Netgate Discussion Forum

Odd line endings when OpenVPN auth files pasted through browser

OpenVPN
8 Posts 3 Posters 1.7k Views
    oddomatik
    last edited by Mar 3, 2017, 6:35 AM

    Mar 2 22:18:02 openvpn 33150 OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
    Mar 2 22:18:02 openvpn 33150 OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
    Mar 2 22:18:02 openvpn 33150 Cannot load certificate file /var/etc/openvpn/client1.cert
    Mar 2 22:18:02 openvpn 33150 Exiting due to fatal error

    None of my files created for OpenVPN will load, and I believe the issue to be due to ^M line endings that appear in files when pasted through a web browser.

    client1.key, client1.tls-auth, client1.ca, client1.cert all show ^M at the end of some or every line (depending on file) when pasted through a web browser and viewed in vi text editor on the router via SSH.

    The files look fine when viewed through "file editor" in pfsense web ui.

    I have tried plain-text pastes from Mac and Linux-based machines, and pasting into a plain text editor first, echo'ing from the terminal and then pasting, etc., etc.

    Of course, manual overrides via ee or vi are simply overwritten whenever openvpn is started through webui, and I'm not sure how to get the daemon running via CLI off the top of my head, so no workaround has been discovered yet.

    I have tried v2.3.3 and another recent version.

    A workaround would be greatly appreciated.

      jimp Rebel Alliance Developer Netgate
      last edited by Mar 3, 2017, 3:16 PM

      The line endings don't matter there. OpenVPN and OpenSSL don't care how the lines are terminated.

      What is in /var/etc/openvpn/client1.cert ?

      It should be safe to paste the contents here, though you can omit the middle cert data, keep the start/end lines.

      Usually that means the start/end lines are missing or mangled, e.g. missing:

      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----
      

      Even if one of those "-" went missing it could cause a problem.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        jimp Rebel Alliance Developer Netgate
        last edited by Mar 3, 2017, 3:16 PM

        Also make sure your certificate has the correct private key in place (also with the proper start/end lines).


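The pairing check jimp asks for above ("the correct private key in place"), done the way the later post in this thread attempts it with the openssl CLI, but comparing the public keys instead of RSA moduli so it also works for EC keys. This is an added example, not code from the thread or from pfSense; the file paths are parameters, and the thread's /var/etc/openvpn/client1.cert and client1.key would be typical arguments on the firewall. A CSR handed in as the certificate is rejected with status 2 rather than compared, which is the failure mode this thread ends on.

```shell
#!/bin/sh
# Added example: confirm that a certificate and a private key belong together.
# Only the openssl CLI is used; nothing here depends on OpenVPN being installed.

# Public key carried inside an X.509 certificate (empty output + failure for a CSR).
pubkey_of_cert() {
    openssl x509 -noout -pubkey -in "$1" 2>/dev/null
}

# Public key derived from a private key (RSA, EC or PKCS#8 "PRIVATE KEY").
pubkey_of_key() {
    openssl pkey -pubout -in "$1" 2>/dev/null
}

# Exit 0 when the pair matches, 1 when it does not, 2 when a file is unreadable
# (missing, mangled markers, or a CSR where a certificate was expected).
cert_key_match() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    [ -n "$cert_pub" ] || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Report CRLF (^M) endings for the record only; OpenSSL reads them fine.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

if [ "$#" -eq 2 ]; then
    cert_key_match "$1" "$2"
    case $? in
        0) echo "certificate and key match" ;;
        1) echo "certificate and key DO NOT match" ;;
        *) echo "could not read one of the files (is the cert really a .crt, not a .csr?)" ;;
    esac
    has_crlf "$1" && echo "note: $1 has CRLF line endings (harmless)"
fi
```

Run it as `sh check-pair.sh /var/etc/openvpn/client1.cert /var/etc/openvpn/client1.key` on the firewall; status 2 on the certificate side is the same "unable to load certificate" condition the later openssl x509 attempt in this thread hits.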
          oddomatik
          last edited by Mar 3, 2017, 6:02 PM Mar 3, 2017, 5:38 PM

          @jimp:

          The line endings don't matter there. OpenVPN and OpenSSL don't care how the lines are terminated.

          What is in /var/etc/openvpn/client1.cert ?

          It should be safe to paste the contents here, though you can omit the middle cert data, keep the start/end lines.

          Usually that means the start/end lines are missing or mangled, e.g. missing:

          -----BEGIN CERTIFICATE-----
          [...]
          -----END CERTIFICATE-----
          

          Even if one of those "-" went missing it could cause a problem.

          @jimp:

          Also make sure your certificate has the correct private key in place (also with the proper start/end lines)

          I suspect I'm missing something basic as to where the certs and keys are supposed to go. Perhaps I need something different for the ca cert?

          The contents are pasted from and confirmed the same as my working local configuration. *** denotes redacted information.

          root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***x509-ca.crt client1.ca 
          root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***-***.csr client1.cert
          root@***:/home/***/pf# diff --strip-trailing-cr /etc/openvpn/***-x509/***-***.key client1.key 
          root@***:/home/***/pf#
          

          (no difference in files)

          root@***:/home/brian/pf# cat client1.conf 
          dev ovpnc1
          verb 3
          dev-type tap
          dev-node /dev/tap1
          writepid /var/run/openvpn_client1.pid
          #user nobody
          #group nobody
          script-security 3
          daemon
          keepalive 10 60
          ping-timer-rem
          persist-tun
          persist-key
          proto udp
          cipher AES-256-CBC
          auth SHA1
          up /usr/local/sbin/ovpn-linkup
          down /usr/local/sbin/ovpn-linkdown
          tls-client
          client
          nobind
          management /var/etc/openvpn/client1.sock unix
          remote ***.net 1194
          ca /var/etc/openvpn/client1.ca 
          cert /var/etc/openvpn/client1.cert 
          key /var/etc/openvpn/client1.key 
          tls-auth /var/etc/openvpn/client1.tls-auth 1
          comp-lzo yes
          resolv-retry infinite
          

          And the working, local configuration:

          root@deepdream:/home/brian/pf# cat /etc/openvpn/***-x509/***-x509.conf 
          client
          dev tap
          proto udp
          remote ***.net 1194
          resolv-retry infinite
          nobind
          persist-key
          persist-tun
          ca ***x509-ca.crt
          cert ***-***.csr
          key ***-***.key
          tls-auth ***x509-ta.key 1
          cipher AES-256-CBC
          comp-lzo
          verb 3
          

          on local machine:

          root@***:/home/***/pf# openssl req -text -noout -verify -in /etc/openvpn/***-x509/***-***.csr 
          verify OK
          [ ... ]
          
          root@***:/home/***/pf# openssl rsa -in /etc/openvpn/***-x509/***-***.key -check
          RSA key ok
          [ ... ]
          
          root@***:/home/***/pf# openssl x509 -in /etc/openvpn/***-x509/***x509-ca.crt -text -noout
          Certificate:
              Data:
                  Version: 3 (0x2)
                  Serial Number: 15222987348636325694 (0xd342ea56b7bbd73e)
              Signature Algorithm: sha1WithRSAEncryption
          [ ... ]
          

          ====== ON PFSENSE:

          [2.3.3-RELEASE][admin@pfSense.localdomain]/var/etc/openvpn: openssl x509 -noout -modulus -in client1.crt| openssl md5
          Error opening Certificate client1.crt
          34379201032:error:02001002:system library:fopen:No such file or directory:/builder/pfsense-233/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:398:fopen('client1.crt','r')
          34379201032:error:20074002:BIO routines:FILE_CTRL:system lib:/builder/pfsense-233/tmp/FreeBSD-src/secure/lib/libcrypto/../../../crypto/openssl/crypto/bio/bss_file.c:400:
          unable to load certificate
          

          Does this suggest a missing library?

            jimp Rebel Alliance Developer Netgate
            last edited by Mar 3, 2017, 5:49 PM

            A CSR is not a certificate, it's a request for a certificate. You should have a .crt or .pem file for that somewhere that isn't a .csr.

            No missing library, it just can't read what it expects to read out of the file.


              oddomatik
              last edited by Mar 3, 2017, 6:07 PM

              @jimp:

              A CSR is not a certificate, it's a request for a certificate. You should have a .crt or .pem file for that somewhere that isn't a .csr

              No missing library, it just can't read what it expects to read out of the file.

              Thank you, this does make sense, but the part that is tripping me up is in the openvpn configuration: "cert".

              Since when I enter the .csr into pfsense CA, it adds it as the "cert" configuration and this matches my local working configuration…

              As far as I currently understand, the provided cert/key are meant to go in the "certificates" section, so I should probably be asking my certificate issuer what should be going in the cert authority certificate section...

              Thanks for helping me understand.

                kpa
                last edited by Mar 3, 2017, 6:46 PM

                A csr file would never work as a certificate (argument for the cert option) for OpenVPN, it's just a certificate request that cannot be used for anything else but sending it to a certificate authority for signing and getting the real certificate. Make sure you're not mixing up files.

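Three things get diagnosed across this thread: the ^M line endings the opening post worries about (harmless, as jimp says), mangled or missing -----BEGIN/END----- marker lines (jimp's first reply), and a certificate request handed in where a certificate belongs (jimp's and kpa's later replies). The following is an added example, not code from the thread, pfSense or OpenVPN, that runs all three checks over a PEM file before it is pasted into the web UI. It uses only the Python standard library, so it does not parse the DER inside the file; the label-to-directive table and the sample files are constructed for the example.

```python
import base64
import binascii
import re

# PEM labels OpenVPN expects behind each config directive. This mapping is
# constructed for the example; it covers the files in the thread, nothing more.
EXPECTED_LABELS = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"},
    "tls-auth": {"OpenVPN Static key V1"},
}

# A well-formed marker: exactly five dashes each side, BEGIN/END, then a label.
MARKER_RE = re.compile(r"^-----(BEGIN|END) ([A-Za-z0-9 ]+)-----$")
# Something that was probably meant to be a marker but does not match above.
LOOSE_MARKER_RE = re.compile(r"-+\s*(BEGIN|END)\b")


def check_pem(text, directive):
    """Structural check of one PEM-style file used for OpenVPN `directive`.

    Returns {"label": str|None, "crlf": bool, "problems": [str, ...]}.
    CRLF endings are reported for information only; OpenSSL accepts them.
    """
    problems = []
    report = {"label": None, "crlf": "\r\n" in text, "problems": problems}
    begin_label = end_label = None
    body = []
    # strip() drops the \r as well, so CRLF files are judged like LF ones.
    for line in (ln.strip() for ln in text.split("\n")):
        if not line:
            continue
        m = MARKER_RE.match(line)
        if m:
            if m.group(1) == "BEGIN":
                begin_label = m.group(2)
            else:
                end_label = m.group(2)
        elif LOOSE_MARKER_RE.search(line):
            problems.append("mangled marker line: %r" % line)
        elif begin_label is not None and end_label is None:
            body.append(line)

    if begin_label is None:
        problems.append("no well-formed BEGIN line")
    if end_label is None:
        problems.append("no well-formed END line")
    if begin_label and end_label and begin_label != end_label:
        problems.append("BEGIN and END labels differ")
    label = begin_label or end_label
    report["label"] = label

    if label is not None:
        if label == "CERTIFICATE REQUEST" and directive in ("ca", "cert"):
            problems.append("file is a CSR, not a certificate; use the signed .crt/.pem")
        elif label not in EXPECTED_LABELS.get(directive, set()):
            problems.append("label %r is not valid for %r" % (label, directive))

    if not body:
        problems.append("empty body between markers")
    elif directive != "tls-auth":  # static keys carry hex, not base64
        try:
            base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            problems.append("body is not valid base64")
    return report


# Constructed samples: the base64 body is 48 placeholder bytes, not real DER.
_BODY = base64.b64encode(bytes(range(48))).decode()
GOOD_CERT = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % _BODY
CRLF_CERT = GOOD_CERT.replace("\n", "\r\n")                     # browser paste
MANGLED_CERT = GOOD_CERT.replace("-----BEGIN", "----BEGIN", 1)  # one dash lost
CSR_AS_CERT = GOOD_CERT.replace("CERTIFICATE", "CERTIFICATE REQUEST")

if __name__ == "__main__":
    for name, text in [("good", GOOD_CERT), ("crlf", CRLF_CERT),
                       ("mangled", MANGLED_CERT), ("csr", CSR_AS_CERT)]:
        r = check_pem(text, "cert")
        print(name, r["label"], "crlf" if r["crlf"] else "lf", r["problems"])
```

The CRLF sample comes back with an empty problem list, which is jimp's point: the ^M characters are not what stopped OpenVPN. The sample with one dash missing and the CSR sample both come back with problems, and those are the two conditions the thread actually ran into.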
                  oddomatik
                  last edited by Mar 3, 2017, 10:00 PM

                  @kpa:

                  A csr file would never work as a certificate (argument for the cert option) for OpenVPN, it's just a certificate request that can not be used for anything else but sending it to a certificate authority for signing and getting the real certificate. Make sure you're not mixing up files.

                  The configuration I was referencing was an old, non-working one… of course the csr did not work when configured as cert.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.