipher AES-256-CBC
            comp-lzo
            verb 3
            

            on local machine:

            root@***:/home/***/pf# openssl req -text -noout -verify -in /etc/openvpn/***-x509/***-***.csr 
            verify OK
            [ ... ]
            
            root@***:/home/***/pf# openssl rsa -in /etc/openvpn/***-x509/***-***.key -check
            RSA key ok
            [ ... ]
            
            root@***:/home/***/pf# openssl x509 -in /etc/openvpn/***-x509/***x509-ca.crt -text -noout
            Certificate:
                Data:
                    Version: 3 (0x2)
                    Serial Number: 15222987348636325694 (0xd342ea56b7bbd73e)
                Signature Algorithm: sha1WithRSAEncryption
            [ ... ]
            

            ====== ON PFSENSE:

            [2.3.3-RELEASE][admin@pfSense.localdomain]/var/etc/openvpn: openssl x509 -noout -modulus -in client1.crt| openssl md5
            Error opening Certificate client1.crt
            34379201032:error:02001002:system library:fopen:No such file or directory:/builder/pfsense-233/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('client1.crt','r')
            34379201032:error:20074002:BIO routines:FILE_CTRL:system lib:/builder/pfsense-233/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
            unable to load certificate
            

            Does this suggest a missing library?

              jimp Rebel Alliance Developer Netgate

              A CSR is not a certificate, it's a request for a certificate. You should have a .crt or .pem file for that somewhere that isn't a .csr.

              No missing library, it just can't read what it expects to read out of the file.

                oddomatik

                @jimp:

                A CSR is not a certificate, it's a request for a certificate. You should have a .crt or .pem file for that somewhere that isn't a .csr.

                No missing library, it just can't read what it expects to read out of the file.

                Thank you, this does make sense, but the part that is tripping me up is in the openvpn configuration: "cert".

                Since when I enter the .csr into pfsense CA, it adds it as the "cert" configuration and this matches my local working configuration…

                As far as I currently understand, the provided cert/key are meant to go in the "certificates" section, so I should probably be asking my certificate issuer what should be going in the cert authority certificate section...

                Thanks for helping me understand.

                  kpa

                  A csr file would never work as a certificate (argument for the cert option) for OpenVPN, it's just a certificate request that cannot be used for anything else but sending it to a certificate authority for signing and getting the real certificate. Make sure you're not mixing up files.

                    oddomatik
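The two diagnoses above (jimp: line endings are irrelevant, a lost "-" in the BEGIN/END line breaks parsing; jimp and kpa: a CSR will never load as a certificate) can be checked mechanically before OpenVPN is ever started. The following is an added example written for this page, not code from the thread, pfSense or OpenVPN. It is stdlib-only Python that parses PEM framing the way OpenSSL's PEM reader does: five dashes on each side of the label, matching BEGIN/END labels, any line terminator accepted. The base64 payload is a constructed placeholder DER SEQUENCE, not a real certificate, so only the framing logic is exercised; the function names and messages are this example's own.

```python
"""Triage PEM files destined for OpenVPN's ca/cert/key options.

Added example (not from the thread, pfSense or OpenVPN). Stdlib only.
The DER payload below is a constructed placeholder, not a real certificate.
"""
import base64
import binascii
import re

# OpenSSL's PEM reader wants exactly five dashes on each side of the label
# and an END label that matches the BEGIN label. How a line is terminated
# (LF, CRLF shown as ^M in vi, no trailing newline) makes no difference.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def parse_pem(text):
    """Return (blocks, problems).

    blocks   : list of (label, der_bytes) for every well-formed PEM block
    problems : strings describing anything OpenSSL would reject or skip
    """
    blocks, problems = [], []
    label, body = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()  # trailing \r / spaces are irrelevant, as in OpenSSL
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                problems.append(f"line {lineno}: BEGIN {m.group(1)} inside unclosed {label}")
            label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m:
            if label is None:
                problems.append(f"line {lineno}: END {m.group(1)} without a BEGIN line")
            elif m.group(1) != label:
                problems.append(f"line {lineno}: END {m.group(1)} does not match BEGIN {label}")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except binascii.Error as exc:
                    problems.append(f"block {label}: body is not valid base64 ({exc})")
                else:
                    if der[:1] != b"\x30":
                        problems.append(f"block {label}: payload is not a DER SEQUENCE")
                    else:
                        blocks.append((label, der))
            label, body = None, []
            continue
        if label is not None:
            body.append(line)
        elif "BEGIN" in line or "END" in line:
            # Looks like a boundary but does not match: typically a lost '-'
            # or a mangled label. OpenSSL skips such lines and, never having
            # seen a valid BEGIN, reports 'PEM_read_bio:no start line'.
            problems.append(f"line {lineno}: mangled PEM boundary {line!r}")
    if label is not None:
        problems.append(f"block {label}: BEGIN without matching END")
    return blocks, problems


def check_openvpn_cert(text):
    """Diagnose a file meant for OpenVPN's 'cert' option: 'ok' or an explanation."""
    blocks, problems = parse_pem(text)
    labels = [lbl for lbl, _ in blocks]
    if "CERTIFICATE" in labels:
        return "ok"
    if "CERTIFICATE REQUEST" in labels:
        # OpenSSL skips blocks whose label does not match the one requested,
        # so a CSR in the cert slot also ends in 'no start line'.
        return ("no start line: file holds a CERTIFICATE REQUEST (a CSR), not a "
                "certificate; install the signed .crt/.pem the CA returned")
    detail = "; ".join(problems) or "no PEM block found"
    return f"no start line: {detail}"


# Constructed placeholder payload: DER SEQUENCE { INTEGER 1, INTEGER 2 }.
# NOT a real certificate; it only exercises the framing checks.
_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])
_B64 = base64.b64encode(_DER).decode()

SAMPLE_CRLF_CERT = "-----BEGIN CERTIFICATE-----\r\n" + _B64 + "\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_MISSING_DASH = "----BEGIN CERTIFICATE-----\n" + _B64 + "\n-----END CERTIFICATE-----\n"
SAMPLE_CSR = ("-----BEGIN CERTIFICATE REQUEST-----\n" + _B64 +
              "\n-----END CERTIFICATE REQUEST-----\n")

if __name__ == "__main__":
    for name, sample in [("CRLF cert", SAMPLE_CRLF_CERT),
                         ("missing dash", SAMPLE_MISSING_DASH),
                         ("CSR as cert", SAMPLE_CSR)]:
        print(f"{name:13}: {check_openvpn_cert(sample)}")
```

Run it against the three constructed samples: the CRLF-terminated certificate is reported "ok" (the ^M endings the original poster worried about are harmless), the header with four dashes is flagged as a mangled boundary, and the CSR is identified as the wrong object type, which is exactly the situation the thread ends on. To triage a live file, pass the contents of /var/etc/openvpn/client1.cert to check_openvpn_cert.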

                    @kpa:

                    A csr file would never work as a certificate (argument for the cert option) for OpenVPN, it's just a certificate request that cannot be used for anything else but sending it to a certificate authority for signing and getting the real certificate. Make sure you're not mixing up files.

                    The configuration I was referencing was an old not working one… of course the csr did not work when configured as cert.

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.