Odd line endings when OpenVPN auth files pasted through browser



  • Mar 2 22:18:02 openvpn 33150 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
    Mar 2 22:18:02 openvpn 33150 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
    Mar 2 22:18:02 openvpn 33150 Cannot load certificate file /var/etc/openvpn/client1.cert
    Mar 2 22:18:02 openvpn 33150 Exiting due to fatal error

    None of my files created for OpenVPN will load, and I believe the issue to be due to ^M line endings that appear in files when pasted through a web browser.

    client1.key, client1.tls-auth, client1.ca, client1.cert all show ^M at the end of some or every line (depending on file) when pasted through a web browser and viewed in the vi text editor on the router via SSH.

    The files look fine when viewed through "file editor" in pfsense web ui.

    I have tried plain-text pastes from Mac and Linux-based machines, and pasting into a plain text editor first, echoing from the terminal and then pasting, etc. etc.

    Of course, manual overrides via ee or vi are simply overwritten whenever openvpn is started through webui, and I'm not sure how to get the daemon running via CLI off the top of my head, so no workaround has been discovered yet.

    I have tried v2.3.3 and another recent version.

    A workaround would be greatly appreciated.


  • Rebel Alliance Developer Netgate

    The line endings don't matter there. OpenVPN and OpenSSL don't care how the lines are terminated.

    What is in /var/etc/openvpn/client1.cert ?

    It should be safe to paste the contents here, though you can omit the middle cert data, keep the start/end lines.

    Usually that means the start/end lines are missing or mangled, e.g. missing:

    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    

    Even if one of those "-" went missing it could cause a problem.


  • Rebel Alliance Developer Netgate

    Also make sure your certificate has the correct private key in place (also with the proper start/end lines).



  • @jimp:

    The line endings don't matter there. OpenVPN and OpenSSL don't care how the lines are terminated.

    What is in /var/etc/openvpn/client1.cert ?

    It should be safe to paste the contents here, though you can omit the middle cert data, keep the start/end lines.

    Usually that means the start/end lines are missing or mangled, e.g. missing:

    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
    

    Even if one of those "-" went missing it could cause a problem.

    @jimp:

    Also make sure your certificate has the correct private key in place (also with the proper start/end lines)

    I suspect I'm missing something basic as to where the certs and keys are supposed to go. Perhaps I need something different for the ca cert?

    The contents are pasted from and confirmed the same as my working local configuration. *** denotes redacted information.

    root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***x509-ca.crt client1.ca 
    root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***-***.csr client1.cert
    root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***-***.key client1.key 
    root@***:/home/***/pf#
    

    (no difference in files)

    root@***:/home/brian/pf# cat client1.conf 
    dev ovpnc1
    verb 3
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-256-CBC
    auth SHA1
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    tls-client
    client
    nobind
    management /var/etc/openvpn/client1.sock unix
    remote ***.net 1194
    ca /var/etc/openvpn/client1.ca 
    cert /var/etc/openvpn/client1.cert 
    key /var/etc/openvpn/client1.key 
    tls-auth /var/etc/openvpn/client1.tls-auth 1
    comp-lzo yes
    resolv-retry infinite
    

    And the working, local configuration:

    root@deepdream:/home/brian/pf# cat /etc/openvpn/***-x509/***-x509.conf 
    client
    dev tap
    proto udp
    remote ***.net 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca ***x509-ca.crt
    cert ***-***.csr
    key ***-***.key
    tls-auth ***x509-ta.key 1
    cipher AES-256-CBC
    comp-lzo
    verb 3
    

    on local machine:

    root@***:/home/***/pf# openssl req -text -noout -verify -in /etc/openvpn/***-x509/***-***.csr 
    verify OK
    [ ... ]
    
    root@***:/home/***/pf# openssl rsa -in /etc/openvpn/***-x509/***-***.key -check
    RSA key ok
    [ ... ]
    
    root@***:/home/***/pf# openssl x509 -in /etc/openvpn/***-x509/***x509-ca.crt -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 15222987348636325694 (0xd342ea56b7bbd73e)
        Signature Algorithm: sha1WithRSAEncryption
    [ ... ]
    

    ====== ON PFSENSE:

    [2.3.3-RELEASE][admin@pfSense.localdomain]/var/etc/openvpn: openssl x509 -noout -modulus -in client1.crt| openssl md5
    Error opening Certificate client1.crt
    34379201032:error:02001002:system library:fopen:No such file or directory:/builder/pfsense-233/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('client1.crt','r')
    34379201032:error:20074002:BIO routines:FILE_CTRL:system lib:/builder/pfsense-233/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
    unable to load certificate
    

    Does this suggest a missing library?


  • Rebel Alliance Developer Netgate

    A CSR is not a certificate, it's a request for a certificate. You should have a .crt or .pem file for that somewhere that isn't a .csr.

    No missing library, it just can't read what it expects to read out of the file.
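
    As an added check (not code from this thread, pfSense or OpenVPN), a small Python inspector for a pasted PEM file that exercises both points made above: CRLF (^M) endings are harmless, a boundary line with a lost dash is what OpenSSL reports as "no start line", and a CERTIFICATE REQUEST block is the wrong type for the "cert" option. The sample PEM blobs are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# Strict PEM boundaries: exactly five dashes each side, as OpenSSL's PEM reader expects.
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Za-z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Za-z0-9 ]+)-----$")

def inspect_pem(text, expected_label="CERTIFICATE"):
    """Report on a pasted PEM blob: CR/CRLF endings are normalised away (OpenSSL tolerates ^M);
    problems are only mangled/missing boundaries, an undecodable body, or a wrong block label."""
    report = {"crlf": "\r\n" in text, "labels": [], "problems": []}
    lines = text.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    label, body = None, []
    for ln in (l.strip() for l in lines):
        begin, end = BEGIN_RE.match(ln), END_RE.match(ln)
        if begin:
            label, body = begin.group(1), []
        elif end:
            if label is None or end.group(1) != label:
                report["problems"].append("END line without matching BEGIN: " + ln)
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except binascii.Error:
                    report["problems"].append(label + " body is not valid base64")
                report["labels"].append(label)
            label, body = None, []
        elif label is not None:
            body.append(ln)
        elif ln.startswith("-") and ("BEGIN" in ln or "END" in ln):
            # Looks like a boundary but failed the strict match: a dash was lost or gained.
            report["problems"].append("mangled boundary line: " + ln)
    if label is not None:
        report["problems"].append("BEGIN " + label + " without END")
    if not report["labels"]:
        report["problems"].append("no start line (OpenSSL: PEM_read_bio:no start line)")
    for found in report["labels"]:
        if found != expected_label:
            report["problems"].append("expected %s but file holds %s" % (expected_label, found))
    return report

# Constructed samples: the base64 body is placeholder bytes, not a real DER certificate.
BODY = base64.b64encode(b"placeholder bytes, not a real certificate").decode()
CRLF_CERT = "-----BEGIN CERTIFICATE-----\r\n" + BODY + "\r\n-----END CERTIFICATE-----\r\n"
MANGLED_CERT = "----BEGIN CERTIFICATE-----\n" + BODY + "\n-----END CERTIFICATE-----\n"  # one dash short
CSR_AS_CERT = "-----BEGIN CERTIFICATE REQUEST-----\n" + BODY + "\n-----END CERTIFICATE REQUEST-----\n"
```

    Run it over the text of /var/etc/openvpn/client1.cert: a report with crlf set and an empty problems list is the normal result of a browser paste, so a non-empty list points at the file contents rather than the line endings.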



  • @jimp:

    A CSR is not a certificate, it's a request for a certificate. You should have a .crt or .pem file for that somewhere that isn't a .csr

    No missing library, it just can't read what it expects to read out of the file.

    Thank you, this does make sense, but the part that is tripping me up is in the openvpn configuration: "cert".

    Since when I enter the .csr into pfsense CA, it adds it as the "cert" configuration and this matches my local working configuration…

    As far as I currently understand, the provided cert/key are meant to go in the "certificates" section, so I should probably be asking my certificate issuer what should be going in the cert authority certificate section...

    Thanks for helping me understand.



  • A csr file would never work as a certificate (argument for the cert option) for OpenVPN, it's just a certificate request that cannot be used for anything else but sending it to a certificate authority for signing and getting the real certificate. Make sure you're not mixing up files.



  • @kpa:

    A csr file would never work as a certificate (argument for the cert option) for OpenVPN, it's just a certificate request that cannot be used for anything else but sending it to a certificate authority for signing and getting the real certificate. Make sure you're not mixing up files.

    The configuration I was referencing was an old not working one… of course the csr did not work when configured as cert.