
My server uses its server certificate when connecting as a client to another server.

  • webserver - server1.mydomain.com
  • openvpnserver - server2.mydomain.com

Server1 is a web server with SSL installed for *.mydomain.com

Server2 is an OpenVPN server I wish to connect Server1 to.

Server1 cannot connect to Server2 because it uses its own *.mydomain.com certificate and NOT the supplied and configured server1.crt when starting the OpenVPN request.

Is there a configuration for when to use the *.mydomain.com cert or when to use the server1.mydomain.com cert? Or maybe I can override this from the OpenVPN client conf?

Log file at OpenVPN server:

Thu Nov 13 08:44:16 2014 us=545958 192.168.1.1:43737 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: CN=*.mydomain.com

Client config:

client
dev tun
proto udp
remote server2.mydomain.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /root/vpn/ca.crt
cert /root/vpn/server1.crt
key /root/vpn/server1.key
ns-cert-type server
tls-auth /root/vpn/ta.key 1
comp-lzo
verb 3
mute 10

I've looked at the certificate again:

sudo openssl x509 -text -noout -in /root/vpn/server1.crt

My issue was stupidity, I've switched two certificates at some point.

Thijs
  • Could you post your OpenVPN client config (edit it into your question to keep the formatting)? – MadHatter Nov 13 '14 at 11:16
  • added it, don't know if you receive a message when I update something, so, hereby – Thijs Nov 13 '14 at 11:32
  • And this certificate `/root/vpn/server1.crt`: is this the certificate you wish it to use to connect with? – MadHatter Nov 13 '14 at 11:46
  • Yes, that is the one. – Thijs Nov 13 '14 at 11:53
  • Are you sure? Try `openssl x509 -text -noout -in /root/vpn/server1.crt` to be sure. It would also be useful to see the way you're starting openvpn: are you being specific about the config file? – MadHatter Nov 13 '14 at 11:55
  • Shame on me, a couple of hours troubleshooting while I had the wrong certificate, so stupid it's classic. Apologies for wasting your time MadHatter, your command to view the cert got me going in the right direction so kudos to you anyway. – Thijs Nov 13 '14 at 12:13
  • Well, I'm glad we got you fixed up! Hopefully the lesson you'll learn from this is not to regard anything as proven until you've established it yourself - and that is a useful lesson for all sysadmins. If you could accept my answer, that would be kind, and it will stop this question floating around forever like a querulous albatross. – MadHatter Nov 13 '14 at 12:18

1 Answer


So, the right way to use OpenSSL to confirm that you're using the right certificate is:

openssl x509 -text -noout -in /root/vpn/server1.crt

That will let you confirm that the certificate is indeed the one you think it is, or (as in this case) discover that it isn't.

MadHatter
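Reading the subject of the certificate, as the answer suggests, is the first step. A practitioner usually wants two more checks before blaming OpenVPN: that the private key in `key` actually belongs to the certificate in `cert`, and that the certificate chains to the CA in `ca`, which is exactly what the server verified and failed with "unable to get local issuer certificate". The script below is an added example, not part of the question or the answer; it uses only the `openssl` CLI, and the file paths passed to it are whatever your client config points at.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for an OpenVPN
# client's ca/cert/key triple before starting the tunnel.
set -eu

# Print subject and issuer, the same information "openssl x509 -text" shows,
# without the rest of the dump.
cert_identity() {
    openssl x509 -noout -subject -issuer -in "$1"
}

# Return 0 if the private key in $2 belongs to the certificate in $1.
# Compares the SubjectPublicKeyInfo blobs, so it works for RSA and EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate in $2 chains to the CA bundle in $1.
# A certificate from an unrelated issuer fails here with the same
# "unable to get local issuer certificate" message seen in the server log.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks against the files named by the ca/cert/key lines of an
# OpenVPN client config. Returns non-zero on the first failed check.
check_openvpn_client() {
    ca=$1 cert=$2 key=$3
    cert_identity "$cert"
    if ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $key is not the private key for $cert" >&2
        return 1
    fi
    if ! cert_chains_to_ca "$ca" "$cert"; then
        echo "FAIL: $cert does not chain to $ca" >&2
        return 1
    fi
    echo "OK: $cert matches $key and chains to $ca"
}

# Usage (paths are those from the question's client config):
#   check_openvpn_client /root/vpn/ca.crt /root/vpn/server1.crt /root/vpn/server1.key
```

Run it against the three paths from the client config; a swapped certificate, as in this case, fails the chain check even when the key happens to match, and a swapped key fails the first check. Separately, `ns-cert-type server` in the posted config is the pre-2.4 directive; OpenVPN 2.4 deprecated it in favour of `remote-cert-tls server`, which checks the extended key usage of the server certificate instead of the obsolete Netscape extension.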