Struggling to follow the Streamlined OpenSSL/OpenVPN Wiki steps

Version: OpenWrt 18.06.1, r7258-5eb055306f

I am trying to follow the Wiki guide found here: https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup and am starting to seriously struggle with the OpenSSL configs.

Following the first steps, I downloaded openssl.cnf, but I don't understand why it continually makes reference to "Sophos" when I am using OpenWRT; can I remove those entries? Heck, why is it linking to a Windows configuration file?

According to the next sections, I need to name my CA and ICA. What names do I use? A domain name? A random name?

Do I need to be concerned about the "Certificate authority clients" and "Intermediate Certificate authority clients"? If so, what values am I supposed to set there? I only want to generate the certs for OpenVPN, not websites or anything. I also don't follow why there are references to Sophos, FreeNAS etc.

The "Server Cert" section says to change my SAN IP and SAN DNS, but to what? The IP of my router, as that is my LAN DNS and where OpenVPN is running? Do I need to sign up for an Internet DDNS service before I can use OpenSSL?

Trying to run the first command here: https://wiki.openwrt.org/doc/howto/openvpn-streamlined-server-setup#tab__commands2 fails with "Error Loading extension section v3_vpn_server", and I certainly don't see anything in "openssl.cnf" that refers to "v3_vpn_server", but I can't see anything in the Wiki about creating this either.

Then when I get to the client section, does this really mean "username"? Do I have to somehow create new users on OpenWRT?

Sorry if this all seems too trivial, but I thought I understood the general concepts. Maybe it's an indication that I simply shouldn't be trying to set up OpenVPN.

New URL: https://openwrt.org/docs/guide-user/services/vpn/openvpn/comprehensive

The old page is for archival purposes only and does not receive updates any more.

Thanks! That one is a bit easier to follow, but I am still stuck at the "Servers" section where I need to change my SAN IP and DNS; I simply do not understand what I am supposed to change them to.

Do I make the SAN IP and DNS 127.0.0.1 (or 192.168.1.1 or router.domain.local), as those are the IPs/name of the router where OpenVPN and Dnsmasq are running; or are they meant to be something else?

You should consider the OpenVPN Basic guide:


Thanks. I think I have it figured out with the Comprehensive, but if that fails I'll switch to the Basic.

Gah! So close! But an error in the logs...

Tue Oct 23 21:35:56 2018 daemon.err openvpn(vpnserver)[21621]: OpenSSL: error:0B07C065:lib(11):func(124):reason(101)
Tue Oct 23 21:35:56 2018 daemon.err openvpn(vpnserver)[21621]: Cannot add certificate to certificate chain (X509_STORE_add_cert)
Tue Oct 23 21:35:56 2018 daemon.notice openvpn(vpnserver)[21621]: Exiting due to fatal error

I must have missed/messed a step with the SSL stuff. Think I'll try it once again...

Please follow the Troubleshooting section.

I'll also echo @vgaetera's advice above regarding the OpenVPN Basic wiki.

  • The basic wiki is intended to get the user up and running as quickly as possible, without having to have them understand the intricacies of configuring OpenVPN and generating certs via OpenSSL directly.

  • The OpenVPN Comprehensive wiki is intended for the user who wants to understand what each granular step in the process does, how to tune the configuration, and who has the time to thoroughly read the wiki and reference the linked-to wikis mentioned throughout the Comprehensive wiki.

Also, in case you've been working from the Comprehensive wiki over the past day or more, I've updated a few things in the wiki:

  • I removed TLS-Auth and replaced it with TLS-Crypt.
    • Client Config(s):
      1. Change xml tag <tls-auth> to <tls-crypt>
      2. Remove key-direction 1
    • Server Config:
      1. Change tls_auth '/etc/ssl/openvpn/tls-auth.key 0' to tls_crypt '/etc/ssl/openvpn/tls-crypt.key'
        • The key's contents don't change, only its name

I've just gone through the process again, I swear I followed every instruction exactly as it was written but I still get this error:

Tue Oct 30 15:51:50 2018 daemon.err openvpn(vpnserver)[13679]: OpenSSL: error:0B07C065:lib(11):func(124):reason(101)
Tue Oct 30 15:51:50 2018 daemon.err openvpn(vpnserver)[13679]: Cannot add certificate to certificate chain (X509_STORE_add_cert)
Tue Oct 30 15:51:50 2018 daemon.notice openvpn(vpnserver)[13679]: Exiting due to fatal error

I am not sure at what point I made a mistake; somewhere in OpenSSL? Seems I am not the only one.

I've been through the troubleshooting section, but couldn't find anything on that error.
I'm going to give up on the comprehensive guide and try the basic, see if I can get that to work.

Before I delete everything, I thought I'd try and verify the certs, but I must be making an error with the VPN Server cert:

openssl verify -verbose -CAfile ca/OpenWrt-CA.crt.pem ca/OpenVPN-ICA.crt.pem ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem
ca/OpenVPN-ICA.crt.pem: OK
ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem: OK
certs/vpn-server.crt.pem: C = XX, ST = XX, CN = XX
error 20 at 0 depth lookup:unable to get local issuer certificate

So I guess that explains why it won't load the p12 at run time; I just have no idea what could possibly be wrong. Yes, I did run "cat ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem >> certs/vpn-server.crt.pem"! :slight_smile:

Edit: hmm... but this is OK:

# openssl verify -verbose -CAfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem
certs/vpn-server.crt.pem: OK

I got it to start by adding this to /etc/config/openvpn:

'Option ca /etc/ssl/ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem'

Have I just configured OpenVPN in an insecure way, or is there a disconnect between the two parts of the Wiki?

The issue is the PKCS12 cert likely wasn't created with the CA-ICA Chain cert.

  • Chain of trust: CA -> ICA -> VPN Server cert.

Certs should be signed with the ICA, with the PKCS12 created with the CA-ICA Chain as the CA.

  • That being said, the OpenSSL PKI wiki had the concatenation step misfiled under the section for creating the CRL. I corrected this on 10/18, with the step now where it should be as #3 under ICA, and my hunch is this is the root of the issue.

openssl verify -verbose -CAfile ca/OpenWrt-CA.crt.pem ca/OpenVPN-ICA.crt.pem ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem

should likely be:

openssl verify -verbose -CAfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem certs/vpn-server.crt.pem

Pretty sure I did the concatenation step at the right time (as I remember doing it) and I am also pretty sure the only cert signed with the CA is the ICA one.

I just re-exported the p12 with the following (as per the OpenVPN wiki) and am back to getting the X509 error.

openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem \
  -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem

As soon as I add 'option ca', that problem goes away. I completely understand that somewhere the chain of trust is broken, I just can't see where. I'll go back and re-do everything again from the top, but I am pretty sure I followed both wikis exactly as they have been written.

One minor point: below the section on exporting the p12 in the OpenVPN wiki, I think it should warn you not to set an export passphrase (this warning is present in the OpenSSL wiki under "Servers", point 4).

After three further attempts I am sorry to confirm that all I get is an X509 error unless I use 'option ca'.

I took a glance through the Basic scripts in the hope they would show me where I or the instructions are wrong. I didn't see much, but the differences in configuration made it harder to spot anything. I did note it is also using 'option ca', but as I said, the configuration is rather different.

Something is wrong with your certs then, as ca should not be specified with pkcs12, since the CA is included within the PKCS12 cert.

  • Please post the ICA chain cert and Server cert (not keys) in text form (open each cert and copy/paste all contents).

What happens if you comment out the pkcs12 option, and add the required options for ca, cert, and key?

  • You should experience the same error
    • If you do not, then it's likely you either created the PKCS12 cert with the ICA cert, not the ICA chain cert, or CA cert.

  • There should be two certificate blocks in the ICA chain cert if opening it in a text editor. The first certificate block, which starts at the top of the file, should be the ICA cert, followed by the 2nd certificate block, which should be the CA.
    • The certificate blocks must be in this order

I assumed this would be inferred: if a passphrase should not be set on the server's PEM cert, it should be inferred that a passphrase should also not be set on the server's PKCS12 cert, else manual intervention will be required whenever the OpenVPN server starts or restarts.
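The two replies above (the one explaining the CA -> ICA -> server chain and the `openssl verify` invocation, and the one describing the required block order in the ICA chain file and the ca/cert/key fallback) can be checked mechanically. The script below is an added example, not code from the OpenWrt wiki or from anyone in this thread: it builds a throwaway CA, ICA and server cert, assembles the chain file with the ICA block first and the CA second, then runs the checks a practitioner would want before handing the PKCS12 to OpenVPN. Every name, path and extension-section body in it (including the contents of `v3_vpn_server`, which is only borrowed as a section name from the error message earlier in the thread) is an assumption made for the demo; it needs only the `openssl` CLI.

```shell
#!/bin/sh
# Added example, not from the OpenWrt wiki or this thread. Builds a throwaway
# CA -> ICA -> server PKI and checks the chain file and the PKCS12 built from it.
# All names, paths and extension contents below are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config. Section names are assumptions; an openssl.cnf that
# lacks the section named on the command line gives "Error Loading extension
# section <name>", which is the first error quoted in this thread.
write_config() {
  cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_ica]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_vpn_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vpn.example.test, IP:192.168.1.1
EOF
}

# Root CA (self-signed), ICA (signed by the CA), server cert (signed by the ICA only).
make_test_pki() {
  [ -f "$WORK/server.crt.pem" ] && return 0
  write_config
  openssl req -x509 -config "$WORK/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.crt.pem" -subj "/CN=Demo-CA" -days 2 2>/dev/null
  openssl req -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/ica.key.pem" -out "$WORK/ica.csr.pem" -subj "/CN=Demo-ICA" 2>/dev/null
  openssl x509 -req -in "$WORK/ica.csr.pem" -CA "$WORK/ca.crt.pem" -CAkey "$WORK/ca.key.pem" \
    -CAcreateserial -days 2 -extfile "$WORK/pki.cnf" -extensions v3_ica -out "$WORK/ica.crt.pem" 2>/dev/null
  openssl req -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key.pem" -out "$WORK/server.csr.pem" -subj "/CN=vpn.example.test" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr.pem" -CA "$WORK/ica.crt.pem" -CAkey "$WORK/ica.key.pem" \
    -CAcreateserial -days 2 -extfile "$WORK/pki.cnf" -extensions v3_vpn_server -out "$WORK/server.crt.pem" 2>/dev/null
  # Chain file in the order the reply above requires: ICA block first, then CA.
  cat "$WORK/ica.crt.pem" "$WORK/ca.crt.pem" > "$WORK/chain.crt.pem"
  # Deliberately wrong order, kept only so the order check below has something to catch.
  cat "$WORK/ca.crt.pem" "$WORK/ica.crt.pem" > "$WORK/wrong-order.crt.pem"
}

# The check that matches the thread's working command: chain file as trust store, server cert as leaf.
verify_with_chain() { openssl verify -CAfile "$WORK/chain.crt.pem" "$WORK/server.crt.pem"; }

# Only the root trusted and the ICA never presented: fails with error 20,
# "unable to get local issuer certificate", as seen in the thread.
verify_root_only() { openssl verify -CAfile "$WORK/ca.crt.pem" "$WORK/server.crt.pem"; }

# Extra positional files on an openssl verify line are more leaves to check, not
# intermediates; an intermediate that is not in the trust store belongs in -untrusted.
verify_with_untrusted() {
  openssl verify -CAfile "$WORK/ca.crt.pem" -untrusted "$WORK/ica.crt.pem" "$WORK/server.crt.pem"
}

# Order check: the first block of the chain file must be the server cert's issuer.
chain_order_ok() {
  first=$(awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" | openssl x509 -noout -subject | sed 's/^subject=//')
  issuer=$(openssl x509 -in "$WORK/server.crt.pem" -noout -issuer | sed 's/^issuer=//')
  [ "$first" = "$issuer" ]
}

# Build the PKCS12 the way the wiki command quoted above does (chain via -certfile,
# no export passphrase) and count the certificate blocks it carries: should be 3.
p12_cert_count() {
  openssl pkcs12 -export -out "$WORK/server.p12" -inkey "$WORK/server.key.pem" \
    -in "$WORK/server.crt.pem" -certfile "$WORK/chain.crt.pem" -passout pass:
  openssl pkcs12 -in "$WORK/server.p12" -nokeys -passin pass: 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

run_demo() {
  make_test_pki
  echo "== server cert against the ICA+CA chain file (expected OK)"; verify_with_chain
  echo "== server cert against the root only (expected error 20)"
  verify_root_only || echo "   failed as expected: the ICA was never presented"
  echo "== root trusted, ICA passed as -untrusted (expected OK)"; verify_with_untrusted
  chain_order_ok "$WORK/chain.crt.pem" && echo "== chain.crt.pem: ICA block first, order OK"
  chain_order_ok "$WORK/wrong-order.crt.pem" || echo "== wrong-order.crt.pem: CA block first, order wrong"
  echo "== certificate blocks inside the PKCS12: $(p12_cert_count) (expected 3)"
}
run_demo
```

Two things the script makes visible that the thread only states: `openssl verify` treats every extra positional file as another leaf to verify (which is why the long command in the thread reports the ICA and chain file as OK and the server cert as failing), and a PKCS12 built with `-certfile` on a two-block chain file really does carry three certificates, so an `option ca` line should be unnecessary once that p12 is correct.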

This morning I generated some more certs with identifying information removed so that I could post them. Lo and behold, those worked.
I have no idea why as all I did was follow the steps like last time.
I will try again tonight to create "proper" certificates again and see if those work.

Gah! I am a fool. I had forgotten that I had "option ca" set in the OpenVPN config; once I removed that, the x509 errors came back. Here are the certs I have just created:

ICA Chain Cert:

-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----

VPN Server Cert:

-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----

When I do this, I get no error. But I absolutely used the ICA-Chain cert as I copied and pasted this command from the wiki:

openssl pkcs12 -export -out openvpn/vpn-server.p12 -inkey openvpn/vpn-server.key.pem \
    -in certs/vpn-server.crt.pem -certfile ca/OpenWrt-OpenVPN_ICA-Chain.crt.pem

They appear to be in the correct order to my eyes.

Try removing the CA and ICA from the server cert, leaving only the server cert's block. My understanding from reading the OpenSSL documentation was that this could be done to allow a single cert to contain the entire chain of trust; however, I'm wondering if this is the cause of the issue.

  • If this doesn't solve the issue, and specifying the ICA chain cert with the ca option does, it seems the issue is with the PKCS12 cert, but as to what that issue could be, I don't have the slightest. I'd recommend creating a thread on the OpenVPN forum at that point, as I'm stumped.