New Member
Posts: 3
Registered: ‎04-17-2019

OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.crt" is not valid.

Hello All,

I've searched the internet and the UBNT community to find an answer to the issue I'm facing. I have the USG 3P and I'm trying to set up OpenVPN, but no matter what I do I can't seem to figure out what is wrong with the ca-cert-file.

I've used these guides to set up OpenVPN:

I've recreated the CA with easy-rsa on my Pi, but it keeps coming back with this error and fails to commit the JSON configuration pushed from the SDN Controller on my Pi.

I've done the following:

  1. On my Raspberry Pi - where the SDN Controller software is running - I installed easy-rsa and followed the steps provided in basically all the guides I've mentioned and more.
  2. I've copied the ca.crt, server.crt, server.key, dh2048.pem and ta.key to the /config/auth/ folder on my Raspberry Pi (also tried placing them directly on the USG in /config/auth).
  3. I created the JSON file below to set up my OpenVPN and did a force provision from the UniFi web interface, but get the error:

 

 mcad: ace_reporter.reporter_handle_response(): commit errors, {"COMMIT": {"error": "▒[ interfaces ethernet eth0 dhcp-options ]\nRenewing DHCP lease on eth0 ...\n\n▒1\n▒[ interfaces openvpn vtun0 ]\nOpenVPN configuration error: Specified ca-cert-file \"/config/auth/ca.crt\" is not valid.\n\n▒0\n▒[ service gui ]\nStarting the GUI service.\n\n▒1\n▒[ service dhcp-server ]\nStopping DHCP server daemon...\nStarting DHCP server daemon...\n\n▒1\nCommit failed\n", "failure": "1", "success": "1"}, "DELETE": {"failure": "0", "success": "1"}, "SESSION_ID": "_redacted_", "SET": {"failure": "0", "success": "1"}}#012

My config.gateway.json file:

{
 "firewall": {
  "name": {
   "WAN_LOCAL": {
    "rule": {
     "20": {
      "action": "accept",
      "description": "Allow OpenVPN clients in",
      "destination": {
       "port": "1194"
      },
      "log": "enable",
      "protocol": "udp"
     }
    }
   }
  }
 },
 "interfaces": {
  "openvpn": {
   "vtun0": {
    "encryption": "aes256",
    "mode": "server",
    "server": {
     "push-route": [
      "_redacted_",
      "_redacted_"
     ],
     "name-server": "_redacted_",
     "subnet": "_redacted_"
    },
    "openvpn-option": [
     "--keepalive 10 30",
     "--comp-lzo",
     "--max-clients 5",
     "--client-to-client",
     "--tls-version-min 1.2",
     "--user nobody --group nogroup",
     "--verb 1",
     "--proto udp",
     "--port 1194",
     "--dev tun",
     "--topology subnet",
     "--ifconfig-pool-persist /config/openvpn/ipp.txt",
     "--tls-auth /config/auth/ta.key 0",
     "--auth SHA384",
     "--cipher AES-256-CBC",
     "--persist-key",
     "--persist-tun",
     "--tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",
     "--remote-cert-tls client",
     "--push redirect-gateway def1"
    ],
    "tls": {
     "ca-cert-file": "/config/auth/ca.crt",
     "cert-file": "/config/auth/server.crt",
     "dh-file": "/config/auth/dh2048.pem",
     "key-file": "/config/auth/server.key"
    }
   }
  }
 },
 "service": {
  "nat": {
   "rule": {
    "5010": {
     "description": "Masquerade for WAN",
     "outbound-interface": "eth0",
     "type": "masquerade"
    }
   }
  }
 }
}

My vars file:

# easy-rsa parameter settings

# NOTE: If you installed from an RPM,
# don't edit this file in place in
# /usr/share/openvpn/easy-rsa --
# instead, you should copy the whole
# easy-rsa directory to another location
# (such as /etc/openvpn) so that your
# edits will not be wiped out by a future
# OpenVPN package upgrade.

# This variable should point to
# the top level of the easy-rsa
# tree.
export EASY_RSA="`pwd`"

#
# This variable should point to
# the requested executables
#
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"


# This variable should point to
# the openssl.cnf file included
# with easy-rsa.
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`

# Edit this variable to point to
# your soon-to-be-created key
# directory.
#
# WARNING: clean-all will do
# a rm -rf on this directory
# so make sure you define
# it correctly!
export KEY_DIR="$EASY_RSA/keys"

# Issue rm -rf warning
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR

# PKCS11 fixes
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"

# Increase this to 2048 if you
# are paranoid.  This will slow
# down TLS negotiation performance
# as well as the one-time DH parms
# generation process.
export KEY_SIZE=2048

# In how many days should the root CA key expire?
export CA_EXPIRE=36500   # <--- also tried just 3650

# In how many days should certificates expire?
export KEY_EXPIRE=36500   # <--- also tried just 3650

# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="changeme"
export KEY_PROVINCE="changeme"
export KEY_CITY="changeme"
export KEY_ORG="changeme"
export KEY_EMAIL="changeme"
export KEY_OU="changeme"

# X509 Subject Field
export KEY_NAME="EasyRSA"

# PKCS11 Smart Card
# export PKCS11_MODULE_PATH="/usr/lib/changeme.so"
# export PKCS11_PIN=1234

# If you'd like to sign all keys with the same Common Name, uncomment the KEY_CN export below
# You will also need to make sure your OpenVPN server config has the duplicate-cn option set
# export KEY_CN="CommonName"

# Custom <--- also tried without these custom fields
export KEY_DN="org"
export KEY_NS_SUPPORT="no"
export KEY_DIGEST="sha256"

Things I've tried:

  • Placed the files directly on the USG in the /config/auth folder
  • Regenerated the certificates from scratch using easy-rsa on my Raspberry Pi
  • Converted all the crt files to pem files
  • Verified that CA=true is set on the CA certificate
  • Manually added the configuration on the command line instead of using the JSON file, with --verb 7 set. This resulted in the same error with no additional information to help with the debugging.

Can anyone help me get this to work, or at least figure out with me why it concludes my cert is invalid? Is it simply not finding it, or am I doing something wrong? Is there a way to make logging show me more than just "invalid"?

Any help is greatly appreciated.

Regards,
Excorio

 

New Member
Posts: 3
Registered: ‎04-17-2019

Re: OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.crt" is not valid

Does anyone have any idea what I'm doing wrong or what is wrong with the CA certificate? Or does anyone have a way for me to debug this better?

Regards,

Excorio

New Member
Posts: 3
Registered: ‎04-17-2019

Re: OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.crt" is not valid

Is there no one who can assist me in getting this solved? Even if someone just explains to me how I can get more verbose logging so I can figure out what is wrong with the CA, I'll most likely be able to solve it on my own.

Regards,

Excorio

Emerging Member
Posts: 82
Registered: ‎08-08-2017
Kudos: 12
Solutions: 1

Re: OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.crt" is not valid

How did you generate the ca.crt? Was it with the most recent version of OpenVPN?

I have an ER8-XG, and a few months back, keys generated with OpenVPN version 2.4 would not work on some firmware versions. It had to do with the disconnect between the version of OpenVPN on the router and the version used to generate the crt.

You may be experiencing a similar problem.

Aside from that, check the ca.crt file format to make sure there aren't any extra characters... or try to compact the crt file all into one line...
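
An added check script for the two questions above, the OP's "is there a way to get more than just invalid" and this reply's "check the ca.crt format for extra characters". It is example code written for this thread, not UniFi, EdgeOS or easy-rsa code, and it does not reproduce whatever test the USG itself runs; the only assumptions are the /config/auth paths already used in the thread.

```shell
#!/bin/sh
# Added example for this thread (not EdgeOS, UniFi or easy-rsa code): the
# checks to run on the files in /config/auth before blaming the USG. It does
# not reproduce the USG's own "is not valid" test, which is not known here.

# Text-level checks that need no openssl: exactly one PEM block, no CRLF
# line endings, no UTF-8 BOM. These are the "extra characters" that a cert
# copied through Windows or pasted from an editor tends to pick up.
pem_text_ok() {
    f=$1
    [ -r "$f" ] || { echo "FAIL: $f is missing or unreadable"; return 1; }
    if [ "$(tr -d -c '\r' < "$f" | wc -c | tr -d ' ')" -gt 0 ]; then
        echo "FAIL: $f has CRLF line endings; strip them with: sed -i 's/\r\$//' $f"
        return 1
    fi
    if [ "$(head -c 3 "$f" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]; then
        echo "FAIL: $f starts with a UTF-8 byte-order mark"; return 1
    fi
    nb=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ne=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$nb" -ne 1 ] || [ "$ne" -ne 1 ]; then
        echo "FAIL: $f has $nb BEGIN / $ne END markers (want exactly one PEM certificate)"
        return 1
    fi
    echo "OK: $f is one clean PEM block"
}

# Cryptographic checks (need openssl): the CA parses as X.509, carries
# basicConstraints CA:TRUE, really signed server.crt, and server.key is the
# private key for server.crt. Any of these failing is a real config problem.
ca_checks() {
    ca=$1; crt=$2; key=$3
    openssl x509 -noout -in "$ca" 2>/dev/null \
        || { echo "FAIL: $ca does not parse as an X.509 certificate"; return 1; }
    openssl x509 -noout -text -in "$ca" | grep -q 'CA:TRUE' \
        || { echo "FAIL: $ca lacks basicConstraints CA:TRUE"; return 1; }
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: $crt does not chain to $ca (wrong CA, or expired?)"; return 1; }
    [ "$(openssl x509 -noout -modulus -in "$crt")" = "$(openssl rsa -noout -modulus -in "$key")" ] \
        || { echo "FAIL: $key is not the private key for $crt"; return 1; }
    echo "OK: CA, server cert and key are consistent"
    openssl x509 -noout -subject -dates -in "$ca"   # what the USG is actually being handed
}

# Usage on the USG (or on the Pi before copying), with the paths from the thread:
# for f in /config/auth/ca.crt /config/auth/server.crt; do pem_text_ok "$f"; done
# ca_checks /config/auth/ca.crt /config/auth/server.crt /config/auth/server.key
```

Run the text checks on every file you copied (ta.key and dh2048.pem included, swapping the BEGIN/END pattern accordingly), since a commit that stops at ca.crt will not tell you about the next broken file.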

Emerging Member
Posts: 82
Registered: ‎08-08-2017
Kudos: 12
Solutions: 1

Re: OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.crt" is not valid

A few other things to try....

--auth SHA512

--cipher AES-256-GCM

Emerging Member
Posts: 82
Registered: ‎08-08-2017
Kudos: 12
Solutions: 1

Re: OpenVPN configuration error: Specified ca-cert-file "/config/auth/ca.crt" is not valid

I think you have a CBC vs GCM disconnect in the statements below...


@excorio wrote:
     "--auth SHA384",
     "--cipher AES-256-CBC",
     "--persist-key",
     "--persist-tun",
     "--tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384",