[Nottingham] Checking cert chains and configuring OpenSSL

Jason Irwin jasonirwin73 at gmail.com
Tue Oct 30 17:35:51 UTC 2018

I have been following this wiki guide to set up OpenVPN on OpenWRT:

They have a section on how to set up OpenSSL:

Now I swear I have worked through this three times, each time following the exact steps, but when I start OpenVPN I see this error:
    OpenSSL: error:0B07C065:lib(11):func(124):reason(101)
    Cannot add certificate to certificate chain (X509_STORE_add_cert)
    openvpn(vpnserver)[16175]: Exiting due to fatal error

OK, so *something* is up with the keychain I guess. A quick spam of things into OpenSSL verify....
    # openssl verify -verbose -CAfile ca/OpenWrt-CA.crt.pem ca/OpenVPN-ICA.crt.pem ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem 
    ca/OpenVPN-ICA.crt.pem: OK
    ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem: OK
    certs/vpn-server.crt.pem: C = XX, ST = XX, CN = XX
    error 20 at 0 depth lookup:unable to get local issuer certificate

Well... that's a bit strange, but the vpn-server cert wasn't signed by the CA; it was signed by the ICA-Chain...
    # openssl verify -verbose -CAfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem
    certs/vpn-server.crt.pem: OK

So if the vpn-server cert is OK, why on Earth is OpenVPN getting that x509 error? Can't OpenSSL find the CA, ICA and chain at runtime? Is the "openssl.cnf" telling it to look in the wrong place? (There's nothing in the OpenVPN file about where the signing cert lives).

Or could I have messed up the index file? The CA did have a weird Serial Number...

Fundamentally I cannot figure out where I (or the guide) are wrong.

Any ideas?

║ Jason Irwin ║ OpenPGP (GPG/PGP) Public Key: 0xD0C592B1    ║
║             ║ Import from hkp://pgp.mit.edu               ║
║             ║ Follow me https://social.irrwitz.com/@jason ║
