Hi, on my way to getting OpenVPN working in full TLS mode I always see the following log messages, ending in a fatal error:
Code:
Thu Mar 23 12:13:12 2017 us=189137 OpenVPN 2.4.0 amd64-portbld-freebsd11.0 [SSL (OpenSSL)] [LZO] [LZ4] [MH/RECVDA] [AEAD] built on Jan 3 2017
Thu Mar 23 12:13:12 2017 us=189297 library versions: OpenSSL 1.0.2k-freebsd 26 Jan 2017, LZO 2.09
Thu Mar 23 12:13:12 2017 us=194280 Diffie-Hellman initialized with 4096 bit key
Thu Mar 23 12:13:12 2017 us=278443 Cannot load CA certificate file /etc/ssl/cert.pem (entry 129 did not validate)
Thu Mar 23 12:13:12 2017 us=289302 Cannot load CA certificate file /etc/ssl/cert.pem (only 171 of 172 entries were valid X509 names)
Thu Mar 23 12:13:12 2017 us=289496 Exiting due to fatal error
My setup includes key/cert issued by Let's Encrypt.
The system-wide CA file itself has been updated only recently:
Code:
lrwxr-xr-x 1 root wheel 38 18 Mar 02:14 /etc/ssl/cert.pem -> /usr/local/share/certs/ca-root-nss.crt
On OpenVPN-side my config is this (only the relevant parts here):
Code:
#ca /usr/local/share/certs/ca-root-nss.crt
ca /etc/ssl/cert.pem
cert /var/lib/acme/live/<hostname>/fullchain
key /var/lib/acme/live/<hostname>/privkey
dh /usr/local/etc/openvpn/tls/dh4096.pem
The interesting thing is that the very same key/cert works just fine in combination with nginx. So my conclusion is that key and cert are okay. That brings me to the remainder, the system-wide root CA file. By the looks of it, it is okay, too. Anyone who can help out or has solved this already? Thanks in advance.
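One way to narrow down "entry 129 did not validate" is to walk the bundle the same way a loader does, one PEM entry at a time. The following is an added example (not OpenVPN's code, and not from the original post): a stdlib-only Python triage script that numbers the CERTIFICATE blocks in file order, flags entries whose DER does not parse or whose subject Name is empty, and reports subjects that repeat earlier in the file. fake_cert_pem builds constructed Certificate-shaped skeletons for demonstration only; they are not real certificates.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos):  # decode one DER tag/length at pos -> (tag, value_start, value_end)
    tag, first = buf[pos], buf[pos + 1]
    n = first & 0x7F if first >= 0x80 else 0              # long form: number of length octets
    length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big") if 1 <= n <= 4 else first
    start = pos + 2 + n
    if (first >= 0x80 and not 1 <= n <= 4) or start + length > len(buf):
        raise ValueError("bad or oversized DER length")
    return tag, start, start + length

def children(buf, start, end):  # iterate the elements of a constructed DER value
    while start < end:
        tlv = der_tlv(buf, start)
        yield tlv
        start = tlv[2]

def subject_der(b64):
    """Raw DER of the certificate's subject Name, or a string saying why the entry fails."""
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
        tag, s, e = der_tlv(der, 0)
        if tag != 0x30 or e != len(der):
            return "not a single outer SEQUENCE"
        fields = list(children(der, *next(children(der, s, e))[1:]))   # tbsCertificate members
        fields = fields[1:] if fields and fields[0][0] == 0xA0 else fields  # drop EXPLICIT [0] version
        if len(fields) < 6 or fields[4][0] != 0x30:   # serial, sigAlg, issuer, validity, subject, spki
            return "tbsCertificate fields missing or subject is not a Name"
        return der[fields[4][1]:fields[4][2]] or "empty subject name"
    except (ValueError, IndexError, StopIteration) as exc:
        return f"parse failed: {exc}"

def triage_bundle(text):
    """1-based entry number -> problem (unparsable, empty subject, or duplicate subject)."""
    problems, seen = {}, {}
    for i, b64 in enumerate(PEM_RE.findall(text), 1):
        subj = subject_der(b64)
        if isinstance(subj, str):
            problems[i] = subj
        elif subj in seen:
            problems[i] = f"duplicate subject of entry {seen[subj]}"
        seen.setdefault(subj, i)
    return problems

def fake_cert_pem(subject):  # constructed test data: Certificate-shaped skeleton, NOT a real cert
    der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form lengths only
    name, empty = der(0x30, subject), der(0x30, b"")
    tbs = der(0x30, der(0x02, b"\x01") + empty + name + empty + name + empty)
    b64 = base64.b64encode(der(0x30, tbs + empty + der(0x03, b"\x00"))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Against a real file, `triage_bundle(open("/etc/ssl/cert.pem").read())` prints entry numbers in file order, so they can be compared with the "entry N" the OpenVPN log names.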