Last week, testing my RoadWarrior VPN setup I came across some certificate errors. Looking back through the various timestamps I can see what the issue is. But, I’m not sure if this is a bug or just the way it works, so I’ll leave it to the more knowledgeable to decide.
Basically, the VPN server would not validate the client certificate presented. This was because the main server certificate was regenerated after creating the VPN user. The timeline, from memory and timestamps was this (I think)
- Install NS which generates initial server certificate
- Create VPN user, which generates client certificate
- Update Server Certificate to update location information
- Export VPN bundle
The issue being now, that the client certificate in the bundle is the one signed by the original NS install certificate, not the one generated when it was updated to correct the location information. Result is that the client using the exported certificate cannot connect.
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS: Initial packet from [AF_INET]192.168.0.42:49971 (via [AF_INET]192.168.0.254%eth1), sid=d5b6058f 48171534
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: C=--, ST=SomeState, L=Hometown, O=Example Org, OU=Main, CN=eddie, emailAddress=admin@nethserver.bogolinux.net
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS Error: TLS object -> incoming plaintext read error
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 TLS Error: TLS handshake failed
Sat Dec 26 15:27:05 2015 192.168.0.42:49971 SIGUSR1[soft,tls-error] received, client-instance restarting
Creating a new VPN user and exporting it’s bundle connects correctly.
Also, as I side issue, the following message is output because the CRL is never updated.
Tue Dec 29 11:06:37 2015 166.176.56.221:64978 CRL: CRL /var/lib/nethserver/certs/crl.pem is from a different issuer than the issuer of certificate C=–, ST=Some State, L=Los Angeles, O=BogoLinux Net, OU=SomeDepartment, CN=testvpn, emailAddress=admin@NethServer.BogoLinux.net
Cheers.