How to set up an OpenVPN server to accept a server certificate as a client certificate

I am setting up a LAN-to-LAN VPN with openvpn. To simplify certificate management, I want to reuse the server certificate that already exists on each host. I have set remote-cert-tls server in the configuration file, but I still get this error:

Sun Aug 10 19:33:45 2014 176.126.242.99:37837 VERIFY ERROR: depth=0, error=unsupported certificate purpose: C=GB, ST=x, L=x, O=x x, OU=x, CN=x.x.x
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS_ERROR: BIO read tls_read_plaintext error: error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS Error: TLS object -> incoming plaintext read error
Sun Aug 10 19:33:45 2014 176.126.242.99:37837 TLS Error: TLS handshake failed

The client certificate looks like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=y, ST=y, L=y, O=y y, OU=y, CN=y
        Validity
            Not Before: Aug  9 13:23:53 2014 GMT
            Not After : Aug  9 13:23:53 2015 GMT
        Subject: C=x, ST=x, L=x, O=x, OU=x, CN=x
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Signed by y y
            X509v3 Subject Key Identifier:
                ...
            X509v3 Subject Alternative Name:
                DNS:x.x.x
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Authority Key Identifier:
                ...
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection

I don't understand which feature of the certificate file actually causes the error, or what I need to change in the configuration file to fix it.

Edit

For more details, see the server and client configurations:

server 172.19.1.0 255.255.255.0
local 192.168.10.10
port 1195
proto udp
dev tun

ca /etc/ssl/certs/me.pem
cert /etc/ssl/certs/local/server.crt
key /etc/ssl/private/server.key
dh dh1024.pem

ifconfig-pool-persist ipp.txt

keepalive 60 720
comp-lzo

user nobody
group nogroup

persist-key
persist-tun

status openvpn-status.log
verb 3

client
dev tun
proto udp
remote x.x.x 1195
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun

ca /etc/ssl/certs/me.pem
cert /etc/ssl/certs/local/server.crt
key /etc/ssl/private/server.key

ns-cert-type server
comp-lzo
verb 3
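The post above has no answer on this page; as an added example that is not from the original post, OpenVPN or OpenSSL, the following stdlib-only Python script parses the extension block of openssl x509 -text output (the format shown above) and applies the purpose rules OpenSSL uses when it validates a peer as an SSL client or SSL server: an absent extension is ignored, but Extended Key Usage, Netscape Cert Type and Key Usage must each fit the purpose when present. Run against the question's certificate it passes the server purpose but fails the client purpose on "Netscape Cert Type: SSL Server", which is the check behind OpenSSL's "unsupported certificate purpose" error; the dual-role variant with both nsCertType bits is a constructed assumption, not a certificate from the page.

```python
import re

# Constructed sample: the extension block of the certificate shown in the question above.
QUESTION_CERT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication, Code Signing, E-mail Protection
"""
# Constructed variant: the same certificate reissued with both nsCertType bits set.
DUAL_ROLE_CERT = QUESTION_CERT.replace("SSL Server\n", "SSL Client, SSL Server\n")

# Modelled on OpenSSL's check_purpose_ssl_client/_server (SGC EKUs omitted):
# purpose -> (required EKU, required nsCertType bit, keyUsage bits of which one must be set)
PURPOSE_RULES = {
    "client": ("TLS Web Client Authentication", "SSL Client", {"Digital Signature"}),
    "server": ("TLS Web Server Authentication", "SSL Server", {"Digital Signature", "Key Encipherment"}),
}

def parse_extensions(text):
    """Map each extension name in `openssl x509 -text` output to its comma-separated values."""
    exts, current = {}, None
    for line in text.splitlines():
        item = line.strip()
        header = re.fullmatch(r"(.+?):(?: critical)?", item)
        if header:                       # "Name:" or "Name: critical" starts an extension
            current = header.group(1)
            exts.setdefault(current, [])
        elif item and current is not None:
            exts[current].extend(v.strip() for v in item.split(","))
    return exts

def check_purpose(exts, purpose):
    """Return (ok, reason): an absent extension is skipped, a present one must fit the purpose."""
    eku, ns_bit, ku_bits = PURPOSE_RULES[purpose]
    rules = [
        ("X509v3 Extended Key Usage", lambda vals: eku in vals, eku),
        ("Netscape Cert Type", lambda vals: ns_bit in vals, ns_bit),
        ("X509v3 Key Usage", lambda vals: bool(ku_bits & set(vals)), " or ".join(sorted(ku_bits))),
    ]
    for name, accepts, needed in rules:
        if name in exts and not accepts(exts[name]):
            return False, f"{name} is present but lacks {needed}"
    return True, f"acceptable for purpose {purpose}"
```

Call check_purpose(parse_extensions(QUESTION_CERT), "client") to see the failing extension named; the same certificate checked for "server" is accepted.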
