Wed Mar 22 10:05:14 2017 us=60205 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Wed Mar 22 10:05:14 2017 us=60205 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Wed Mar 22 10:05:14 2017 us=61205 TLS_ERROR: BIO read tls_read_plaintext error
Broader log:
Wed Mar 22 10:05:12 2017 us=848205 Local Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-client'
Wed Mar 22 10:05:12 2017 us=848205 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1604,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA512,keysize 256,tls-auth,key-method 2,tls-server'
Wed Mar 22 10:05:12 2017 us=848205 Local Options hash (VER=V4): 'XXXXXXXX'
Wed Mar 22 10:05:12 2017 us=848205 Expected Remote Options hash (VER=V4): 'XXXXXXXX'
Wed Mar 22 10:05:12 2017 us=848205 Attempting to establish TCP connection with [AF_INET]A.B.C.D:1200 [nonblock]
Wed Mar 22 10:05:12 2017 us=848205 MANAGEMENT: >STATE:1490173512,TCP_CONNECT,,,
Wed Mar 22 10:05:13 2017 us=849205 TCP connection established with [AF_INET]A.B.C.D:1200
Wed Mar 22 10:05:13 2017 us=849205 TCPv4_CLIENT link local : [undef]
Wed Mar 22 10:05:13 2017 us=849205 TCPv4_CLIENT link remote: [AF_INET]A.B.C.D:1200
Wed Mar 22 10:05:13 2017 us=849205 MANAGEMENT: >STATE:1490173513,WAIT,,,
Wed Mar 22 10:05:13 2017 us=909205 MANAGEMENT: >STATE:1490173513,AUTH,,,
Wed Mar 22 10:05:13 2017 us=909205 TLS: Initial packet from [AF_INET]A.B.C.D:1200, sid=bb2bb206 e079c6ed
Wed Mar 22 10:05:14 2017 us=60205 VERIFY ERROR: depth=1, error=unable to get local issuer certificate: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA
Wed Mar 22 10:05:14 2017 us=60205 OpenSSL: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Wed Mar 22 10:05:14 2017 us=61205 TLS_ERROR: BIO read tls_read_plaintext error
Wed Mar 22 10:05:14 2017 us=61205 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 22 10:05:14 2017 us=61205 TLS Error: TLS handshake failed
The root cause was that both the root certificate and the intermediate certificate have to be added to the client's configuration file.
So the <ca> section has to look like this to work properly:
<ca>
-----BEGIN CERTIFICATE-----
YOUR ROOT CERTIFICATE
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
YOUR INTERMEDIATE CERTIFICATE
-----END CERTIFICATE-----
</ca>
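The missing-issuer condition behind the VERIFY ERROR can be checked before connecting: every certificate in the client's <ca> block should have its issuer in the same block. The following Python check is an added example, not part of the original post; it compares issuer and subject names byte for byte and does not verify signatures, and demo_cert, ROOT, INTERMEDIATE, BROKEN and FIXED are constructed placeholders.

```python
import base64, re

def tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, element_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names of one X.509 certificate."""
    _, p, _ = tlv(der, tlv(der, 0)[1])        # enter Certificate, then tbsCertificate
    tag, _, end = tlv(der, p)                 # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, end = tlv(der, end)             # serialNumber
    _, _, iss = tlv(der, end)                 # signature algorithm; issuer follows
    _, _, val = tlv(der, iss)                 # issuer; validity follows
    _, _, sub = tlv(der, val)                 # validity; subject follows
    _, _, sub_end = tlv(der, sub)
    return der[iss:val], der[sub:sub_end]

def ca_certs(ovpn_text):
    """DER certificates inside the inline <ca> block of a client config."""
    block = re.search(r"<ca>(.*?)</ca>", ovpn_text, re.S)
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END", block.group(1) if block else "", re.S)
    return [base64.b64decode("".join(p.split())) for p in pems]

def missing_issuers(ovpn_text):
    """Subject Names in <ca> whose issuer Name is not also a subject in <ca>."""
    names = [issuer_subject(c) for c in ca_certs(ovpn_text)]
    subjects = {subject for _, subject in names}
    return [subject for issuer, subject in names if issuer not in subjects]

def _der(tag, *parts):                        # short-form lengths only (< 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def demo_cert(issuer, subject):
    """Constructed, unsigned skeleton holding only the fields parsed above."""
    def name(cn):
        return _der(0x30, _der(0x31, _der(0x30, b"\x06\x03\x55\x04\x03", _der(0x0C, cn.encode()))))
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02\x02\x01\x01", _der(0x30), name(issuer), _der(0x30), name(subject))
    pem = base64.encodebytes(_der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

ROOT, INTERMEDIATE = demo_cert("Demo Root CA", "Demo Root CA"), demo_cert("Demo Root CA", "Demo Intermediate CA")
BROKEN = "client\n<ca>\n" + INTERMEDIATE + "</ca>\n"        # constructed: root absent
FIXED = "client\n<ca>\n" + ROOT + INTERMEDIATE + "</ca>\n"  # constructed: layout shown above
```

missing_issuers(BROKEN) returns the intermediate's subject name, and missing_issuers(FIXED) returns an empty list.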