
The error message is clear enough. Some cert data isn't valid. But the debugging data provided seems a bit meager to me. How do I find cert 128? What is confusing is this file is up to date, so this bug cannot be unique to me, yet I don't find these error messages in searches.

uname -a FreeBSD peets 11.0-RELEASE-p9 FreeBSD 11.0-RELEASE-p9 #0: Tue Apr 11 08:48:40 UTC 2017     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64


Jul  1 00:25:37 peets openvpn[57897]: OpenVPN 2.4.3 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jun 24 2017
Jul  1 00:25:37 peets openvpn[57897]: library versions: OpenSSL 1.0.2k-freebsd  26 Jan 2017, LZO 2.10
Jul  1 00:25:37 peets openvpn[57898]: Diffie-Hellman initialized with 4096 bit key
Jul  1 00:25:37 peets openvpn[57898]: Cannot load CA certificate file /usr/local/share/certs/ca-root-nss.crt (entry 128 did not validate)
Jul  1 00:25:37 peets openvpn[57898]: Cannot load CA certificate file /usr/local/share/certs/ca-root-nss.crt (only 169 of 170 entries were valid X509 names)
Jul  1 00:25:37 peets openvpn[57898]: Exiting due to fatal error
gariac
  • You can extract entry 128 using perl one-liner: `perl -lne '$n++ if /BEGIN CERTIFICATE/; print if (/BEGIN CERTIFICATE/../END CERTIFICATE/) && $n == 128' /usr/local/share/certs/ca-root-nss.crt` and then check it using `openssl x509` – citrin Jul 01 '17 at 03:27
  • That did the trick. It was the startcom cert. For anyone using this as a reference, you do need to back up to the end of the previous cert to start deleting lines. Very obvious once you have the file open. Thanks a bunch. Additional info is Startcom is part of WoSign and that should ring a bell. They were issuing certs based on subdomains in a manner that could be hacked to issue certs to just about any domain. – gariac Jul 01 '17 at 06:11
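The comments above give the manual version: pull out entry 128 with a perl one-liner, feed it to `openssl x509`, then delete it by hand together with the descriptive lines above it. The script below is an added example, not code from the original post or from the OpenVPN or FreeBSD projects. It generalizes the same idea to the whole bundle: it reports every entry that `openssl x509` cannot parse (the index is the 1-based count of `BEGIN CERTIFICATE` lines, the same numbering the one-liner uses) and can write a copy of the bundle with one entry removed, taking the text between the previous `END CERTIFICATE` line and that entry with it. It assumes `openssl` is on the PATH and a bundle laid out like ca-root-nss.crt; the script name check-bundle.sh and the paths and indices in the usage comment are illustrative.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenVPN/FreeBSD.
# Finds the entries in a PEM CA bundle that openssl(1) cannot parse as X.509
# certificates, and can write a copy of the bundle with one entry removed.
# Assumptions: openssl is on PATH, and the bundle is a concatenation of
# "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----" blocks with
# optional descriptive text between them (the layout of ca-root-nss.crt).

# Number of certificate entries in the bundle (0 if none).
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print entry N of the bundle (1-based, counting BEGIN CERTIFICATE lines,
# the same numbering as the perl one-liner in the comments) and nothing else.
pem_entry() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; if (n == want) inblock = 1 }
        inblock { print }
        /-----END CERTIFICATE-----/ { inblock = 0 }
    ' "$1"
}

# Print the index of every entry that openssl cannot parse, one per line.
# Output is empty when every entry parses.
bad_entries() {
    total=$(pem_count "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        pem_entry "$1" "$i" | openssl x509 -noout -subject >/dev/null 2>&1 || echo "$i"
        i=$((i + 1))
    done
}

# Human-readable report: index, status and subject of every entry.
report() {
    total=$(pem_count "$1")
    i=1
    while [ "$i" -le "$total" ]; do
        if subject=$(pem_entry "$1" "$i" | openssl x509 -noout -subject 2>/dev/null); then
            printf '%4d  ok   %s\n' "$i" "$subject"
        else
            printf '%4d  BAD  does not parse as an X.509 certificate\n' "$i"
        fi
        i=$((i + 1))
    done
}

# Write the bundle to stdout without entry N. The entry is dropped together
# with the descriptive lines between the previous END line and its BEGIN line,
# which is what has to be deleted by hand as well.
drop_entry() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        { buf[++len] = $0 }
        /-----END CERTIFICATE-----/ {
            if (n != want) for (i = 1; i <= len; i++) print buf[i]
            len = 0; split("", buf)
        }
        END { for (i = 1; i <= len; i++) print buf[i] }
    ' "$1"
}

# Usage (paths and index are illustrative):
#   sh check-bundle.sh /usr/local/share/certs/ca-root-nss.crt              # report
#   sh check-bundle.sh /usr/local/share/certs/ca-root-nss.crt 128 > fixed.crt
case $# in
    1) report "$1" ;;
    2) drop_entry "$1" "$2" ;;
    *) ;;
esac
```

A parse failure in `openssl x509` is a good first indicator, but OpenVPN's loader applies its own checks, so match the reported index against the "entry N did not validate" message before deleting anything. Hand edits to /usr/local/share/certs/ca-root-nss.crt are also overwritten the next time the ca_root_nss port or package is updated, so either keep the patched copy under another path or, better, point OpenVPN's `ca` option at a file containing only the CA that actually issued your VPN peers' certificates; a 170-root browser bundle trusts far more issuers than a VPN needs.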
