OpenVPN not working with own PKI (CA-SubCA)



    Hello everyone,

    I have a big problem with OpenVPN. Maybe the issue is in the Certificate Manager itself. I found no helpful info on the Interwebs.

    Platform: ALIX board, pfSense 2.1.5 (2.2 Alpha has the same issue)

    What is working:

    • Root XCA cert imported with key and used as internal CA ==> OpenVPN client connects fine
    • pfSense self-generated cert ==> OpenVPN client connects fine

    Not working:
    The following PKI infrastructure should be deployed:

    • XCA-generated RootCA (signs other CAs) ==> XCA-generated SubCA (signs users/hosts)
    • Revocation Lists are uploaded and working

    I imported the root cert and the SubCA (cert + key) in the Cert Manager,
    created a new user key,
    and exported the config file.

    OpenVPN config:
    Remote Access (SSL/TLS + User Auth)
    Peer Certificate Authority: SubCA
    Server Certificate: generated from SubCA on pfSense

    Client config (made with the export package):
    dev tun
    persist-tun
    persist-key
    cipher AES-128-CBC
    auth SHA1
    tls-client
    client
    resolv-retry infinite
    remote vpn.***.info 1194 udp
    lport 0
    verify-x509-name "vpn.***.info" name
    auth-user-pass
    ns-cert-type server
    <ca>
    -----BEGIN CERTIFICATE-----
    SubCA
    -----END CERTIFICATE-----
    </ca>
    <cert>
    -----BEGIN CERTIFICATE-----
    UserCert
    -----END CERTIFICATE-----
    </cert>
    <key>
    -----BEGIN PRIVATE KEY-----
    UserKey
    -----END PRIVATE KEY-----
    </key>
    <tls-auth>
    #
    # 2048 bit OpenVPN static key
    #
    -----BEGIN OpenVPN Static key V1-----
    ***
    -----END OpenVPN Static key V1-----
    </tls-auth>
    key-direction 1

    Client errors:
    Wed Sep 10 10:00:01 2014 UDPv4 link remote: [AF_INET]...:1194
    Wed Sep 10 10:00:01 2014 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=, ST=, L=, O=KIM, OU=, CN=, emailAddress=@_._
    Wed Sep 10 10:00:01 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Wed Sep 10 10:00:01 2014 TLS Error: TLS object -> incoming plaintext read error
    Wed Sep 10 10:00:01 2014 TLS Error: TLS handshake failed
    Wed Sep 10 10:00:01 2014 SIGUSR1[soft,tls-error] received, process restarting

    Server Log:
    Sep 10 10:03:51 openvpn[41723]: IP:51790 TLS: Initial packet from [AF_INET]IP:51790, sid=**** ****
    Sep 10 10:03:54 openvpn[41723]: MULTI: multi_create_instance called
    Sep 10 10:03:54 openvpn[41723]: IP:64282 Re-using SSL/TLS context
    Sep 10 10:03:54 openvpn[41723]: IP:64282 Control Channel MTU parms [ L:1557 D:166 EF:66 EB:0 ET:0 EL:0 ]
    Sep 10 10:03:54 openvpn[41723]: IP:64282 Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Sep 10 10:03:54 openvpn[41723]: IP:64282 Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 0,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-server'
    Sep 10 10:03:54 openvpn[41723]: IP:64282 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client'
    Sep 10 10:03:54 openvpn[41723]: IP:64282 Local Options hash (VER=V4): ''
    Sep 10 10:03:54 openvpn[41723]: IP:64282 Expected Remote Options hash (VER=V4): ''

    I tried cert chaining of the SubCA + RootCA certs with no success. Maybe I did it wrong.
    Any help is greatly appreciated.

    //Edit
    OK, now I know why. It's an unresolved bug that has been open for more than a year: https://redmine.pfsense.org/issues/2800
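The depth=1 "unable to get local issuer certificate" error in the client log above is what OpenSSL reports when the trust store handed to the client (the contents of the `<ca>` block) holds the issuing Sub CA but not the self-signed root it chains to: the verifier can walk from the server certificate to the Sub CA, but then finds no trusted issuer for the Sub CA itself. The following shell script is added here as an example and is not part of the original post, nor of pfSense or OpenVPN; it builds a throwaway Root CA -> Sub CA -> server certificate chain with the openssl CLI (assumed to be on PATH, 1.0.2 or newer) and shows the same check failing with the Sub CA alone and succeeding once the Root CA is bundled in. All certificate names and file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the forum post: build a throwaway Root CA -> Sub CA -> server
# certificate chain with openssl and reproduce the "unable to get local issuer certificate"
# failure seen when the client's <ca> block holds only the Sub CA. All names are constructed.
set -e

WORK=$(mktemp -d)

# Root CA: key + CSR, then self-signed with CA extensions via -extfile
# (this two-step form works the same on OpenSSL 1.0.2, 1.1.x and 3.x).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/root.ext"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
  -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null

# Sub CA: signed by the root, pathlen:0 so it may only issue end-entity certificates.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Sub CA" \
  -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/sub.ext"
openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
  -days 30 -sha256 -extfile "$WORK/sub.ext" -out "$WORK/sub.crt" 2>/dev/null

# Server certificate issued by the Sub CA: the role of the certificate the VPN server presents.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/sub.crt" -CAkey "$WORK/sub.key" -CAcreateserial \
  -days 30 -sha256 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

# Full chain bundle: what the client's <ca> block needs. Sub CA first, root last is the
# conventional order; OpenSSL treats the file as an unordered trust store either way.
cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/chain.crt"

# verify_against BUNDLE: echo OK if server.crt chains to a trusted self-signed root using
# only the certificates in BUNDLE, otherwise FAIL. This is the check the client performs
# against its <ca> contents during the TLS handshake.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# verify_partial BUNDLE: the same check, but allowing an intermediate CA to act as the trust
# anchor (-partial_chain). OpenVPN does not verify in this mode, so this only demonstrates that
# the Sub CA itself is valid and the failure is purely the missing root.
verify_partial() {
  if openssl verify -partial_chain -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# verify_detail BUNDLE: raw verifier output, which reproduces the depth/error text from the
# client log when BUNDLE lacks the root.
verify_detail() {
  openssl verify -CAfile "$1" "$WORK/server.crt" 2>&1 || true
}

# inline_ca_block: emit a <ca>...</ca> section carrying the whole chain, i.e. what the
# exported client config should contain instead of the Sub-CA-only block.
inline_ca_block() {
  printf '<ca>\n'
  cat "$WORK/chain.crt"
  printf '</ca>\n'
}

echo "Sub CA only      : $(verify_against "$WORK/sub.crt")"
echo "Sub CA + Root CA : $(verify_against "$WORK/chain.crt")"
echo "Sub CA, partial  : $(verify_partial "$WORK/sub.crt")"
echo "--- verifier output with Sub CA only ---"
verify_detail "$WORK/sub.crt"
```

Run it with `sh` on any machine with the openssl CLI; the first line of output is FAIL, the second OK, and the detail section shows the depth-1 lookup error. The same check can be run against real material by pointing `-CAfile` at the certificate(s) pasted into an exported client config's `<ca>` block and at the server certificate: if it fails with only the Sub CA and passes with Sub CA + Root CA concatenated, the config needs the full chain in `<ca>`, which is exactly what `inline_ca_block` prints.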
