Could not extract X509 subject string from certificate

I am trying to connect an OpenVPN server and client. The client shows the following error:

Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: TLS_ERROR: BIO read tls_read_plaintext error
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: TLS Error: TLS object -> incoming plaintext read error
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: TLS Error: TLS handshake failed
Thu Aug 15 12:40:02 2019 daemon.notice openvpn(default)[11009]: SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 15 12:40:02 2019 daemon.notice openvpn(default)[11009]: Restart pause, 5 second(s)

The server side shows:

Thu Aug 15 12:40:56 2019 172.16.6.29:43704 TLS: Initial packet from [AF_INET]172.16.6.29:43704, sid=0e770fea 5311df72
Thu Aug 15 12:41:02 2019 172.16.6.29:50066 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 15 12:41:02 2019 172.16.6.29:50066 TLS Error: TLS handshake failed
Thu Aug 15 12:41:02 2019 172.16.6.29:50066 SIGUSR1[soft,tls-error] received, client-instance restarting

This leads me to believe there is a problem with the client certificate, so I ran: openssl x509 -in /etc/x509/client-2ac25b1c6b5444958021851ab473013b.pem -text and got this output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c1:2d:1a:d7:cb:23:4f:fa:a2:57:8c:9c:34:0d:b3:94
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: 
        Validity
            Not Before: Aug 16 00:00:00 2019 GMT
            Not After : Aug 14 20:15:09 2024 GMT
        Subject: CN=08:00:27:6B:52:F3-08-00-27-25-34-89
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:53:7b:f8:cc:39:40:97:16:4f:f6:48:f3:c6:
                    fd:e2:bd:96:b1:87:6c:10:2d:b2:7f:52:8b:89:59:
                    0b:7b:b3:95:7f:64:e6:0b:8b:6e:b9:6f:1c:d8:8f:
                    a7:6d:e6:81:15:5a:b6:d4:76:01:28:e2:ca:95:f9:
                    a3:51:48:7d:9d:ba:a9:ea:90:8e:ea:48:08:f0:80:
                    58:39:4c:21:c1:cc:0d:55:11:d4:cf:16:0f:a8:3f:
                    63:4a:14:2b:00:8d:cf:58:9a:3c:8c:e9:1c:4d:f6:
                    8f:03:c5:7d:36:75:2d:39:8e:66:de:a6:bb:ad:7d:
                    2d:64:9c:25:27:d2:4e:74:21:e5:4f:05:34:6c:4c:
                    27:2b:d2:6e:83:6f:3e:53:19:c4:6b:2d:ab:1b:0a:
                    5a:33:b3:db:e7:4a:b7:bc:7d:24:58:6a:3d:a9:47:
                    27:cb:7d:bf:87:30:8c:ca:3c:1b:18:d1:9d:83:2e:
                    3f:2b:97:4b:7f:06:d1:e6:d1:8d:10:8c:62:52:87:
                    d0:6a:68:2d:7a:27:46:fa:68:5b:20:4e:04:45:19:
                    02:03:a9:ab:96:a4:54:a2:83:a4:96:b9:b0:b6:b5:
                    91:e3:16:2b:c5:87:46:eb:2c:8d:87:53:32:bb:e5:
                    7f:72:83:06:fe:af:41:be:e4:55:01:d2:ad:f2:d5:
                    6b:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                10:7D:D0:48:01:F5:D9:EC:D0:ED:52:9E:1F:37:E5:90:5B:7C:43:71
            X509v3 Authority Key Identifier: 
                keyid:1A:AA:C5:0D:66:77:5B:F9:C9:D5:5C:43:D5:8F:12:E2:D4:37:C1:67
                DirName:
                serial:1A:42:E0:FB:83:01:44:7D:A5:57:1C:99:85:2C:56:08

            Netscape Cert Type: 
                SSL Client
    Signature Algorithm: sha256WithRSAEncryption
         8e:5a:cb:a3:4d:43:6f:0f:88:76:fa:af:31:ef:ba:4a:98:02:
         25:82:b8:ba:dc:64:c9:97:ed:48:1d:31:de:e8:1f:a5:da:10:
         da:a9:15:b1:83:04:76:51:61:95:c4:97:15:d2:7b:4e:29:42:
         fb:42:b9:89:10:4c:db:26:8c:b1:13:a4:6f:46:82:53:c0:12:
         e1:61:0c:2c:89:6d:d6:e1:ca:93:43:f8:74:20:68:89:2a:21:
         ef:7b:7b:d3:d6:be:4e:e3:f6:34:18:72:b6:10:80:bd:43:d1:
         01:db:7c:59:ba:a6:3d:1b:de:9f:1f:c0:b5:6f:d8:3b:1e:b8:
         0a:6a:ed:ad:42:ce:c3:95:d6:70:ae:d2:79:82:1e:d7:af:24:
         f9:66:bc:4e:97:e5:3c:a1:93:3b:4e:60:f5:ea:d2:ec:5a:04:
         b0:06:7e:9f:66:b8:19:6f:33:cc:bf:c5:b7:36:85:67:45:c8:
         6c:23:32:04:5e:9f:a5:71:48:ce:ac:fc:74:76:ad:61:d6:10:
         65:bf:a0:2a:8d:04:32:bb:60:74:71:85:a9:96:5f:bb:5e:87:
         32:ad:a7:d3:08:fb:cc:09:35:9e:79:c8:47:a2:ee:63:4e:23:
         fe:c3:11:0a:16:84:8d:17:ea:f6:f2:31:15:d9:d1:26:f6:c0:
         93:32:bd:e0
-----BEGIN CERTIFICATE-----
MIIDRDCCAiygAwIBAgIRAMEtGtfLI0/6oleMnDQNs5QwDQYJKoZIhvcNAQELBQAw
ADAiGA8yMDE5MDgxNjAwMDAwMFoYDzIwMjQwODE0MjAxNTA5WjAuMSwwKgYDVQQD
DCMwODowMDoyNzo2Qjo1MjpGMy0wOC0wMC0yNy0yNS0zNC04OTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANRTe/jMOUCXFk/2SPPG/eK9lrGHbBAtsn9S
i4lZC3uzlX9k5guLbrlvHNiPp23mgRVattR2ASjiypX5o1FIfZ26qeqQjupICPCA
WDlMIcHMDVUR1M8WD6g/Y0oUKwCNz1iaPIzpHE32jwPFfTZ1LTmOZt6mu619LWSc
JSfSTnQh5U8FNGxMJyvSboNvPlMZxGstqxsKWjOz2+dKt7x9JFhqPalHJ8t9v4cw
jMo8GxjRnYMuPyuXS38G0ebRjRCMYlKH0GpoLXonRvpoWyBOBEUZAgOpq5akVKKD
pJa5sLa1keMWK8WHRussjYdTMrvlf3KDBv6vQb7kVQHSrfLVaxMCAwEAAaOBhjCB
gzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQUEH3QSAH12ezQ7VKe
HzflkFt8Q3EwNwYDVR0jBDAwLoAUGqrFDWZ3W/nJ1VxD1Y8S4tQ3wWehBKQCMACC
EBpC4PuDAUR9pVccmYUsVggwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3DQEB
CwUAA4IBAQCOWsujTUNvD4h2+q8x77pKmAIlgri63GTJl+1IHTHe6B+l2hDaqRWx
gwR2UWGVxJcV0ntOKUL7QrmJEEzbJoyxE6RvRoJTwBLhYQwsiW3W4cqTQ/h0IGiJ
KiHve3vT1r5O4/Y0GHK2EIC9Q9EB23xZuqY9G96fH8C1b9g7HrgKau2tQs7DldZw
rtJ5gh7XryT5ZrxOl+U8oZM7TmD16tLsWgSwBn6fZrgZbzPMv8W3NoVnRchsIzIE
Xp+lcUjOrPx0dq1h1hBlv6AqjQQyu2B0cYWpll+7XocyrafTCPvMCTWeechHou5j
TiP+wxEKFoSNF+r28jEV2dEm9sCTMr3g
-----END CERTIFICATE-----

OpenVPN configuration:

config openvpn 'default'
        option auth 'SHA1'
        option ca '/etc/x509/ca-1-.pem'
        option cert '/etc/x509/client-2ac25b1c6b5444958021851ab473013b.pem'
        option cipher 'none'
        option comp_lzo 'no'
        option dev 'tun0'
        option dev_type 'tun'
        option enabled '1'
        option fast_io '1'
        option float '0'
        option fragment '0'
        option keepalive '10 120'
        option key '/etc/x509/key-2ac25b1c6b5444958021851ab473013b.pem'
        option mode 'p2p'
        option mssfix '1450'
        option mute '0'
        option mute_replay_warnings '0'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option proto 'udp'
        option pull '1'
        list remote 'openvpn 1194'
        option reneg_sec '0'
        option resolv_retry 'infinite'
        option script_security '1'
        option tls_client '1'
        option tls_timeout '0'
        option verb '3'

(Device hostname: 08-00-27-25-34-89)

Any pointers that help to understand and solve this problem would be appreciated.

Answer 1

    Issuer: 
    ...
    Subject: CN=08:00:27:6B:52:F3-08-00-27-25-34-89

The issuer is completely empty.

... VERIFY ERROR: depth=1, could not extract X509 subject string from certificate

It looks like OpenVPN cannot handle an empty issuer.

This is not unexpected, since an empty issuer does not make much sense. So whoever created the CA certificate should make sure that the CA certificate's subject (and with it the issuer of the certificates it signs) contains a subject that describes the issuer, rather than leaving all fields (common name, etc.) empty.
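As an added example (not part of the question or the answer): a small stdlib-only Python check that walks the DER of the client certificate posted above and returns its issuer and subject Names, so the blank "Issuer:" line openssl printed shows up as an empty string before the certificate is ever handed to OpenVPN. The DER walker is written here just for this check (it handles only what X.509 Names need); the PEM is the one from the question.

```python
import base64, re
# The client certificate from the question, copied verbatim from the openssl output above.
CLIENT_PEM = """-----BEGIN CERTIFICATE-----
MIIDRDCCAiygAwIBAgIRAMEtGtfLI0/6oleMnDQNs5QwDQYJKoZIhvcNAQELBQAw
ADAiGA8yMDE5MDgxNjAwMDAwMFoYDzIwMjQwODE0MjAxNTA5WjAuMSwwKgYDVQQD
DCMwODowMDoyNzo2Qjo1MjpGMy0wOC0wMC0yNy0yNS0zNC04OTCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBANRTe/jMOUCXFk/2SPPG/eK9lrGHbBAtsn9S
i4lZC3uzlX9k5guLbrlvHNiPp23mgRVattR2ASjiypX5o1FIfZ26qeqQjupICPCA
WDlMIcHMDVUR1M8WD6g/Y0oUKwCNz1iaPIzpHE32jwPFfTZ1LTmOZt6mu619LWSc
JSfSTnQh5U8FNGxMJyvSboNvPlMZxGstqxsKWjOz2+dKt7x9JFhqPalHJ8t9v4cw
jMo8GxjRnYMuPyuXS38G0ebRjRCMYlKH0GpoLXonRvpoWyBOBEUZAgOpq5akVKKD
pJa5sLa1keMWK8WHRussjYdTMrvlf3KDBv6vQb7kVQHSrfLVaxMCAwEAAaOBhjCB
gzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQUEH3QSAH12ezQ7VKe
HzflkFt8Q3EwNwYDVR0jBDAwLoAUGqrFDWZ3W/nJ1VxD1Y8S4tQ3wWehBKQCMACC
EBpC4PuDAUR9pVccmYUsVggwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3DQEB
CwUAA4IBAQCOWsujTUNvD4h2+q8x77pKmAIlgri63GTJl+1IHTHe6B+l2hDaqRWx
gwR2UWGVxJcV0ntOKUL7QrmJEEzbJoyxE6RvRoJTwBLhYQwsiW3W4cqTQ/h0IGiJ
KiHve3vT1r5O4/Y0GHK2EIC9Q9EB23xZuqY9G96fH8C1b9g7HrgKau2tQs7DldZw
rtJ5gh7XryT5ZrxOl+U8oZM7TmD16tLsWgSwBn6fZrgZbzPMv8W3NoVnRchsIzIE
Xp+lcUjOrPx0dq1h1hBlv6AqjQQyu2B0cYWpll+7XocyrafTCPvMCTWeechHou5j
TiP+wxEKFoSNF+r28jEV2dEm9sCTMr3g
-----END CERTIFICATE-----"""

def elements(buf):
    """Yield (tag, value) for each DER TLV in buf (short and long length forms)."""
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                    # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def name_to_str(name):
    """Render an X.501 Name the way openssl prints it; an empty Name (DER 30 00) gives ''."""
    parts = []
    for _, rdn in elements(name):            # Name is SEQUENCE OF RelativeDistinguishedName
        for _, atv in elements(rdn):         # each RDN is SET OF AttributeTypeAndValue
            (_, oid), (_, val) = elements(atv)   # AttributeTypeAndValue = SEQUENCE {OID, value}
            label = "CN" if oid == b"\x55\x04\x03" else oid.hex()   # 2.5.4.3 = commonName
            parts.append(f"{label}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def check_names(pem):
    """(issuer, subject) of a PEM cert; TBS field order: serial, sigAlg, issuer, validity, subject."""
    der = base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))
    _, tbs = next(elements(next(elements(der))[1]))              # Certificate -> tbsCertificate
    fields = [val for tag, val in elements(tbs) if tag != 0xA0]  # drop the [0] EXPLICIT version
    return name_to_str(fields[2]), name_to_str(fields[4])
```

The same check from the shell is `openssl x509 -in client.pem -noout -issuer -subject`; an issuer line with nothing after `issuer=` is the condition to fix on the CA before re-issuing.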