OpenVpn and no server certificate verification method


(Mark Edworthy) #1

Hi, I have set up OpenVPN (bridge / tap mode) and installed the client's crt, p12, pem and ovpn files on a workstation (external to my network; I am connecting via dynamic DNS). Now when I try to connect from the workstation, I receive a couple of errors:

1st error message – "Warning: no server certificate verification method has been enabled."
2nd error – "Cannot load inline certificate file: error:0906D06C:PEM routines:PEM_read_bio;no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib"

Has anybody any idea why this is not working?


(Mark Edworthy) #2

I have just checked and found out that the pkcs12 (p12) file contains nothing (0 bytes) and, when looking in the ovpn, the file contains the ca and key but nothing within the <cert> section.


(Mark Edworthy) #3

To give people an idea of my problem, I am including a sample ovpn file in this post.
Please note the redacted information and lack of cert information.


(Mark Edworthy) #4

I have just checked and found that both the user's p12 and crt files (/var/lib/nethserver/certs/) contain no information (0 bytes).


(Mark Edworthy) #5

For the moment, I have set NS to accept user names/passwords (and CA) only.
I think for my use, it will be easier not to create certificates for each individual user.


(Giacomo Sanchietti) #6

This is odd.
Can you search inside /var/log/messages for any error?


(Mark Edworthy) #7

@giacomo, I will check the messages a bit later.

Question: I have multiple users that use one terminal / (MS Win) Desktop account, and I am thinking about security over OpenVPN. I can see that it would cause more problems / need more end-user training if there were more than one user certificate per Desktop session.

So, is there a way of securing authentication where users use a shared certificate / authentication method (e.g. using a PSK key) rather than relying on names / passwords alone?


(Mark Edworthy) #8

@giacomo, here is a transcript of the messages log. I have created a user (guest01) and have associated it with OpenVPN (certificates only):

May 8 22:39:50 server kernel: br0: port 2(tap0) entering forwarding state
May 8 22:40:05 server /sbin/e-smith/db[23897]: /var/lib/nethserver/db/accounts: OLD guest01=user|City||Company||Department||FirstName|Guest|LastName|01|MailStatus|disabled|PhoneNumber||Samba|disabled|Shell|/usr/libexec/openssh/sftp-server|Street||Uid|5014|VPNClientAccess|no|VPNRemoteNetmask||VPNRemoteNetwork||__state|active
May 8 22:40:05 server /sbin/e-smith/db[23897]: /var/lib/nethserver/db/accounts: NEW guest01=user|City||Company||Department||FirstName|Guest|LastName|01|MailStatus|disabled|PhoneNumber||Samba|disabled|Shell|/usr/libexec/openssh/sftp-server|Street||Uid|5014|VPNClientAccess|yes|VPNRemoteNetmask||VPNRemoteNetwork||__state|active
May 8 22:40:05 server httpd-admin: [ERROR] NethServer\Module\VPN\Accounts\Modify: /usr/bin/sudo /usr/libexec/nethserver/pki-vpn-gencert guest01 failed
May 8 22:40:05 server esmith::event[23906]: Event: nethserver-vpn-save
May 8 22:40:05 server esmith::event[23906]: expanding /etc/openvpn/host-to-net.conf
May 8 22:40:05 server esmith::event[23906]: Action: /etc/e-smith/events/actions/generic_template_expand SUCCESS [0.127612]
May 8 22:40:05 server esmith::event[23906]: Action: /etc/e-smith/events/nethserver-vpn-save/S20nethserver-openvpn-delserver SUCCESS [0.055206]
May 8 22:40:06 server esmith::event[23906]: Action: /etc/e-smith/events/nethserver-vpn-save/S30nethserver-ipsec-synchronize-l2tpusers SUCCESS [0.444968]
May 8 22:40:06 server esmith::event[23906]: Action: /etc/e-smith/events/nethserver-vpn-save/S30nethserver-openvpn-net2net SUCCESS [0.072409]
May 8 22:40:06 server esmith::event[23906]: [INFO] service openvpn restart
May 8 22:40:06 server esmith::event[23906]: Shutting down openvpn: Fri May 8 22:40:06 2015 TUN/TAP device tap0 opened
May 8 22:40:06 server kernel: br0: port 2(tap0) entering disabled state
May 8 22:40:07 server kernel: device tap0 left promiscuous mode
May 8 22:40:07 server kernel: br0: port 2(tap0) entering disabled state
May 8 22:40:07 server esmith::event[23906]: Fri May 8 22:40:07 2015 Persist state set to: OFF
May 8 22:40:07 server esmith::event[23906]: [ OK ]#015
May 8 22:40:08 server ntpd[2461]: Deleting interface #14 tap0, (mac address redacted)#123, interface stats: received=0, sent=0, dropped=0, active_time=30 secs
May 8 22:40:08 server ntpd[2461]: peers refreshed
May 8 22:40:09 server esmith::event[23906]: Starting openvpn: Fri May 8 22:40:09 2015 TUN/TAP device tap0 opened
May 8 22:40:09 server esmith::event[23906]: Fri May 8 22:40:09 2015 Persist state set to: ON
May 8 22:40:09 server kernel: device tap0 entered promiscuous mode
May 8 22:40:09 server kernel: br0: port 2(tap0) entering forwarding state
May 8 22:40:09 server esmith::event[23906]: [ OK ]#015
May 8 22:40:09 server esmith::event[23906]: [INFO] openvpn restart
May 8 22:40:09 server esmith::event[23906]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [2.775868]
May 8 22:40:09 server esmith::event[23906]: Event: nethserver-vpn-save SUCCESS
May 8 22:40:12 server ntpd[2461]: Listen normally on 15 tap0 (mac address redacted) UDP 123
May 8 22:40:12 server ntpd[2461]: peers refreshed

I am still getting 0 bytes on p12 and crt files.


(Giacomo Sanchietti) #9

Yes, the most secure authentication scheme is the certificate (RSA private/public key).

Here is the error.
Login to a shell and, as a root user, execute:

/usr/libexec/nethserver/pki-vpn-gencert guest01

Any error reported?
Otherwise we need to modify the script to output something more.
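As an added example (not code from any poster in this thread or from NethServer), a small client-side check that catches both symptoms reported in the first posts: an empty inline <cert> block, which is what produces the "no start line" error, and the absence of any server-certificate verification directive, which is what produces the warning. The profile text and the file path it checks are constructed placeholders.

```python
import os
import re

# Constructed client profile reproducing the thread's symptom: <ca> and <key>
# hold placeholder PEM bodies (not real material), <cert> is empty, and no
# server-certificate verification directive is present.
SAMPLE_OVPN = """client
dev tap
proto udp
remote vpn.example.invalid 1194
<ca>
-----BEGIN CERTIFICATE-----
MIIB...placeholder...
-----END CERTIFICATE-----
</ca>
<cert>
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIE...placeholder...
-----END PRIVATE KEY-----
</key>
"""

# Any one of these makes OpenVPN stop printing the "no server certificate
# verification method" warning; 'remote-cert-tls server' is the usual choice.
VERIFY_DIRECTIVES = ("remote-cert-tls", "verify-x509-name", "ns-cert-type",
                     "tls-verify", "peer-fingerprint")


def inline_block(text, tag):
    """Return the body of an inline <tag>...</tag> block, or None if absent."""
    m = re.search(r"^<%s>\n(.*?)^</%s>" % (tag, tag), text, re.S | re.M)
    return None if m is None else m.group(1)


def lint_ovpn(text):
    """Return a list of findings for a client profile; empty means it passes."""
    findings = []
    for tag in ("ca", "cert", "key"):
        body = inline_block(text, tag)
        if body is None:
            findings.append("%s: inline block missing" % tag)
        elif "-----BEGIN" not in body:
            # Exactly the state behind "PEM_read_bio:no start line" in the thread.
            findings.append("%s: block present but empty (no PEM start line)" % tag)
    if not re.search(r"^(%s)\b" % "|".join(VERIFY_DIRECTIVES), text, re.M):
        findings.append("no server certificate verification directive; add "
                        "'remote-cert-tls server'")
    return findings


def empty_cert_files(paths):
    """Return the paths (e.g. a user's .crt/.p12) that are missing or 0 bytes."""
    return [p for p in paths if not os.path.isfile(p) or os.path.getsize(p) == 0]
```

Run lint_ovpn on the generated .ovpn and empty_cert_files on the user's .crt/.p12 paths before handing a profile to a workstation; both return an empty list when the profile is usable.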