Why don't my certificates match?

3

I'm configuring a VPN with OpenVPN without an interface; the problem is that when I try to connect, it says:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

But I know that is not the problem, because I've tried it even with the firewalls disabled... so, trying to figure it out, I ran:

openssl verify -purpose any -CAfile ca.crt client1.crt

on the server and also on the client. The weird thing is that on the server everything's fine, but on the client it says:

error 20 at 0 depth lookup:unable to get local issuer certificate

I've tried with many certificates, and copying them in different ways... I am sure the crt's are the same, and I've also tried it with the complete route and so on...

Could somebody give me a hand with this?

The server is Ubuntu 12.04 and the client is CentOS 6.

If any other information is required, please tell me!

poz2k4444

Posted 2013-01-16T23:39:34.393

Reputation: 794

First, check your date and time. – Michael Mantion – 2013-01-17T07:48:38.310

Checked, still doesn't work... @MichaelMantion – poz2k4444 – 2013-01-17T19:36:47.300

Answers

0

What exactly are you trying to achieve? Should the server identify the client by its certificate (client authentication) or the other way around (or both)?

It sounds like the ca.crt is not the same on both machines. Or that intermediate certificates are missing (i.e. your CA certificate was signed by another CA that Ubuntu knows/trusts but CentOS does not).

Are you sure the certificate (client1.crt) is signed with the CA cert (ca.crt) and both files (i.e. client1.crt and ca.crt) are the same on both machines? When you execute

openssl x509 -in client1.crt -noout -text |grep Issuer

you should get the same output (on both machines) as when you do

openssl x509 -in ca.crt -noout -text |grep Subject |head -n1

(check the "CN" attribute).

You might also try

openssl verify -CAfile ca.crt client1.crt

on CentOS (skip the -purpose any part).

Did you check the logs? No hints in there?

If the problem persists and you can/want to share the information, the full output of

openssl x509 -in ca.crt -noout -text
openssl x509 -in client1.crt -noout -text

might be useful.


EDIT: Did you check this page on the OpenVPN internet site? TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

scherand

Posted 2013-01-16T23:39:34.393

Reputation: 259
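The checks the answer describes (Issuer of client1.crt against Subject of ca.crt, then openssl verify with and without the suspect CA) as one runnable script. This is an added example, not code from the question or the answer: it builds a throwaway test PKI with constructed names (Example VPN CA, client1, other-ca.crt) so that both the healthy case and the "wrong ca.crt on the client" case that produces error 20 can be seen side by side, and it adds a SHA-256 fingerprint comparison, which is the cheapest way to prove that the ca.crt on the server and the one on the client are really the same file.

```shell
#!/bin/sh
# Added example (not from the question or answer): replays the diagnosis steps
# against a throwaway PKI. All names and files below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed PKI: a self-signed CA, a client cert it signs, and an unrelated CA
# standing in for a ca.crt that was copied wrongly or belongs to a different CA.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Example VPN CA" -days 2 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -keyout client1.key -out client1.csr \
    -subj "/CN=client1" 2>/dev/null
  openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out client1.crt -days 2 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other-ca.crt \
    -subj "/CN=Some Other CA" -days 2 2>/dev/null
}

# Check 1 (from the answer): the client certificate's Issuer must equal the CA's
# Subject. The "issuer=" / "subject=" prefixes are stripped so the DNs compare.
issuer_matches_ca() {
  issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
  subject=$(openssl x509 -in "$2" -noout -subject | sed 's/^[^=]*=//')
  [ "$issuer" = "$subject" ]
}

# Check 2: a fingerprint to compare on both hosts. An equal CN is not enough;
# two different CAs can carry the same CN and the client still gets error 20.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Check 3: the verify call from the question. chain_verifies only reports
# success/failure; verify_reason prints OpenSSL's own explanation.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
verify_reason() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

make_pki
for ca in ca.crt other-ca.crt; do
  echo "== trusting $ca"
  if issuer_matches_ca client1.crt "$ca"; then
    echo "   Issuer of client1.crt == Subject of $ca"
  else
    echo "   Issuer of client1.crt != Subject of $ca"
  fi
  echo "   SHA-256 fingerprint of $ca: $(fingerprint "$ca")"
  echo "   openssl verify says: $(verify_reason "$ca" client1.crt)"
done
```

Run the fingerprint step on both the Ubuntu server and the CentOS client against their respective ca.crt: if the two digests differ, the files are not the same certificate no matter how alike their text output looks, and that alone explains "unable to get local issuer certificate" on one side only.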

Hey, thanks for the answer. Well, I want the authentication on both sides, just as the manual says is best... I ran the commands you wrote and the CN is the same... and the certificate is verified on the server but not on the client, same error as at the beginning. I won't share the outputs because I have some delicate information in them, but I assure you it's the same on both outputs... I also want to say that with another box with Ubuntu, the VPN works fine... the problem is just with CentOS, even when I disable SELinux... – poz2k4444 – 2013-01-17T22:36:07.257

What is the root CA (e.g. is the "Issuer" and the "Subject" information the same on ca.crt)? Do both systems trust the root CA? Could still be a problem with intermediate and/or root CA certificates, no? – scherand – 2013-01-18T07:20:36.737

For your first two questions the answer is yes... for the third one I'm not sure how to answer... I followed the OpenVPN manual... – poz2k4444 – 2013-01-18T19:05:30.713

And for the edit... yes, I know a little bit about networking, so it was the first step I took!! – poz2k4444 – 2013-01-19T02:08:16.500