OpenVPN 2.4.4 (LEDE 17.01.5) exits with error message (Cannot add certificate to certificate chain (X509_STORE_add_cert))

Good day,

I am trying to set up an OpenVPN server on my LEDE router. I have gone through the steps described in the tutorial here - https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive - but upon starting the openvpn daemon the following message is seen in the output:

Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Sat Oct 20 16:13:06 2018 daemon.warn openvpn(MYNETN750)[5277]: NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: Diffie-Hellman initialized with 2048 bit key
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!aNULL'
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!eNULL'
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!3DES'
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!MD5'
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!SHA'
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!PSK'
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!DSS'
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: No valid translation found for TLS cipher '!RC4'
Sat Oct 20 16:13:06 2018 daemon.err openvpn(MYNETN750)[5277]: OpenSSL: error:0B07C065:lib(11):func(124):reason(101)
Sat Oct 20 16:13:06 2018 daemon.err openvpn(MYNETN750)[5277]: Cannot add certificate to certificate chain (X509_STORE_add_cert)
Sat Oct 20 16:13:06 2018 daemon.notice openvpn(MYNETN750)[5277]: Exiting due to fatal error

Here is the output of /etc/ssl/openssl.cnf ; /etc/config/openvpn and /etc/ssl (ls -alR) - https://pastebin.com/K533tc77

Much help appreciated!

Have you been following this guide as well?
https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive

I thought I had got all the OpenSSL problems resolved, but am now seeing the exact same error as you.
Afraid I don't have an answer yet, but at least you know you are not alone!
My best guess is that I have messed something up with the chain of trust, but am not sure what.
I might delete everything and try again (and this time skip the client config until I am sure the server is working).

Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: OpenVPN 2.4.5 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: library versions: OpenSSL 1.0.2p  14 Aug 2018, LZO 2.10
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: Diffie-Hellman initialized with 2048 bit key
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!aNULL'
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!eNULL'
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!3DES'
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!MD5'
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!SHA'
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!PSK'
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!DSS'
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: No valid translation found for TLS cipher '!RC4'
Tue Oct 23 21:35:56 2018 daemon.err openvpn(vpnserver)[21621]: OpenSSL: error:0B07C065:lib(11):func(124):reason(101)
Tue Oct 23 21:35:56 2018 daemon.err openvpn(vpnserver)[21621]: Cannot add certificate to certificate chain (X509_STORE_add_cert)
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: Exiting due to fatal error

Hello,

I have the same problem with openwrt-18.06.1.
Someone please help.

Thanks...

If you can't handle the Comprehensive guide, you should consider the how-to:

Good evening,

As this issue was getting a bit annoying, I followed the link @vgaetera posted and I was able to set up an OpenVPN server.

Ah, good to know that the Basic Guide works.
Did you get any further figuring out what the X509 problem was?

I think I found an answer.

The issue is the PKCS12 cert likely wasn't created with the CA-ICA Chain cert.

  • Chain of trust: CA -> ICA -> VPN Server cert.

Certs should be signed with the ICA, with the PKCS12 created with the CA-ICA Chain as the CA.

  • That being said, the OpenSSL PKI wiki had the concatenation step misfiled under the section for creating the CRL. I corrected this on 10/18, with the step now where it should be as #3 under ICA, and my hunch is this is the root of the issue.
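The fix described in this post, as an added example that is not the thread's or the wiki's own commands: a throwaway CA -> ICA -> server chain is built with the openssl CLI, the server certificate is packaged as a PKCS12 with the CA-ICA chain supplied through -certfile, and the result is checked for all three certificates and a valid path to the root. Subject names, file names, the ext.cnf profile and the password changeit are constructed placeholders.

```shell
set -e
WORK=$(mktemp -d)
P12PASS=changeit   # constructed placeholder password for the PKCS12

# Extension profile per tier (hypothetical file; mirrors a CA -> ICA -> server layout)
cat > "$WORK/ext.cnf" <<'EOF'
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_ica]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF

# issue NAME SECTION [ISSUER]: key + CSR, then a cert self-signed or signed by ISSUER
issue() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/CN=Example $1" -out "$WORK/$1.csr" 2>/dev/null
  if [ -z "$3" ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
      -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 825 -extfile "$WORK/ext.cnf" -extensions "$2" \
      -out "$WORK/$1.crt" 2>/dev/null
  fi
}

# Certificates stored inside a PKCS12 (3 = server + ICA + CA, i.e. the full chain)
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$P12PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Does the server cert chain to the root through the ICA? (exit 0 = yes)
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" -untrusted "$WORK/ica.crt" "$WORK/server.crt" >/dev/null 2>&1
}

issue ca v3_ca                 # root CA (self-signed)
issue ica v3_ica ca            # intermediate, signed by the root
issue server v3_server ica     # VPN server cert, signed by the ICA
cat "$WORK/ica.crt" "$WORK/ca.crt" > "$WORK/chain.pem"   # CA-ICA chain, leaf-nearest first
openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
  -certfile "$WORK/chain.pem" -name vpnserver -passout "pass:$P12PASS" -out "$WORK/server.p12"
```

The OpenSSL code in the logs above, 0B07C065 (lib 11 = x509, func 124 = X509_STORE_add_cert, reason 101), decodes with `openssl errstr 0B07C065` to "cert already in hash table", i.e. the same certificate was offered to the trust store twice. So once the chain itself is right, it is also worth checking that the CA certificate is not present both inside the PKCS12 and in a separate ca option.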

@JW0914

Thank you for clarifying these steps! I will try the updated solution.