From: Jan J. K. <ja...@ni...> - 2008-05-22 11:12:41

Hi Tomy,

As Josh stated, this means that the certificate server.crt was *NOT* signed by ca.crt; can you regenerate the server certificate? If you would like, you can send me the 'server.crt' + 'ca.crt' files (via private email) and I can take a quick look at them.

cheers,

JJK

tomy wrote:
> Hi,
> While running the command openssl verify -CAfile ca.crt server.crt, I am getting an error like
> server.crt: /C=IN/ST=BANGALORE/O=Kalki Communication Technologies/CN=server
> error 20 at 0 depth lookup:unable to get local issuer certificate.
>
> Josh Cepek wrote:
>> tomy wrote:
>>> Hi All,
>>> I am currently working on openvpn 2.0.9. While I am running the program (client and server) I am getting an error like VERIFY ERROR: depth=0, error=unable to get local issuer certificate: The keys are generated manually referring to http://openvpn.net/index.php/documentation/howto.html . Is there any problem in generating keys manually? I have attached the server and client configuration files. It is working properly for the openvpn demo keys with the same client and server configuration. So I doubt some problem with the manual key generation.
>>>
>> My guess is that the server cert wasn't signed by the same CA that the client is referencing. In the howto you linked, you should only run the build-ca script once and sign all your keys (server and all clients) with that same CA. If some of your certificates are signed with a different CA it breaks the functionality of a PKI since you can no longer determine certificate validity.
>>
>> You can manually verify if a given certificate was signed by the CA represented by the CA's public cert with the following openssl command:
>> openssl verify -CAfile ca.crt signed_certificate.crt
>>
>> If all goes well it should tell you 'OK' during verification. If there was a problem with the signature it will show up as the output to this command.
>>
>>> The Client and Server logs are given below
>>>
>>> Client side
>>>
>>> Wed May 21 16:38:33 2008 us=384440 LZO compression initialized
>>> Wed May 21 16:38:33 2008 us=384895 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
>>> Wed May 21 16:38:33 2008 us=385096 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
>>> Wed May 21 16:38:33 2008 us=385186 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
>>> Wed May 21 16:38:33 2008 us=385263 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
>>> Wed May 21 16:38:33 2008 us=385378 Local Options hash (VER=V4): '69109d17'
>>> Wed May 21 16:38:33 2008 us=385451 Expected Remote Options hash (VER=V4): 'c0103fa8'
>>> Wed May 21 16:38:33 2008 us=385530 Attempting to establish TCP connection with 192.168.0.246:1194
>>> Wed May 21 16:38:33 2008 us=386198 TCP connection established with 192.168.0.246:1194
>>> Wed May 21 16:38:33 2008 us=386257 Socket Buffers: R=[87380->131072] S=[16384->131072]
>>> Wed May 21 16:38:33 2008 us=386347 TCPv4_CLIENT link local: [undef]
>>> Wed May 21 16:38:33 2008 us=386392 TCPv4_CLIENT link remote: 192.168.0.246:1194
>>> WRWed May 21 16:38:33 2008 us=387300 TLS: Initial packet from 192.168.0.246:1194, sid=e28e0b1f 40d6a318
>>> WRWWRRWRRRWWRWRWRRWWRWed May 21 16:38:33 2008 us=445825 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /C=IN/ST=BANGALORE/O=Kalki_Communication_Technologies/CN=server
>>> Wed May 21 16:38:33 2008 us=446074 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>>> Wed May 21 16:38:33 2008 us=446135 TLS Error: TLS object -> incoming plaintext read error
>>> Wed May 21 16:38:33 2008 us=446207 TLS Error: TLS handshake failed
>>> Wed May 21 16:38:33 2008 us=446432 Fatal TLS error (check_tls_errors_co), restarting
>>> Wed May 21 16:38:33 2008 us=446633 TCP/UDP: Closing socket
>>>
>>> Server side
>>>
>>> Wed May 21 16:34:52 2008 us=866997 MULTI: multi_create_instance called
>>> Wed May 21 16:34:52 2008 us=867035 Re-using SSL/TLS context
>>> Wed May 21 16:34:52 2008 us=867064 LZO compression initialized
>>> Wed May 21 16:34:52 2008 us=867203 Control Channel MTU parms [ L:1544 D:140 EF:40 EB:0 ET:0 EL:0 ]
>>> Wed May 21 16:34:52 2008 us=867232 Data Channel MTU parms [ L:1544 D:1450 EF:44 EB:135 ET:0 EL:0 AF:3/1 ]
>>> Wed May 21 16:34:52 2008 us=867280 Local Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
>>> Wed May 21 16:34:52 2008 us=867292 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1544,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
>>> Wed May 21 16:34:52 2008 us=867336 Local Options hash (VER=V4): 'c0103fa8'
>>> Wed May 21 16:34:52 2008 us=867356 Expected Remote Options hash (VER=V4): '69109d17'
>>> Wed May 21 16:34:52 2008 us=867387 TCP connection established with 192.168.0.222:47826
>>> Wed May 21 16:34:52 2008 us=867408 Socket Buffers: R=[131072->131072] S=[131072->131072]
>>> Wed May 21 16:34:52 2008 us=867423 TCPv4_SERVER link local: [undef]
>>> Wed May 21 16:34:52 2008 us=867434 TCPv4_SERVER link remote: 192.168.0.222:47826
>>> WRWed May 21 16:34:52 2008 us=867630 192.168.0.222:47826 TLS: Initial packet from 192.168.0.222:47826, sid=87782ce2 0ecf2c38
>>> WRWRRWWWWRWRWRWWRWRWRWRWWed May 21 16:34:52 2008 us=927653 192.168.0.222:47826 Connection reset, restarting [-1]
>>> Wed May 21 16:34:52 2008 us=927674 192.168.0.222:47826 SIGUSR1[soft,connection-reset] received, client-instance restarting
>>> Wed May 21 16:34:52 2008 us=927731 TCP/UDP: Closing socket
>>> Wed May 21 16:34:54 2008 us=997532 TCP/UDP: Closing socket
>>>
>>> The Client and Server configuration is given below
>>>
>>> Server Configuration
>>>
>>> port 1194
>>> proto tcp
>>> dev tun
>>> ca /etc/openvpn/ca.crt
>>> cert /etc/openvpn/server.crt
>>> key /etc/openvpn/server.key
>>> dh /etc/openvpn/dh1024.pem
>>> server 10.8.0.0 255.255.255.0
>>> keepalive 10 120
>>> comp-lzo
>>> persist-key
>>> persist-tun
>>> status openvpn-status.log
>>> verb 5
>>>
>>> Client Configuration
>>>
>>> client
>>> dev tun
>>> proto tcp
>>> remote 192.168.0.246 1194
>>> resolv-retry infinite
>>> nobind
>>> ca /etc/openvpn/ca.crt
>>> cert /etc/openvpn/client.crt
>>> key /etc/openvpn/client.key
>>> comp-lzo
>>> verb 5
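The failure Josh and JJK describe (a server certificate signed by a CA other than the one in ca.crt) can be reproduced and diagnosed offline. The script below is an added example and is not part of the thread or of the OpenVPN howto; it needs only the openssl CLI. It builds a throwaway CA, signs a server certificate with it, then builds a second CA with the *same* distinguished name, which is what running build-ca twice with the same answers gives you. `openssl verify` returns OK against the signing CA and "error 20 at 0 depth lookup: unable to get local issuer certificate" against the other. Because both CAs carry an identical subject DN, comparing the leaf's issuer to the CA's subject cannot tell them apart; the Authority Key Identifier of the leaf versus the Subject Key Identifier of the CA can. All DNs (C=IN/ST=BANGALORE/O=Example/...) and file names here are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce OpenSSL "error 20" with two
# same-named CAs and show which checks identify the real signer.
# Requires the openssl CLI; every key and certificate is generated here
# as throwaway test material in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Leaf extensions, spelled out so AKI/SKI are present on any openssl version.
cat > leaf.ext <<'EOF'
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# make_ca NAME: self-signed CA. Both CAs deliberately get an identical DN,
# mimicking a second run of build-ca with the same answers.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 \
    -subj "/C=IN/ST=BANGALORE/O=Example/CN=OpenVPN-CA" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# The CA that actually signs the server certificate.
make_ca ca
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/C=IN/ST=BANGALORE/O=Example/CN=server" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out server.crt 2>/dev/null

# The "other" CA: same DN, different key pair.
make_ca ca2

# verify_against CAFILE CERT: prints openssl verify's verdict (OK or error text).
verify_against() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# keyid_of CERT Authority|Subject: the X509v3 key identifier as printed by
# 'openssl x509 -text', with the 'keyid:' prefix that OpenSSL 1.1 adds removed.
keyid_of() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 "X509v3 $2 Key Identifier" | tail -n1 \
    | sed 's/^ *//; s/^keyid://'
}

# Stand-alone run: show the verdicts and the identifiers side by side.
printf 'verify against signing CA : %s\n' "$(verify_against ca.crt server.crt)"
printf 'verify against other CA   : %s\n' "$(verify_against ca2.crt server.crt | tail -n1)"
printf 'issuer DN of server.crt   : %s\n' "$(openssl x509 -in server.crt -noout -issuer)"
printf 'subject DN of ca2.crt     : %s  (same DN, wrong CA)\n' "$(openssl x509 -in ca2.crt -noout -subject)"
printf 'server.crt AKI            : %s\n' "$(keyid_of server.crt Authority)"
printf 'ca.crt  SKI               : %s\n' "$(keyid_of ca.crt Subject)"
printf 'ca2.crt SKI               : %s\n' "$(keyid_of ca2.crt Subject)"
```

When the AKI of server.crt does not match the SKI of the ca.crt that the client and server configs point at, the fix is the one the thread gives: re-issue the certificate from the CA that ca.crt actually represents (or distribute the right ca.crt), rather than editing either file.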