I'm setting up a LAN-to-LAN VPN using OpenVPN. For reasons of easy certificate management I wish to re-use the server certificates which already exist on each host. I've set remote-cert-tls server in the config file, but this still errors:
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=GB, ST=x, L=x, O=x x, OU=x, CN=x.x.x
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS Error: TLS object -> incoming plaintext read error
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS Error: TLS handshake failed
The client certificates are of the form:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=y, ST=y, L=y, O=y y, OU=y, CN=y
        Validity
            Not Before: Aug  9 13:23:53 2014 GMT
            Not After : Aug  9 13:23:53 2015 GMT
        Subject: C=x, ST=x, L=x, O=x, OU=x, CN=x
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Signed by y y
            X509v3 Subject Key Identifier:
                ...
            X509v3 Subject Alternative Name:
                DNS:x.x.x
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Authority Key Identifier:
                ...
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
I'm not clear on exactly which feature of the certificate file is causing the error, or what to change in the config file to fix it.
Edit: for additional detail, here's the server and client config:
server 172.19.1.0 255.255.255.0
local 192.168.10.10
port 1195
proto udp
dev tun
ca /etc/ssl/certs/me.pem
cert /etc/ssl/certs/local/server.crt
key /etc/ssl/private/server.key
dh dh1024.pem
ifconfig-pool-persist ipp.txt
keepalive 60 720
comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status.log
verb 3
and
client
dev tun
proto udp
remote x.x.x 1195
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/ssl/certs/me.pem
cert /etc/ssl/certs/local/server.crt
key /etc/ssl/private/server.key
ns-cert-type server
comp-lzo
verb 3
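As an added illustration, not part of the question above, the following stdlib-only Python script applies the end-entity part of OpenSSL's sslclient and sslserver purpose rules (the check whose failure OpenSSL reports as "unsupported certificate purpose") to the extension listing pasted above, so a certificate can be screened offline before it is deployed. The sample text and the rule tables are constructed here; CA/chain handling and the legacy nsSGC/msSGC EKUs are deliberately left out.

```python
import re

# Constructed sample: the extension section of the certificate listing from the post.
CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
"""

# An extension header line from `openssl x509 -text` is "<name>:" or "<name>: critical".
HEADER = re.compile(r"^([A-Za-z0-9][\w ./-]*):(?: critical)?$")

# Simplified end-entity purpose rules modelled on OpenSSL's x509_purp.c: an extension
# only restricts the certificate when it is present, and then at least one of the
# listed values must be set, otherwise the purpose is rejected.
PURPOSES = {
    "sslclient": {
        "X509v3 Extended Key Usage": {"TLS Web Client Authentication"},
        "Netscape Cert Type": {"SSL Client"},
        "X509v3 Key Usage": {"Digital Signature"},
    },
    "sslserver": {
        "X509v3 Extended Key Usage": {"TLS Web Server Authentication"},
        "Netscape Cert Type": {"SSL Server"},
        "X509v3 Key Usage": {"Digital Signature", "Key Encipherment"},
    },
}

def parse_extensions(text):
    """Map each extension name to the set of comma-separated values listed under it."""
    exts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER.match(line)
        if match:
            current = match.group(1)
            exts[current] = set()
        elif line and current is not None:
            exts[current].update(value.strip() for value in line.split(","))
    return exts

def check_purpose(exts, purpose):
    """Return the reasons `purpose` is rejected for these extensions; empty means accepted."""
    reasons = []
    for ext, accepted in PURPOSES[purpose].items():
        if ext in exts and not (exts[ext] & accepted):
            reasons.append(f"{ext} present but lacks any of {sorted(accepted)}")
    return reasons

if __name__ == "__main__":
    parsed = parse_extensions(CERT_TEXT)
    for name in PURPOSES:
        problems = check_purpose(parsed, name)
        print(name, "OK" if not problems else "REJECT: " + "; ".join(problems))
```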