OpenVPN on WRT32X – Cannot load certificate file?

Hi,

I'm following this guide: https://openwrt.org/docs/guide-user/services/vpn/openvpn/server.setup#troubleshooting

...to install OpenVPN on my WRT32X running the latest https://davidc502sis.dynamic-dns.net/releases/

When I try to start openvpn, it fails with /tmp/openvpn.log reading:

Mon Aug 27 15:47:36 2018 library versions: OpenSSL 1.0.2o  27 Mar 2018, LZO 2.10
Mon Aug 27 15:47:36 2018 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D0C40D8:lib(13):func(196):reason(216)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0906700D:lib(9):func(103):reason(13)
Mon Aug 27 15:47:36 2018 OpenSSL: error:140AD009:lib(20):func(173):reason(9)
Mon Aug 27 15:47:36 2018 Cannot load certificate file /etc/openvpn/my-server.crt

The /etc/openvpn folder has the generated certs, and I can read them fine e.g. using cat /etc/openvpn/my-server.crt

Is there a part of the process I'm missing or a hidden permissions issue perhaps?

Thanks

Please perform the troubleshooting steps in the Troubleshooting section you linked to.

$ openssl errstr 0D0C40D8
error:0D0C40D8:asn1 encoding routines:c2i_ASN1_OBJECT:invalid object encoding

See if your cert file is corrupted (Windows newlines maybe?) or not in PEM format.
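The hex codes in the log can also be unpacked by hand, which shows the layer where the failure starts. This is an added example, not part of the thread: it assumes the OpenSSL 1.0.2 code layout (8 bits library, 12 bits function, 12 bits reason), takes the library and generic reason names from OpenSSL's `err.h`, and takes the one library-specific reason text from the `openssl errstr` output above.

```python
import re

# ERR_LIB_* numbers from OpenSSL's err.h (only the ones seen in this log).
LIBS = {9: "PEM", 13: "ASN1", 20: "SSL"}
# Reasons below 100 are generic ERR_R_* codes shared by every library.
GENERIC = {9: "PEM lib", 13: "ASN1 lib", 58: "nested asn1 error"}
# Library-specific reason, text as given by `openssl errstr` in the thread.
SPECIFIC = {(13, 216): "invalid object encoding"}

# Error lines copied from the /tmp/openvpn.log excerpt in the thread.
LOG = """\
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D0C40D8:lib(13):func(196):reason(216)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Mon Aug 27 15:47:36 2018 OpenSSL: error:0906700D:lib(9):func(103):reason(13)
Mon Aug 27 15:47:36 2018 OpenSSL: error:140AD009:lib(20):func(173):reason(9)
"""

LINE_RE = re.compile(
    r"error:([0-9A-Fa-f]{8}):lib\((\d+)\):func\((\d+)\):reason\((\d+)\)")

def unpack(code):
    """Split a packed OpenSSL 1.0.2 error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_log(text):
    """Return one dict per error line, in queue order (innermost failure first)."""
    entries = []
    for m in LINE_RE.finditer(text):
        lib, func, reason = unpack(int(m.group(1), 16))
        name = SPECIFIC.get((lib, reason))
        if name is None and reason < 100:
            name = GENERIC.get(reason)
        printed = tuple(int(g) for g in m.groups()[1:])
        entries.append({
            "code": m.group(1),
            "lib": LIBS.get(lib, "lib(%d)" % lib),
            "func": func,
            "reason": name or "reason(%d)" % reason,
            # The lib/func/reason printed in the log must match the packed code.
            "consistent": printed == (lib, func, reason),
        })
    return entries

def failing_layer(entries):
    """The first queued error is where the failure originated."""
    return entries[0]["lib"] if entries else None
```

Read top to bottom, the queue starts in the ASN.1 decoder and is then reported outward by the PEM and SSL layers, so the file was opened and read and the failure is in decoding its contents.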

Small change to server log, unable to start server so no client logs.

Tue Aug 28 20:06:00 2018 us=812080 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x.  Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Aug 28 20:06:00 2018 us=812684 Diffie-Hellman initialized with 2048 bit key
Tue Aug 28 20:06:00 2018 us=813016 OpenSSL: error:0D0C40D8:lib(13):func(196):reason(216)
Tue Aug 28 20:06:00 2018 us=813076 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Tue Aug 28 20:06:00 2018 us=813126 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Tue Aug 28 20:06:00 2018 us=813175 OpenSSL: error:0D08303A:lib(13):func(131):reason(58)
Tue Aug 28 20:06:00 2018 us=813226 OpenSSL: error:0906700D:lib(9):func(103):reason(13)
Tue Aug 28 20:06:00 2018 us=813274 OpenSSL: error:140AD009:lib(20):func(173):reason(9)
Tue Aug 28 20:06:00 2018 us=813316 Cannot load certificate file /etc/openvpn/my-server.crt
Tue Aug 28 20:06:00 2018 us=813356 Exiting due to fatal error

PEM, created directly on the router following those instructions.

file my-server.crt
my-server.crt: ASCII text
root@WRT32X:~# openssl x509 -in /etc/openvpn/my-server.crt -text -noout
unable to load certificate
3069179080:error:0D0C40D8:lib(13):func(196):reason(216):NA:0:
3069179080:error:0D08303A:lib(13):func(131):reason(58):NA:0:Field=algorithm, Type=X509_ALGOR
3069179080:error:0D08303A:lib(13):func(131):reason(58):NA:0:Field=signature, Type=X509_CINF
3069179080:error:0D08303A:lib(13):func(131):reason(58):NA:0:Field=cert_info, Type=X509
3069179080:error:0906700D:lib(9):func(103):reason(13):NA:0:

Try removing and reinstalling openssl-utils and openvpn-openssl (incl. libustream-openssl), as I had a similar issue months ago on my WRT1900ACS and it ended up being an issue with the openssl package I had compiled.

The OpenVPN Server (Basic) wiki generates certs properly, so this is definitely an issue with your WRT32X/environment.

  • If the above doesn't work, I'd be curious if the same result is had when using the most recent snapshot image or LEDE 17.01.5

To rule out if it's an error with malformed certs or the reading of the certs, try creating all the certs on a PC and transfer them to the router.

Just as a data point. I can and have generated plenty of certs on my WRT32X.

I have the same router and build and OpenVPN works fine for me.

I was having the same sort of issue, but with a different error code as I had placed my certs in the wrong folder.

Try building your PKI/certs from scratch on a different computer.

Hi, just to update anyone finding this thread – came back to it after a reset to default settings, and it worked first time. Not sure what I had done in the history of the previous install to cause a problem, but nonetheless resolved now.