OpenVPN not working with own PKI (CA-SubCA)
-
Hello everyone,
I have a big problem with OpenVPN. Maybe the issue is in the Certificate Manager itself. I found no helpful info on the Interwebs.
Platform: ALIX board, pfSense 2.1.5 (2.2 Alpha has the same issue)
What is working:
- Root XCA cert imported with key and used as internal CA ==> OVPN client connects fine
- pfSense self-generated cert ==> OVPN client connects fine
Not working:
The following PKI infrastructure should get deployed:
- XCA generated RootCA (signs other CAs) ==> XCA generated SubCA (signs users/hosts)
- Revocation lists are uploaded and working
I imported the root cert and the SubCA (cert+key) in the Certificate Manager
Created a new user key
Exported the config file

OpenVPN Config:
Remote Access (SSL/TLS + User Auth)
Peer Certificate Authority: SubCA
Server Certificate: Generated from SubCA on pfSense

Client Config (made with the export package):
dev tun
persist-tun
persist-key
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote vpn.***.info 1194 udp
lport 0
verify-x509-name "vpn.***.info" name
auth-user-pass
ns-cert-type server
<ca>
-----BEGIN CERTIFICATE-----
SubCA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
UserCert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
UserKey
-----END PRIVATE KEY-----
</key>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
***
-----END OpenVPN Static key V1-----
</tls-auth>
key-direction 1

Client errors:
Wed Sep 10 10:00:01 2014 UDPv4 link remote: [AF_INET]...:1194
Wed Sep 10 10:00:01 2014 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=, ST=, L=, O=KIM, OU=, CN=, emailAddress=@_._
Wed Sep 10 10:00:01 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Wed Sep 10 10:00:01 2014 TLS Error: TLS object -> incoming plaintext read error
Wed Sep 10 10:00:01 2014 TLS Error: TLS handshake failed
Wed Sep 10 10:00:01 2014 SIGUSR1[soft,tls-error] received, process restarting

Server log:
Sep 10 10:03:51 openvpn[41723]: IP:51790 TLS: Initial packet from [AF_INET]IP:51790, sid=**** ****
Sep 10 10:03:54 openvpn[41723]: MULTI: multi_create_instance called
Sep 10 10:03:54 openvpn[41723]: IP:64282 Re-using SSL/TLS context
Sep 10 10:03:54 openvpn[41723]: IP:64282 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
Sep 10 10:03:54 openvpn[41723]: IP:64282 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
Sep 10 10:03:54 openvpn[41723]: IP:64282 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
Sep 10 10:03:54 openvpn[41723]: IP:64282 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
Sep 10 10:03:54 openvpn[41723]: IP:64282 Local Options hash (VER=V4): ''
Sep 10 10:03:54 openvpn[41723]: IP:64282 Expected Remote Options hash (VER=V4): ''

I tried cert chaining of the SubCA+RootCA certs with no success. Maybe I did it wrong.
Any help is greatly appreciated.

//Edit
OK, now I know why. It's an unresolved bug that's been open for more than a year: https://redmine.pfsense.org/issues/2800