Openvpn
OpenVPN client certificate error with "unsupported certificate purpose"
I followed these wiki instructions to generate an OpenVPN client certificate. This involves:
easyrsa gen-req client1 nopass
I tried to use this client1 certificate in my OpenVPN setup.
The server log shows the following (note: for security reasons the IP address has been changed from the public IP to 192.168.0.2):
192.168.0.2:5570 TLS: Initial packet from [AF_INET]192.168.0.2:5570, sid=1e71335b cc13ec8f
192.168.0.2:5570 VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client1
192.168.0.2:5570 OpenSSL: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
192.168.0.2:5570 TLS_ERROR: BIO read tls_read_plaintext error
192.168.0.2:5570 TLS Error: TLS object -> incoming plaintext read error
192.168.0.2:5570 TLS Error: TLS handshake failed
192.168.0.2:5570 SIGUSR1[soft,tls-error] received, client-instance restarting
So the specific error should be this one:
VERIFY ERROR: depth=0, error=unsupported certificate purpose: CN=client1
I checked the certificate with this command:
openssl x509 -in client1.crt -text -noout -purpose
The certificate purposes section of the output looks like this:
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
My questions:
- What is wrong with my client certificate?
- What should I do to generate a correct certificate?
The correct way to enable nsCertType is through the easyrsa vars file:
# Support deprecated "Netscape" extensions? (choices "yes" or "no".) The default
# is "no" to discourage use of deprecated extensions. If you require this
# feature to use with --ns-cert-type, set this to "yes" here. This support
# should be replaced with the more modern --remote-cert-tls feature. If you do
# not use --ns-cert-type in your configs, it is safe (and recommended) to leave
# this defined to "no". When set to "yes", server-signed certs get the
# nsCertType=server attribute, and also get any NS_COMMENT defined below in the
# nsComment field.
#set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_SUPPORT "yes"
The generated certificate has the following purposes:
X509v3 Extended Key Usage:
    TLS Web Client Authentication
X509v3 Key Usage:
    Digital Signature
Netscape Comment:
    Easy-RSA Generated Certificate
Netscape Cert Type:
    SSL Client
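As an added example (not code from the question or the answer), a small Python checker that reads the output of `openssl x509 -in client1.crt -text -noout -purpose` and reports whether the certificate will pass the purpose checks an OpenVPN server applies to a client certificate, for either --remote-cert-tls client or the deprecated --ns-cert-type client. The two samples are constructed from the outputs shown above; the assumption that --remote-cert-tls also requires a Key Usage extension to be present, and the "SSL client : Yes" purpose line for the fixed certificate, are this example's own.

```python
import re

def purpose(text, name):
    """True if the 'Certificate purposes:' section lists `name` as Yes."""
    m = re.search(rf"^{re.escape(name)} : (Yes|No)$", text, re.M)
    return bool(m) and m.group(1) == "Yes"

def extension(text, header):
    """Value openssl -text prints on the line below an extension header, or ''."""
    m = re.search(rf"^[ \t]*{re.escape(header)}:[^\n]*\n[ \t]*([^\n]*)", text, re.M)
    return m.group(1).strip() if m else ""

def check_client_cert(text, mode="remote-cert-tls"):
    """Return (ok, reason) for the purpose checks an OpenVPN server applies to a
    client certificate; mode is the server option: remote-cert-tls or ns-cert-type."""
    # First the handshake-level check: OpenSSL verifies the peer for the
    # 'SSL client' purpose, and 'No' here is the VERIFY ERROR seen in the log.
    if not purpose(text, "SSL client"):
        return False, "openssl reports 'SSL client : No' (unsupported certificate purpose)"
    if mode == "remote-cert-tls":
        eku = extension(text, "X509v3 Extended Key Usage")
        if "TLS Web Client Authentication" not in eku:
            return False, f"EKU is '{eku or 'absent'}', need TLS Web Client Authentication"
        if not extension(text, "X509v3 Key Usage"):  # assumed: KU must be present
            return False, "no Key Usage extension"
        return True, "EKU clientAuth and Key Usage present"
    if mode == "ns-cert-type":
        ns = extension(text, "Netscape Cert Type")
        if "SSL Client" not in ns:
            return False, f"nsCertType is '{ns or 'absent'}', need SSL Client"
        return True, "nsCertType SSL Client present"
    raise ValueError(f"unknown mode {mode!r}")

# Constructed samples: only the lines relevant to the check, after the outputs shown
# in the question (BAD) and the answer (GOOD); GOOD's purposes line is assumed.
BAD = """\
Certificate purposes:
SSL client : No
"""
GOOD = """\
X509v3 Extended Key Usage:
    TLS Web Client Authentication
X509v3 Key Usage:
    Digital Signature
Netscape Cert Type:
    SSL Client
Certificate purposes:
SSL client : Yes
"""
```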