OpenVPN: Create Client File with embedded or inline certificates

2

I have read everything I can find on the Web, and I am having trouble creating a client file which works.

I am using Tunnelblick on my iMac as a client and have successfully imported an .ovpn file with something like the following:

client
dev tun
proto tcp
remote [ip-address] 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca [inline]
cert [inline]
key [inline]

comp-lzo
verb 3

#   ca ca.crt
<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>

#   cert imac.crt
<cert>
-----BEGIN REQUEST-----

-----END REQUEST-----
</cert>

#   key imac.key
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

The [ip address] is a real ip address. The client is called imac, and I have comments where I think the appropriate data should come from.

The data was generated using easy-rsa, which generates the files, imac.key, imac.crt and imac.cert.

As I said, Tunnelblick successfully imports it, but when I try to connect I get the following messages:

OpenSSL: error:0906D06C:PEM routines:PEM_read_bio:no start line
OpenSSL: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

What do I do to get this to work?

Manngo

Posted 2017-09-12T06:34:19.810

Reputation: 161

SuperUser comes to mind. Also: Did you try native Tunnelblick configs, .tlbk? – gf_ – 2017-09-12T08:20:47.277

@gf_ I haven’t tried .tlbk. Isn’t that just a folder with an .ovpn file inside? – Manngo – 2017-09-12T08:25:29.620

@gf_ I’ll ask the question on SuperUser, and then delete it from here. Thanks – Manngo – 2017-09-12T08:26:43.540

If I read the docs correctly, it's one file with all stuff inside, but I could be wrong on that. – gf_ – 2017-09-12T08:37:58.860

By my reading of openvpn(8), inline files shouldn't have a separate crt [inline] option, just the tag-enclosure. – womble – 2017-09-13T04:09:46.237

@womble Thanks for that. I have removed those lines. – Manngo – 2017-09-13T04:45:54.363

Answers

2

#   cert imac.csr
<cert>
-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

That is wrong. That needs to be your certificate not the signing request. The signing request never gets used after the certificate is generated and can usually be deleted.

Zoredache

Posted 2017-09-12T06:34:19.810

Reputation: 18 453

Thanks for the answer. I’ll get back in a few minutes after I’ve done some more research on getting the certificate. – Manngo – 2017-09-12T07:05:30.090

I have rebuilt everything and copied the new data, including the imac.crt certificate across, but I am still getting the same issue. I have also edited the question to reflect your correction. – Manngo – 2017-09-12T07:55:22.060

You've still got a CSR in there. – womble – 2017-09-13T04:08:13.733

Thanks for the answer. The rest of the problems were due to the mess I had created in trying to get it all to work. I started again, and it’s all just fine. – Manngo – 2017-09-13T04:47:09.043
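
The two problems found in this thread (a signing request pasted into `<cert>`, and leftover `ca [inline]` style directives) can be caught before a profile is imported. The following check is an added example, not code from any poster or from OpenVPN; `lint_ovpn`, `profile` and the list of accepted PEM labels are assumptions of this example, and the sample profile is constructed.

```python
import re

# PEM labels accepted per inline block. Assumption of this example: only the
# common labels are listed; extend the sets if your PKI emits others.
EXPECTED = {
    "ca": {"CERTIFICATE"},
    "cert": {"CERTIFICATE"},
    "key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
            "ENCRYPTED PRIVATE KEY"},
}
BLOCK = re.compile(r"^<(ca|cert|key)>\s*$(.*?)^</\1>\s*$", re.M | re.S)
PEM = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
DIRECTIVE = re.compile(r"^(ca|cert|key)[ \t]+\[inline\][ \t]*$", re.M)


def lint_ovpn(text):
    """Return a list of problems found in the inline credentials of a profile."""
    problems = []
    # Per the comment on the question: the tag enclosure alone is enough.
    for m in DIRECTIVE.finditer(text):
        problems.append(f"drop directive '{m.group(0).strip()}'")
    blocks = dict(BLOCK.findall(text))
    for name, labels in EXPECTED.items():
        if name not in blocks:
            problems.append(f"<{name}> block missing or not closed")
            continue
        pem = PEM.search(blocks[name])
        if pem is None:
            problems.append(f"<{name}> contains no PEM object")
        elif pem.group(1) not in labels:
            problems.append(f"<{name}> holds '{pem.group(1)}', not a valid type for it")
        elif not pem.group(2).strip():
            problems.append(f"<{name}> PEM body is empty")
    return problems


def profile(cert_label, directives=""):
    """Build a constructed sample profile; the base64 body is a dummy value."""
    pem = lambda label: f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----"
    return (f"client\ndev tun\n{directives}"
            f"<ca>\n{pem('CERTIFICATE')}\n</ca>\n"
            f"<cert>\n{pem(cert_label)}\n</cert>\n"
            f"<key>\n{pem('PRIVATE KEY')}\n</key>\n")


if __name__ == "__main__":
    for p in lint_ovpn(profile("CERTIFICATE REQUEST", "ca [inline]\n")):
        print(p)
```

The check only inspects PEM labels and block structure; it does not verify that the certificate matches the key or chains to the CA.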