Subject: German-language CAcert support list
List archive
- From: <hlehmbruch AT gmx.net>
- To: cacert-de AT lists.cacert.org
- Cc: michael AT weiller.eu
- Subject: Re: Question about the CaCert OpenVPN server...
- Date: Tue, 22 Nov 2011 20:40:06 +0100
On Tue, 22 Nov 2011 19:17:51 +0100, Michael Weiller <michael AT weiller.eu> wrote:
> Hello everyone,
>
> I have a question about the CaCert OpenVPN server (
> https://wiki.cacert.org/openVPN/CommunityTunnel) that
> Dominik George (
> https://wiki.cacert.org/Community/HomePagesMembers/DominikGeorge?action=show&redirect=DominikGeorge)
> set up for us.
>
> I use Linux as my operating system and tried to use the OpenVPN
> server following the wiki instructions.
> Unfortunately, I always get a TLS CERTIFICATE error when the
> certificate is verified.
>
> *# openvpn --config /home/weillerm/CAcertOpenVPN.ovpn
> Sun Nov 13 10:57:46 2011 OpenVPN 2.2.1 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Aug 13 2011
> Sun Nov 13 10:57:46 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
> Sun Nov 13 10:57:46 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Enter Private Key Password:
> Sun Nov 13 10:57:51 2011 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
> Sun Nov 13 10:57:51 2011 WARNING: file '/home/weillerm/Downloads/cacertweillereu-Cert.p12' is group or others accessible
> Sun Nov 13 10:57:51 2011 LZO compression initialized
> Sun Nov 13 10:57:51 2011 Attempting to establish TCP connection with 78.47.142.76:443 [nonblock]
> Sun Nov 13 10:57:52 2011 TCP connection established with 78.47.142.76:443
> Sun Nov 13 10:57:52 2011 TCPv4_CLIENT link local: [undef]
> Sun Nov 13 10:57:52 2011 TCPv4_CLIENT link remote: 78.47.142.76:443
> Sun Nov 13 10:57:55 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Sun Nov 13 10:57:55 2011 TLS Error: TLS object -> incoming plaintext read error
> Sun Nov 13 10:57:55 2011 TLS Error: TLS handshake failed
> Sun Nov 13 10:57:55 2011 Fatal TLS error (check_tls_errors_co), restarting
> Sun Nov 13 10:57:55 2011 SIGUSR1[soft,tls-error] received, process restarting
> Sun Nov 13 10:58:00 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
> Sun Nov 13 10:58:00 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Sun Nov 13 10:58:00 2011 Re-using SSL/TLS context
> Sun Nov 13 10:58:00 2011 LZO compression initialized
> Sun Nov 13 10:58:00 2011 Attempting to establish TCP connection with 78.47.142.76:443 [nonblock]
> Sun Nov 13 10:58:01 2011 TCP connection established with 78.47.142.76:443
> Sun Nov 13 10:58:01 2011 TCPv4_CLIENT link local: [undef]
> Sun Nov 13 10:58:01 2011 TCPv4_CLIENT link remote: 78.47.142.76:443
> Sun Nov 13 10:58:04 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Sun Nov 13 10:58:04 2011 TLS Error: TLS object -> incoming plaintext read error
> Sun Nov 13 10:58:04 2011 TLS Error: TLS handshake failed
> Sun Nov 13 10:58:04 2011 Fatal TLS error (check_tls_errors_co), restarting
> Sun Nov 13 10:58:04 2011 SIGUSR1[soft,tls-error] received, process restarting
> Sun Nov 13 10:58:09 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
> Sun Nov 13 10:58:09 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Sun Nov 13 10:58:09 2011 Re-using SSL/TLS context
> Sun Nov 13 10:58:09 2011 LZO compression initialized
> Sun Nov 13 10:58:09 2011 Attempting to establish TCP connection with 78.47.142.76:443 [nonblock]
> Sun Nov 13 10:58:10 2011 TCP connection established with 78.47.142.76:443
> Sun Nov 13 10:58:10 2011 TCPv4_CLIENT link local: [undef]
> Sun Nov 13 10:58:10 2011 TCPv4_CLIENT link remote: 78.47.142.76:443
> Sun Nov 13 10:58:13 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Sun Nov 13 10:58:13 2011 TLS Error: TLS object -> incoming plaintext read error
> Sun Nov 13 10:58:13 2011 TLS Error: TLS handshake failed
> Sun Nov 13 10:58:13 2011 Fatal TLS error (check_tls_errors_co), restarting
> Sun Nov 13 10:58:13 2011 SIGUSR1[soft,tls-error] received, process restarting
> Sun Nov 13 10:58:18 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
> Sun Nov 13 10:58:18 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Sun Nov 13 10:58:18 2011 Re-using SSL/TLS context
> Sun Nov 13 10:58:18 2011 LZO compression initialized
> Sun Nov 13 10:58:18 2011 Attempting to establish TCP connection with 78.47.142.76:443 [nonblock]
> Sun Nov 13 10:58:19 2011 TCP connection established with 78.47.142.76:443
> Sun Nov 13 10:58:19 2011 TCPv4_CLIENT link local: [undef]
> Sun Nov 13 10:58:19 2011 TCPv4_CLIENT link remote: 78.47.142.76:443
> Sun Nov 13 10:58:21 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Sun Nov 13 10:58:21 2011 TLS Error: TLS object -> incoming plaintext read error
> Sun Nov 13 10:58:21 2011 TLS Error: TLS handshake failed
> Sun Nov 13 10:58:21 2011 Fatal TLS error (check_tls_errors_co), restarting
> Sun Nov 13 10:58:21 2011 SIGUSR1[soft,tls-error] received, process restarting
> Sun Nov 13 10:58:26 2011 WARNING: Make sure you understand the semantics of --tls-remote before using it (see the man page).
> Sun Nov 13 10:58:26 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Sun Nov 13 10:58:26 2011 Re-using SSL/TLS context
> Sun Nov 13 10:58:26 2011 LZO compression initialized
> Sun Nov 13 10:58:26 2011 Attempting to establish TCP connection with 78.47.142.76:443 [nonblock]
> Sun Nov 13 10:58:27 2011 TCP connection established with 78.47.142.76:443
> Sun Nov 13 10:58:27 2011 TCPv4_CLIENT link local: [undef]
> Sun Nov 13 10:58:27 2011 TCPv4_CLIENT link remote: 78.47.142.76:443
> Sun Nov 13 10:58:30 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Sun Nov 13 10:58:30 2011 TLS Error: TLS object -> incoming plaintext read error
> Sun Nov 13 10:58:30 2011 TLS Error: TLS handshake failed
> Sun Nov 13 10:58:30 2011 Fatal TLS error (check_tls_errors_co), restarting
> Sun Nov 13 10:58:30 2011 SIGUSR1[soft,tls-error] received, process restarting
> Sun Nov 13 10:58:31 2011 SIGINT[hard,init_instance] received, process exiting*
>
>
> The config I used:
> *$ cat CAcertOpenVPN.ovpn
> dev tap
> client
> remote community-vpn.cacert.org 443
> resolv-retry infinite
> nobind
> proto tcp-client
> persist-key
> persist-tun
> comp-lzo
> pkcs12 /home/weillerm/Downloads/cacertweillereu-Cert.p12 # This is the file exported from Firefox after generating your client certificate
> tls-remote "/CN=community-vpn.cacert.org"*
>
>
> It would be great if someone could give me a tip on this.
>
> Regards
> Michael
Hello Michael,
Try the following config:
##########################################
dev tap0
client
remote community-vpn.cacert.org 443
resolv-retry 1
nobind
proto tcp-client
persist-key
persist-tun
comp-lzo
pkcs12 /weg/zu/deinem/xy.p12
askpass
auth-nocache
############################################
Regards, Hendrik
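
Added example, not part of either message: a small linter for the conditions the log and the two configs in this thread touch on (where the CA root comes from, whether the server identity is checked, passphrase caching, key-file permissions). The finding codes, function names and sample paths are assumptions made for illustration; the directive names are real OpenVPN options.

```python
import os
import shlex

# Options that tie the tunnel to one server identity or to server-type certificates.
SERVER_CHECKS = {"tls-remote", "verify-x509-name", "remote-cert-tls", "ns-cert-type"}

def parse_config(text):
    """Map each directive to its arguments; '#' and ';' comments are dropped."""
    directives = {}
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if tokens and not tokens[0].startswith(";"):
            directives[tokens[0]] = tokens[1:]
    return directives

def lint_client_config(text):
    """Return a sorted list of finding codes (hypothetical names) for a client config."""
    d = parse_config(text)
    findings = set()
    if "ca" not in d:
        # Without --ca the root must be inside the PKCS#12 bundle, or nothing
        # is available to verify the server certificate against.
        findings.add("ca-from-pkcs12-only" if "pkcs12" in d else "no-ca")
    if not SERVER_CHECKS & d.keys():
        # Any certificate issued by the CA would be accepted as the server.
        findings.add("no-server-identity-check")
    if "auth-nocache" not in d:
        findings.add("passphrase-cached")
    for key in ("pkcs12", "key"):
        path = (d.get(key) or [None])[0]
        if path and os.path.exists(path) and os.stat(path).st_mode & 0o077:
            findings.add("key-file-group-or-other-accessible")
    return sorted(findings)

# Constructed samples modelled on the two configs in the thread (paths are placeholders).
QUESTION_CFG = '''client
remote community-vpn.cacert.org 443
pkcs12 /nonexistent/client.p12  # exported from the browser
tls-remote "/CN=community-vpn.cacert.org"
'''
REPLY_CFG = '''client
remote community-vpn.cacert.org 443
pkcs12 /nonexistent/client.p12
askpass
auth-nocache
'''

if __name__ == "__main__":
    print(lint_client_config(QUESTION_CFG))
    print(lint_client_config(REPLY_CFG))
```

`openssl pkcs12 -in FILE -cacerts -nokeys` lists the CA certificates a bundle actually carries, which is the follow-up for a `ca-from-pkcs12-only` finding.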