Ssl read error x509


There is a working infrastructure consisting of several OpenVPN servers and a number of clients (Windows, Linux and Android).

The client configuration files for the different platforms look practically identical, apart from minor architectural peculiarities of each platform.
All SSL certificates (server and client) used for the connection are signed by a single self-run certificate authority.

The infrastructure described worked perfectly until one moment (approximately the end of November 2016), after which absolutely all Android clients abruptly stopped connecting. No changes were made to the server/client configuration. OpenVPN clients on other platforms continue to work without problems.

Error on the Android device when attempting to connect:

OpenVPN server certificate verification failed: PolarSSL: SSL read error: X509 - Certificate verification failed, e.q. CRL, CA or signature check failed.

Full version of the log: (screenshot, continued in a second screenshot)

Server log at the moment of connection:

Wed Feb  1 22:53:11 2017 us=989593 MULTI: multi_create_instance called
Wed Feb  1 22:53:11 2017 us=989754 Re-using SSL/TLS context
Wed Feb  1 22:53:11 2017 us=989905 LZO compression initialized
Wed Feb  1 22:53:11 2017 us=990087 Control Channel MTU parms [ L:1560 D:168 EF:68 EB:0 ET:0 EL:0 ]
Wed Feb  1 22:53:11 2017 us=990149 Data Channel MTU parms [ L:1560 D:1450 EF:60 EB:135 ET:0 EL:0 AF:3/1 ]
Wed Feb  1 22:53:11 2017 us=991052 Local Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_SERVER,comp-lzo,keydir 0,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-server'
Wed Feb  1 22:53:11 2017 us=991138 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1560,tun-mtu 1500,proto TCPv4_CLIENT,comp-lzo,keydir 1,cipher AES-256-CBC,auth SHA1,keysize 256,tls-auth,key-method 2,tls-client'
Wed Feb  1 22:53:11 2017 us=991187 Local Options hash (VER=V4): '9915e4a2'
Wed Feb  1 22:53:11 2017 us=991226 Expected Remote Options hash (VER=V4): '2f2c6498'
Wed Feb  1 22:53:11 2017 us=991277 TCP connection established with [AF_INET]192.168.0.104:58009
Wed Feb  1 22:53:11 2017 us=991309 TCPv4_SERVER link local: [undef]
Wed Feb  1 22:53:11 2017 us=991340 TCPv4_SERVER link remote: [AF_INET]192.168.0.104:58009
RWed Feb  1 22:53:11 2017 us=991762 192.168.0.104:58009 TLS: Initial packet from [AF_INET]192.168.0.104:58009, sid=d7485053 5ae035e5
WRWRWWWWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRWRW
Wed Feb  1 22:53:12 2017 us=157279 192.168.0.104:58009 Connection reset, restarting [0]
Wed Feb  1 22:53:12 2017 us=157426 192.168.0.104:58009 SIGUSR1[soft,connection-reset] received, client-instance restarting
Wed Feb  1 22:53:12 2017 us=157552 TCP/UDP: Closing socket

Version of the OpenVPN client for Android:

OpenVPN Connect 1.1.17 (build 76)
OpenVPN core 3.0.12 android armv7a thumb2 32-bit built on May 24 2016 09:42:05

OpenVPN version on the server:

OpenVPN 2.3.6 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Dec  2 2014
library versions: OpenSSL 1.0.1e-fips 11 Feb 2013, LZO 2.03

Note: this error also occurs when trying to connect to a server running a newer version.

If the Android configuration with all its files, certificates etc. is moved to any other platform, everything is OK.
Moreover, this error appeared at the same moment for all Android devices (tablets, phones) connecting from different places (different ISPs) to different servers (different hosting providers).
To this day I have not found the cause of this error or a way to resolve it :(

Comrades, colleagues, please share any thoughts and arguments on this. If necessary I will post the server/client configuration files or any other information of interest.

So what's the problem???
It connects perfectly with the server's default certificate, but when I install the signed certificate from RapidSSL I get the PolarSSL error. I attached two pictures and tested both OpenVPN Connect and OpenVPN for Android; see the error and tell me how to fix it???
I have placed the OpenVPN config below; if you can help me, please help me.
PLEASE SOMEONE HELP ME

OpenVPN Config:
###############################################################################
# OpenVPN 2.0 Sample Configuration File
# for PacketiX VPN / SoftEther VPN Server
#
# !!! AUTO-GENERATED BY SOFTETHER VPN SERVER MANAGEMENT TOOL !!!
#
# !!! YOU HAVE TO REVIEW IT BEFORE USE AND MODIFY IT AS NECESSARY !!!
#
# This configuration file is auto-generated. You may use this config file
# to connect to the PacketiX VPN / SoftEther VPN Server.
# However, before you try it, you should review the descriptions in the file
# to determine whether it needs to be modified to suit your real environment.
# If necessary, adjust the file accordingly.
# For example, the IP address or the hostname of the destination VPN Server
# should be confirmed.
#
# Note that to use OpenVPN 2.0, you have to put the certificate file of
# the destination VPN Server on the OpenVPN Client computer when you use this
# config file. Please refer to the descriptions below carefully.

###############################################################################
# Specify the type of the layer of the VPN connection.
#
# To connect to the VPN Server as a "Remote-Access VPN Client PC",
# specify 'dev tun'. (Layer-3 IP Routing Mode)
#
# To connect to the VPN Server as bridging equipment for a "Site-to-Site VPN",
# specify 'dev tap'. (Layer-2 Ethernet Bridging Mode)

dev tun

###############################################################################
# Specify the underlying protocol used across the Internet.
# Note that this setting must correspond to the listening setting on
# the VPN Server.
#
# Specify either 'proto tcp' or 'proto udp'.

proto udp

###############################################################################
# The destination hostname / IP address, and port number of
# the target VPN Server.
#
# You have to specify it as 'remote <HOSTNAME> <PORT>'. You can also
# specify the IP address instead of the hostname.
#
# Note that the auto-generated hostname below is the "auto-detected
# IP address" of the VPN Server. You have to confirm that it is correct
# beforehand.
#
# When you want to connect to the VPN Server using the TCP protocol,
# the destination TCP port number should be the same as one of
# the available TCP listeners on the VPN Server.
#
# When you use the UDP protocol, the port number must be the same as the
# "OpenVPN Server Compatible Function" setting on the VPN Server.

remote www.Mobi.JellyVPN.com 1194

###############################################################################
# The HTTP/HTTPS proxy setting.
#
# Only if you have to use the Internet via a proxy, uncomment the below
# two lines and specify the proxy address and the port number.
# In the case of proxy authentication, refer to the OpenVPN manual.

;http-proxy-retry
;http-proxy [proxy server] [proxy port]

###############################################################################
# The encryption and authentication algorithm.
#
# Default setting is good. Modify it as you prefer.
# When you specify an unsupported algorithm, the error will occur.
#
# The supported algorithms are as follows:
# cipher: [NULL-CIPHER] NULL AES-128-CBC AES-192-CBC AES-256-CBC BF-CBC
# CAST-CBC CAST5-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC
# RC2-40-CBC RC2-64-CBC RC2-CBC
# auth: SHA SHA1 MD5 MD4 RMD160

cipher AES-128-CBC
auth SHA1

###############################################################################
# Other parameters necessary to connect to the VPN Server.
#
# It is not recommended to modify it unless you have a particular need.

resolv-retry infinite
nobind
persist-key
persist-tun
client
verb 3
auth-user-pass

###############################################################################
# The certificate file of the destination VPN Server.
#
# The CA certificate file is embedded in the inline format.
# You can replace this CA contents if necessary.
# Please note that if the server certificate is not self-signed, you have to
# specify the signer's root certificate (CA) here.

<ca>
-----BEGIN CERTIFICATE-----
MIIFMDCCBBigAwIBAgIDEw44MA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT
MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew
HhcNMTQwNTI2MTE0NTU0WhcNMTUwNTI0MDMzNjU0WjCBxDEpMCcGA1UEBRMgQ3lB
eGxmN3hCOGh5Uk1QSjJVT2gyRXMzRXo3dnRwT3oxEzARBgNVBAsTCkdUMzA2OTE0
ODQxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg
KGMpMTQxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk
U1NMKFIpMR4wHAYDVQQDExV3d3cubW9iaS5qZWxseXZwbi5jb20wggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLwHMLbHWygH5LzwS83C8DSYaFY+FRCokT
ImAX49C8JjfH7dL7vWzSOfzgGatQ6kliH09EZLLvjTIvxhwvRtlC7b9CGkN5cQ+l
MprLjQPhlvoCktY3369inMcOWDMxc60glB5/21YBfGI77aM4g9XnOEs3OCoT9uNe
4NKFIrX54Ei0n5wvo4xRe1WvN6vHOOac9RDb4lTcWNDHS/EtnqZFLY/NMJnLsJGP
U13DnV4MQ14Xg6BEPctLrrYZ8zixit/Kejhgyj/W2Xw/u8Jjva0c6MUTO6Ll5vBq
*******
MA0GCSqGSIb3DQEBBQUAA4IBAQCrKMhDnjMAVHutDKnWl8uYHu3hr3qupxrsj44r
JijGehVg7zEFdVBIcM3z39hzlCValQQuzac5CqMUO76eFwVwagBrTA7AaBX8+wLi
H2DCozY9XBlWoLtjA8rZLW6FtIkax2TMSrKF+xqKKSk4kzzWvmG2erCa8N5rlE0V
8J9fXlXH/SE90tU0X7eH6Sgjz8b3koKveQJHUp0j9zOf5xM3co1f6AJUnhJ888/3
/RIET3EA57FSUSXZvWM/ljKidh0ILOng4AftMQ9TcyIfNuDZOqzYXxblzvlR/THX
bQRS39bB2i7XmeJWkJ5rXb4Ts5q6PBeGwBsCnHAHuYgF2Mof
-----END CERTIFICATE-----
</ca>

###############################################################################
# The client certificate file (dummy).
#
# In some implementations of OpenVPN Client software
# (for example: OpenVPN Client for iOS),
# a pair of client certificate and private key must be included on the
# configuration file due to the limitation of the client.
# So this sample configuration file has a dummy pair of client certificate
# and private key as follows.

<cert>
-----BEGIN CERTIFICATE-----
MIIDRzCCAi+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBnMRwwGgYDVQQDExMzMzMz
NjA3NzI2NzgyOTg5NzAxMRwwGgYDVQQKExMzMzMzNjA3NzI2NzgyOTg5NzAxMRww
GgYDVQQLExMzMzMzNjA3NzI2NzgyOTg5NzAxMQswCQYDVQQGEwJVUzAeFw0xNDA1
MjcyMDU3MTNaFw0zNjEyMzEyMDU3MTNaMGcxHDAaBgNVBAMTEzMzMzM2MDc3MjY3
ODI5ODk3MDExHDAaBgNVBAoTEzMzMzM2MDc3MjY3ODI5ODk3MDExHDAaBgNVBAsT
EzMzMzM2MDc3MjY3ODI5ODk3MDExCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAqp6bxCB6mWoGjTk26uJvrykw3PzUs/fn+f3dbnFP
****
U1Dbr8UkyT0+4p32ohyZZH909uCc56KRpu8Ro8rUX4NO75Z5GW/jCo3zGbf3sLYv
g1hW0RsnlaaoppYGOghsA5cuLkOy7aDWbH8EprGnVQhRRN8FHMiXh1Uzq6togL7x
I0PD1liWOKCkJwJ4O+xO8Lui/cgLwqhX7kz24jfzu3J9n4Zc0fe+xtn1fd9lJe0f
j8CMaOjXAJREI9iXrsnQXfdBgF4qj5omm4gk
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAqp6bxCB6mWoGjTk26uJvrykw3PzUs/fn+f3dbnFPqdJDYYqy
6cVyzvrNoND4pmWp7rOWT+TCzxnZ1gwbjOf02Mp0ud0AUheyJKxB/Vjwtv4ycX0U
ZgxumVsOrSdEuvOlgMsiRYOJV8m+GCtbKZ3O7Ic4WqtZQTk9M0jiiGd1DqotC0j7
*****
myy2iuM+D1KzvcgYCeEVwhPQsAzYognA3iix04PFR7QYeFGtk1KeXdZZmwztgTnI
RV5CZK6iqCeaXv9oJ2OuBH/5iniGcCjHcNGNCP5jy0CxVY60bVn1n8k=
-----END RSA PRIVATE KEY-----
</key>


When configuring your SSL certificates on Nginx, it’s not uncommon to see several errors when you try to reload your Nginx configuration, to activate the SSL Certificates.

This post describes the following type of errors:

  • PEM_read_bio_X509: ASN1_CHECK_TLEN:wrong tag error
  • PEM_read_bio_X509_AUX: Expecting: TRUSTED CERTIFICATE
  • SSL_CTX_use_PrivateKey_file: bad base64 decode error

Read on for more details.

Nginx PEM_read_bio_X509: ASN1_CHECK_TLEN:wrong tag error

These kind of errors pop up when your certificate file isn’t valid. The entire error looks like this.

$ service nginx restart

nginx: [emerg] PEM_read_bio_X509("/etc/nginx/ssl/mydomain.tld/certificate.crt") failed (SSL: error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:Type=X509_CINF error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:Field=cert_info, Type=X509 error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib)

Start troubleshooting by reading the SSL certificate with the OpenSSL CLI. Chances are OpenSSL will show an error as well, confirming that the certificate file isn't valid.

In the example above, the SSL certificate is in /etc/nginx/ssl/mydomain.tld/certificate.crt, so the following examples continue to use that file.

$ openssl x509 -text -noout -in /etc/nginx/ssl/mydomain.tld/certificate.crt
unable to load certificate
139894337988424:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:

If that’s your output, you have confirmation: your SSL certificate is corrupt. It’s got unsupported ASCII characters, it’s missing a part, some copy/paste error caused extra data to be present, … Bottom line: your certificate file won’t work.

You can test a few things yourself, such as line-ending issues (Linux vs. Windows line endings remain a common problem). Open the file in binary mode in vi: if you see ^M at the end of every line, the file has Windows line endings instead of Unix ones.

$ vi -b /etc/nginx/ssl/mydomain.tld/certificate.crt
-----BEGIN CERTIFICATE-----^M
MIIFUjCCBDqgAwIBAgIKYsvzdQAAAAAAzTANBgkqhkiG9w0BAQUFADBOMQswCQYD^M
...

Replace the Windows line endings with "normal" Unix line endings (\n instead of \r\n).

If your SSL certificate file contains multiple certificates, such as intermediate or CA root certificates, it's important to check each of them separately. You can find out how many there are by counting the "-----BEGIN CERTIFICATE-----" lines in the file.

If you’ve got multiple certificates, copy/paste each one to a different file and run the openssl example above. Each should give you valid output from the SSL certificate.

$ grep 'BEGIN CERTIFICATE' /etc/nginx/ssl/mydomain.tld/certificate.crt
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE-----

The output above shows that the SSL Certificate file contains 3 individual SSL certificates. Copy/paste them all in separate files and validate if they work. If one of them gives you errors, fix that one: find the wrong ASCII characters, fix the new lines, check if you copy/pasted it correctly from your vendor, …

The "nginx: [emerg] PEM_read_bio_X509" error means your Nginx configuration is probably correct; it's the SSL certificate file itself that is invalid.

Nginx PEM_read_bio_X509_AUX: Expecting: TRUSTED CERTIFICATE

This is an error that is usually resolved very quickly. The file your config points to isn't a certificate file, at least not according to Nginx.

$ service nginx configtest

nginx: [emerg] PEM_read_bio_X509_AUX("/etc/nginx/ssl/mydomain.tld/certificate.crt") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /etc/nginx/nginx.conf test failed

This can happen if you’ve accidentally swapped your private key and SSL certificate in either your files, or in the Nginx configuration.

Your Nginx config will contain these kind of lines for its SSL configuration.

ssl_certificate             /etc/nginx/ssl/mydomain.tld/certificate.crt;
ssl_certificate_key         /etc/nginx/ssl/mydomain.tld/certificate.key;

Check if the ssl_certificate file is indeed your SSL certificate and if the ssl_certificate_key is indeed your key. It’s not uncommon to mix these up if you’re in a hurry or distracted and save the wrong contents to the wrong file.
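The checks described above (counting the certificates in a bundle, validating each one on its own, spotting Windows line endings, and making sure the file behind ssl_certificate really is a certificate and not the private key) can be scripted. The following POSIX shell script is an added example, not code from the original post; it assumes only that the openssl CLI is installed, and the function names (has_crlf, pem_label, count_certs, check_bundle, make_sample_bundle) and the self-signed sample certificates it generates are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not code from the original article): inspect a PEM file the
# way the text suggests, using the openssl CLI (assumed to be installed).
# It detects Windows line endings, counts the certificates in a bundle,
# parses each certificate on its own so a single corrupt block is pinpointed,
# and reports which PEM label a file carries so a swapped key/certificate
# pair is caught before nginx is reloaded.

# has_crlf FILE -> exit 0 if the file contains carriage returns (the ^M that
# "vi -b" shows at the end of every line).
has_crlf() {
    [ "$(tr -cd '\r' < "$1" | wc -c | tr -d ' ')" -gt 0 ]
}

# pem_label FILE -> the label of the first PEM block, e.g. "CERTIFICATE",
# "PRIVATE KEY" or "RSA PRIVATE KEY"; exit 1 if there is no PEM header at all.
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----.*$/\1/p' "$1" | head -n 1 | grep .
}

# count_certs FILE -> number of "-----BEGIN CERTIFICATE-----" lines.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# check_bundle FILE -> parse every certificate block separately; exit 0 only
# if each one loads. Prints "cert N: subject=..." or "cert N: INVALID".
check_bundle() {
    file=$1
    n=$(count_certs "$file")
    [ "$n" -gt 0 ] || { echo "no certificates found in $file"; return 1; }
    tmp=$(mktemp -d)
    # awk copies each BEGIN..END block into its own file $tmp/cert-N.pem
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$file"
    status=0
    i=1
    while [ "$i" -le "$n" ]; do
        if subj=$(openssl x509 -noout -subject -in "$tmp/cert-$i.pem" 2>/dev/null); then
            echo "cert $i: $subj"
        else
            echo "cert $i: INVALID"
            status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $status
}

# make_sample_bundle DIR -> constructed fixtures written into DIR:
#   good.pem     two freshly generated self-signed certificates
#   corrupt.pem  the same bundle with stray characters inside the first block
#   crlf.pem     the same bundle with Windows line endings
make_sample_bundle() {
    dir=$1
    for name in alpha beta; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name.example" \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    done
    cat "$dir/alpha.crt" "$dir/beta.crt" > "$dir/good.pem"
    # a copy/paste accident: four characters that are not valid base64 on line 5
    sed '5s/^/@@@@/' "$dir/good.pem" > "$dir/corrupt.pem"
    awk '{ printf "%s\r\n", $0 }' "$dir/good.pem" > "$dir/crlf.pem"
}

# demo -> build the fixtures and run every check on them.
demo() {
    dir=$(mktemp -d)
    make_sample_bundle "$dir"
    for f in good corrupt crlf; do
        echo "== $f.pem: label=$(pem_label "$dir/$f.pem") certs=$(count_certs "$dir/$f.pem")"
        has_crlf "$dir/$f.pem" && echo "   Windows line endings present"
        check_bundle "$dir/$f.pem"
    done
    echo "== alpha.key: label=$(pem_label "$dir/alpha.key")"
    rm -rf "$dir"
}

if [ "${1-}" = "demo" ]; then demo; fi
```

Run it as `sh check_pem.sh demo` to see the report; in a deployment script, call check_bundle on the file named by ssl_certificate and pem_label on both files before reloading nginx, and abort if either check fails. Splitting the bundle before parsing matters because openssl x509 stops at the first block and would never report a corrupt intermediate further down the file.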

Nginx SSL_CTX_use_PrivateKey_file: bad base64 decode error

Another common error in Nginx configurations is the following one.

$ service nginx configtest

nginx: [emerg] SSL_CTX_use_PrivateKey_file("/etc/nginx/ssl/mydomain.tld/certificate.key") failed (SSL: error:0906D064:PEM routines:PEM_read_bio:bad base64 decode error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib)
nginx: configuration file /etc/nginx/nginx.conf test failed

Note how the Nginx SSL error points to the .key file this time. The problem is with the SSL key, not the SSL certificate.

This error indicates that the private key you pointed your configuration to, doesn’t match the SSL Certificate.

You can validate whether private key and SSL certificate match by calculating their MD5 hash. If they don’t match, you have to find either the right certificate or the right private key file.

One of them is wrong and needs to be replaced. With this error, it’s impossible to know which one is wrong. Your best bet is to read the info from the SSL certificate, determine if that’s the correct SSL certificate (check expiration date, SANs, Common Name, …), and find the matching key (which should have been created when you generated your Certificate Signing Request, CSR).

For the SSL "key values mismatch" issue, it means the private key file does not match the certificate. There are two main reasons:

  • the key values in the private key, CSR and certificate file do not match
  • the certificate chain order is not correct

Error message: Cannot load SSL private key file. Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch.

What is an SSL certificate

Server certificates are the most popular type of X.509 certificate. SSL/TLS certificates are issued to hostnames (machine names like ‘ABC-SERVER-02’ or domain names like google.com).

A server certificate is a file installed on a website’s origin server. It’s simply a data file containing the public key and the identity of the website owner, along with other information. Without a server certificate, a website’s traffic can’t be encrypted with TLS.

Technically, any website owner can create their own server certificate, and such certificates are called self-signed certificates. However, browsers do not consider self-signed certificates to be as trustworthy as SSL certificates issued by a certificate authority.

Understanding SSL certificates

How to get an SSL server certificate

  • generate a key pair
  • use this key pair to generate a certificate signing request (CSR) that contains the public key and domain name of our website
  • upload the request to a certificate authority
  • download the certificate and install it on our web server along with the key pair

Verifying Our Keys Match

To verify that the public and private keys match, extract the public key from the CSR, the certificate and the key file, and generate a hash of each.

All three files should share the same public key and the same hash value.

Before we run the verification command:

  • Make sure our CSR, certificate and key are in PEM format. If not, convert them using the openssl command
  • Check the hash of the public key to ensure that it matches the one in the private key

Use the following commands to generate a hash of each file’s public key:

  • openssl pkey -pubout -in private.key | openssl sha256
  • openssl req -pubkey -in request.csr -noout | openssl sha256
  • openssl x509 -pubkey -in certificate.crt -noout | openssl sha256

Each command will output (stdin)= followed by a string of characters. If the output of each command matches, then the keys for each file are the same.

If we run into a key mismatch error, we need to do one of the following:

  • Transfer the private key from the machine used to generate the CSR to the one we are trying to install the certificate on.
  • Install the certificate on the machine with the private key.
  • Generate an entirely new key and create a new CSR on the machine that will use the certificate.

Check the certificate order

If the server certificate and the bundle have been concatenated in the wrong order, we also get this key values mismatch error. In this case, we need to put the server certificate on top of the certificate file.

  • Before (which is wrong) : cat ca_bundle.crt server_certificate.crt > bundle_chained.crt
  • After (which is right): cat server_certificate.crt ca_bundle.crt > bundle_chained.crt
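The three "public key hash" commands from the previous section and the chain-order rule above are easy to get subtly wrong by hand (for example, OpenSSL 3 prints the digest as "SHA2-256(stdin)= ..." rather than "(stdin)= ...", so a script should read the last field rather than match the prefix). The following POSIX shell script is an added example, not code from the original article; it assumes only the openssl CLI, and the function names (pubkey_pem, pubkey_hash, keys_match, chain_in_order, verify_leaf, make_fixture) and the throwaway CA and server certificate it generates are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not code from the original article): the three "public key
# hash" commands from the text wrapped in a comparison, a check that a
# concatenated bundle lists the server certificate first, and a path
# validation of the leaf against its CA. Assumes only the openssl CLI; the
# fixture key, CSR and certificates are generated on the fly.

# pubkey_pem KIND FILE -> the PEM public key held in a private key (key),
# a CSR (csr) or a certificate (crt); these are the three commands from the text.
pubkey_pem() {
    case "$1" in
        key) openssl pkey -pubout -in "$2" ;;
        csr) openssl req -pubkey -noout -in "$2" ;;
        crt) openssl x509 -pubkey -noout -in "$2" ;;
        *)   echo "unknown kind: $1" >&2; return 2 ;;
    esac
}

# pubkey_hash KIND FILE -> SHA-256 of that public key, or exit 1 when the
# file cannot be parsed (an unreadable file must not silently hash to the
# digest of an empty string and then "match" another unreadable file).
pubkey_hash() {
    pem=$(pubkey_pem "$1" "$2" 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{ print $NF }'
}

# keys_match KEY CSR CRT -> exit 0 only if all three carry the same public key.
keys_match() {
    k=$(pubkey_hash key "$1") || return 1
    r=$(pubkey_hash csr "$2") || return 1
    c=$(pubkey_hash crt "$3") || return 1
    [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# chain_in_order BUNDLE -> exit 0 if every certificate's issuer is the subject
# of the certificate that follows it, i.e. leaf first, then its intermediates.
# crl2pkcs7 | pkcs7 -print_certs prints subject= and issuer= per block, in
# file order, so no manual splitting of the bundle is needed.
chain_in_order() {
    listing=$(openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout) || return 1
    printf '%s\n' "$listing" | awk '
        BEGIN { n = 0 }
        /^subject=/ { sub(/^subject=/, ""); subj[n] = $0 }
        /^issuer=/  { sub(/^issuer=/, "");  iss[n] = $0; n++ }
        END {
            if (n < 2) exit 1
            for (i = 0; i < n - 1; i++)
                if (iss[i] != subj[i + 1]) exit 1
        }'
}

# verify_leaf CA LEAF -> exit 0 if LEAF chains to the CA certificate: the
# same path validation a TLS client does before it trusts a server.
verify_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_fixture DIR -> constructed sample material: a throwaway CA, a server
# key/CSR/certificate signed by it, an unrelated key, and two bundles.
make_fixture() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Example-Test-CA \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=www.example.test \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/server.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$dir/other.key" 2>/dev/null
    cat "$dir/server.crt" "$dir/ca.crt" > "$dir/good.pem"   # server on top: right
    cat "$dir/ca.crt" "$dir/server.crt" > "$dir/bad.pem"    # CA on top: wrong
}

# demo -> build the fixtures and show each check on them.
demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    for f in server.key server.csr server.crt other.key; do
        echo "$f: $(pubkey_hash "${f##*.}" "$dir/$f")"
    done
    keys_match "$dir/server.key" "$dir/server.csr" "$dir/server.crt" && echo "server.key/csr/crt: match"
    keys_match "$dir/other.key" "$dir/server.csr" "$dir/server.crt" || echo "other.key: key values mismatch"
    chain_in_order "$dir/good.pem" && echo "good.pem: server certificate on top"
    chain_in_order "$dir/bad.pem" || echo "bad.pem: chain order is wrong"
    verify_leaf "$dir/ca.crt" "$dir/server.crt" && echo "server.crt: verifies against ca.crt"
    rm -rf "$dir"
}

if [ "${1-}" = "demo" ]; then demo; fi
```

Run `sh check_keys.sh demo` to see the four hashes side by side (three equal, one different) and the two bundle verdicts. Comparing the hash of the public key, rather than the key files themselves, works across key types because pkey, req and x509 all emit the same SubjectPublicKeyInfo PEM.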

Check SSL Certificate Chain with OpenSSL Examples

The working certificate bundle file should look like the following:

  • server certificate
  • intermediate certificate 1
  • intermediate certificate 2, if there is one

server certificate:
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-your-request
-this-is-the-certificate-that-signed-your-request-this
-is-the-certificate-that-signed-your-request-this-is-t
he-certificate-that-signed-your-request-this-is-the-ce
rtificate-that-signed-your-request-A
-----END CERTIFICATE-----
intermediate certificate:
-----BEGIN CERTIFICATE-----
MIICC-this-is-the-certificate-that-signed-for-that-one
-this-is-the-certificate-that-signed-for-that-one-this
-is-the-certificate-that-signed-for-that-one-this-is-t
he-certificate-that-signed-for-that-one-this-is-the-ce
rtificate-that-signed-for-that-one-this-is-the-certifi
cate-that-signed-for-that-one-AA
-----END CERTIFICATE-----

