[Nottingham] Checking cert chains and configuring OpenSSL
Jason Irwin
jasonirwin73 at gmail.com
Tue Oct 30 17:35:51 UTC 2018
I have been following this wiki guide to set-up OpenVPN on OpenWRT:
https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive
They have a section on how to set-up OpenSSL:
https://openwrt.org/docs/guide-user/services/vpn/openssl-pki
Now I swear I have worked through this three times, each time following the exact steps but when I start OpenVPN I see this error:
OpenSSL: error:0B07C065:lib(11):func(124):reason(101)
Cannot add certificate to certificate chain (X509_STORE_add_cert)
openvpn(vpnserver)[16175]: Exiting due to fatal error
OK, some *something* is up with the keychain I guess. A quick spam of things into OpenSSL verify....
# openssl verify -verbose -CAfile ca/OpenWrt-CA.crt.pem ca/OpenVPN-ICA.crt.pem ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem
ca/OpenVPN-ICA.crt.pem: OK
ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem: OK
certs/vpn-server.crt.pem: C = XX, ST = XX, CN = XX
error 20 at 0 depth lookup:unable to get local issuer certificate
Well...that's a bit strange, but the vpn-server cert wasn't signed by the CA, it was signed by the ICA-Chain...
# openssl verify -verbose -CAfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem
certs/vpn-server.crt.pem: OK
So if the vpn-server cert is OK, why on Earth is OpenVPN getting that x509 error? Can't OpenSSL find the CA, ICA and chain at runtime? Is the "openssl.cnf" telling it to look in the wrong place? (There's nothing in the OpenVPN file about where the signing cert lives).
Or could I have messed up the index file? The CA did have a weird Serial Number...
Fundamentally I cannot figure out where I (or the guide) are wrong.
Any ideas?
--
╔═════════════╦═════════════════════════════════════════════╗
║ Jason Irwin ║ OpenPGP (GPG/PGP) Public Key: 0xD0C592B1 ║
║ ║ Import from hkp://pgp.mit.edu ║
║ ║ Follow me https://social.irrwitz.com/@jason ║
╚═════════════╩═════════════════════════════════════════════╝
More information about the Nottingham
mailing list