Thursday, 27 July 2017

Fixing OpenVPN certificate VERIFY ERROR problems on CentOS 7

[CentOS7:OpenVPN] VERIFY ERROR: depth=0, error=certificate signature failure

Problems

  • On CentOS 7, OpenVPN fails to make a connection to the VPN.
  • The same OpenVPN configuration used to work on CentOS 6.5.

Errors

Sat Aug 30 10:52:03 2014 OpenVPN 2.3.2 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Feb 14 2014
Sat Aug 30 10:52:06 2014 VERIFY OK: depth=1, C=XX, ST=XX, L=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 VERIFY ERROR: depth=0, error=certificate signature failure: C=XX, ST=MYTOWN, O=OpenVPN-Myprovider, CN=vpn.server.com, emailAddress=admin@vpn.server.com
Sat Aug 30 10:52:06 2014 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sat Aug 30 10:52:06 2014 TLS Error: TLS object -> incoming plaintext read error
Sat Aug 30 10:52:06 2014 TLS Error: TLS handshake failed
Sat Aug 30 10:52:06 2014 SIGUSR1[soft,tls-error] received, process restarting

Why did this happen?

The certificate used for OpenVPN is signed with an MD5 (or SHA1) digest, and CentOS 7 does not accept that by default.

How to resolve this problem?

There are two possible solutions:
  1. Generate a certificate without using MD5
  2. Enable MD5 support on CentOS 7

How to enable MD5 support on CentOS 7?

  • Temporarily enable it (for the current shell only):
export NSS_HASH_ALG_SUPPORT=+MD5
export OPENSSL_ENABLE_MD5_VERIFY=1
  • Enable MD5 support through NetworkManager:
$ sudo vim /usr/lib/systemd/system/NetworkManager.service
Append this to the unit file:
[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"
And restart the daemon:
$ sudo systemctl daemon-reload
$ sudo systemctl restart NetworkManager.service
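Before choosing between the two solutions it helps to know which certificate actually carries the MD5 signature, and if the workaround is kept, to set the environment variables in a way that survives package updates. The following script is an added example (not code from this post or from the CentOS forum threads it quotes): it reads the signature algorithm out of "openssl x509 -text" output, classifies it, and writes the two variables as a systemd drop-in under /etc/systemd/system/<unit>.d/ instead of editing the unit in /usr/lib/systemd/system, which a package upgrade would overwrite. The script name, the file names ca.pem and server.pem, and the drop-in name md5-legacy.conf are assumptions.

```shell
#!/bin/sh
# check_cert_digest.sh (added example, not from the original post).
# Reports whether a PEM certificate is signed with an MD5 digest, which
# CentOS 7's OpenSSL rejects unless OPENSSL_ENABLE_MD5_VERIFY=1 is set,
# and can install the workaround as a per-unit systemd drop-in.

# Read "openssl x509 -noout -text" output on stdin and return the
# certificate's signature algorithm (the first "Signature Algorithm:" line).
sig_alg_from_text() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Classify a signature algorithm name as openssl prints it.
classify_sig_alg() {
    case "$1" in
        md5*|MD5*) echo "rejected-by-default (MD5): reissue this certificate" ;;
        "")        echo "unknown: no Signature Algorithm line found" ;;
        *)         echo "accepted ($1)" ;;
    esac
}

# Run the check on one PEM file (needs the openssl binary on the host).
check_cert_file() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null | sig_alg_from_text)
    printf '%s: %s\n' "$1" "$(classify_sig_alg "$alg")"
}

# The drop-in body: the same Environment= line the post adds to the unit.
md5_dropin() {
    printf '[Service]\nEnvironment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"\n'
}

# Install the drop-in for one unit, e.g. "openvpn-client@.service" or
# "NetworkManager.service", so only that service sees the variables.
# Requires root; /etc/systemd/system/<unit>.d/ is not touched by updates.
install_md5_dropin() {
    unit=$1
    dir="/etc/systemd/system/${unit}.d"
    mkdir -p "$dir"
    md5_dropin > "${dir}/md5-legacy.conf"   # md5-legacy.conf is an assumed name
    systemctl daemon-reload
}

# Usage: ./check_cert_digest.sh ca.pem server.pem
for f in "$@"; do
    check_cert_file "$f"
done
```

Run it against both the CA certificate and the server certificate. In the log above, depth=1 (the CA) verifies fine and the "certificate signature failure" is at depth=0, so it is the signature the CA placed on the server certificate that uses MD5; reissuing that one certificate with a SHA-2 digest (solution 1) removes the need for the environment variables altogether.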


Original source: https://www.centos.org/forums/viewtopic.php?t=47210
I too ran into this problem, but I was not running NetworkManager so I did it (very) slightly differently.

I edited /usr/lib/systemd/system/openvpn-client@.service and added the "Environment" line to the "[Service]" section.

This way, only OpenVPN has the extra environment variables set.

My thanks for working out how to do this and yes the OpenVPN setup is scheduled to be upgraded. Adding the CentOS 7 system is the first step in that process.


#vi /usr/lib/systemd/system/openvpn-client@.service

------------------------------------- THIS WAS THE EARLIER VERSION -------
It took me a while to figure out why OpenVPN through NetworkManager was not working on CentOS 7 with old MD5 certificates but I found a solution.

in:
/usr/lib/systemd/system/NetworkManager.service

[Service]
Environment="OPENSSL_ENABLE_MD5_VERIFY=1 NSS_HASH_ALG_SUPPORT=+MD5"

systemctl daemon-reload
systemctl restart NetworkManager.service

The relevant error messages were:

nm-openvpn TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed


and on openssl verify -CAfile ca.pem cert.pem
error 7 at 0 depth lookup:certificate signature failure
139819312576416:error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm:a_verify.c:179: