Cannot load CA certificate file (ovpn and CA work on Windows but not Mac)

Lonnie Haynes

Sep 5, 2015, 8:50:43 AM
to tunnelbli...@googlegroups.com
This is my first experience using Tunnelblick and OpenVPN on a Mac. I do have another operable VPN implementation (Witopia using Viscosity) on this machine, which I have ensured is not active (e.g. no Witopia or Viscosity processes running) when I attempt to use Tunnelblick. Before posting, I searched "tunnelblick-discuss" but found nothing to resolve my scenario, which is:

I am using an ovpn, keys and certificates provided by a Service Provider and self-installed client VPN SW. These were used to successfully connect on Windows 8 and Windows 10 machines (using OpenVPN directly) but fail with Tunnelblick on my MacBookPro. The error message ("2015-09-04 18:00:33 Cannot load CA certificate file DWCdestinCA.crt (no entries were read) (OpenSSL)") seems to be the error. I have ensured that this file (along with the other two credentials files) is in the same directory as the supplied ovpn when I invoked Tunnelblick to "process" the ovpn to create its client.tblk file. I ensured that all the certificate files were included in the package contents of the resulting "~/Library/Application\ Support/Tunnelblick/Configurations/client.tblk". Thinking that the certificate file might not be readable, I successfully verified the file using "openssl x509 -in ~/Library/Application\ Support/Tunnelblick/Configurations/DWCdestinCA.crt -text -noout", whose sanitized output is included after the Tunnelblick Diagnostic Info attached below. Since the certificate file is present and readable, I installed the beta build over the Latest Stable build to ensure I had the latest and greatest, with the exact same result.

Any recommendations on next steps to resolve?   Thanks in advance for any/all suggestions. 


Tunnelblick Diagnostic Info

*Tunnelblick: OS X 10.10.5; Tunnelblick 3.6beta08 (build 4371); prior version 3.5.3 (build 4270.4371); Admin user


Configuration client


"Sanitized" condensed configuration file for /Users/lhaynes/Library/Application Support/Tunnelblick/Configurations/client.tblk:


client
dev tun
remote ISP.VPN.IP 443
proto tcp-client
tls-client
ca DWCdestinCA.crt
cert lonniecert.crt
key lonniecert.key
auth-user-pass
pull
nobind
persist-key
verb 3
cipher AES-256-CBC
auth SHA1



================================================================================


Non-Apple kexts that are loaded:


Index Refs Address            Size       Wired      Name (Version) <Linked Against>

  109    0 0xffffff7f80e62000 0x5000     0x5000     net.telestream.driver.TelestreamAudio (1.0.5) <108 5 4 3 1>


================================================================================


There are no unusual files in client.tblk


================================================================================


Configuration preferences:


-keychainHasPrivateKey = 1

-keychainHasUsernameAndPassword = 1

-lastConnectionSucceeded = 0


================================================================================


Wildcard preferences:



================================================================================


Program preferences:


launchAtNextLogin = 1

notOKToCheckThatIPAddressDidNotChangeAfterConnection = 0

askedUserIfOKToCheckThatIPAddressDidNotChangeAfterConnection = 1

tunnelblickVersionHistory = (

    "3.6beta08 (build 4371)",

    "3.5.3 (build 4270.4371)"

)

lastLaunchTime = 463100412.30692

connectionWindowDisplayCriteria = showWhenConnecting

maxLogDisplaySize = 102400

installationUID (not shown)

keyboardShortcutIndex = 1

updateCheckAutomatically = 1

updateSendProfileInfo = 1

NSWindow Frame ConnectingWindow = 645 631 389 187 0 0 1680 1027 

detailsWindowFrameVersion = 4270.4371

detailsWindowFrame = {{185, 196}, {908, 467}}

detailsWindowLeftFrame = {{0, 0}, {163, 350}}

leftNavSelectedDisplayName = client

haveDealtWithSparkle1dot5b6 = 1

haveDealtWithOldTunTapPreferences = 1

haveDealtWithOldLoginItem = 1

SUEnableAutomaticChecks = 1

SUFeedURL = https://www.tunnelblick.net/appcast-b.rss

SUScheduledCheckInterval = 86400

SUSendProfileInfo = 1

SULastCheckTime = 2015-09-04 23:00:12 +0000

SULastProfileSubmissionDate = 2015-08-31 21:23:37 +0000

SUHasLaunchedBefore = 1

WebKitDefaultFontSize = 16

WebKitStandardFont = Times


================================================================================


Tunnelblick Log:


2015-09-04 18:00:30 *Tunnelblick: OS X 10.10.5; Tunnelblick 3.6beta08 (build 4371); prior version 3.5.3 (build 4270.4371)

2015-09-04 18:00:32 *Tunnelblick: Attempting connection with client using shadow copy; Set nameserver = 1; monitoring connection

2015-09-04 18:00:32 *Tunnelblick: openvpnstart start client.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.3.6

2015-09-04 18:00:33 *Tunnelblick: openvpnstart log:

     OpenVPN started successfully. Command used to start OpenVPN (one argument per displayed line):

     

          /Applications/Tunnelblick.app/Contents/Resources/openvpn/openvpn-2.3.6/openvpn

          --daemon

          --log

          /Library/Application Support/Tunnelblick/Logs/-SUsers-Slhaynes-SLibrary-SApplication Support-STunnelblick-SConfigurations-Sclient.tblk-SContents-SResources-Sconfig.ovpn.1_0_1_0_16688.1337.openvpn.log

          --cd

          /Library/Application Support/Tunnelblick/Users/lhaynes/client.tblk/Contents/Resources

          --verb

          3

          --config

          /Library/Application Support/Tunnelblick/Users/lhaynes/client.tblk/Contents/Resources/config.ovpn

          --cd

          /Library/Application Support/Tunnelblick/Users/lhaynes/client.tblk/Contents/Resources

          --management

          127.0.0.1

          1337

          --management-query-passwords

          --management-hold

          --script-security

          2

          --up

          /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw

          --down

          /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -d -f -m -w -ptADGNWradsgnw


2015-09-04 18:00:32 OpenVPN 2.3.6 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [PKCS11] [MH] [IPv6] built on Jul 10 2015

2015-09-04 18:00:32 library versions: OpenSSL 1.0.2d 9 Jul 2015, LZO 2.09

2015-09-04 18:00:32 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337

2015-09-04 18:00:32 Need hold release from management interface, waiting...

2015-09-04 18:00:32 *Tunnelblick: openvpnstart starting OpenVPN

2015-09-04 18:00:33 *Tunnelblick: Established communication with OpenVPN

2015-09-04 18:00:33 *Tunnelblick: Obtained VPN username and password from the Keychain

2015-09-04 18:00:33 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337

2015-09-04 18:00:33 MANAGEMENT: CMD 'pid'

2015-09-04 18:00:33 MANAGEMENT: CMD 'state on'

2015-09-04 18:00:33 MANAGEMENT: CMD 'state'

2015-09-04 18:00:33 MANAGEMENT: CMD 'bytecount 1'

2015-09-04 18:00:33 MANAGEMENT: CMD 'hold release'

2015-09-04 18:00:33 MANAGEMENT: CMD 'username "Auth" "sanitized"'

2015-09-04 18:00:33 MANAGEMENT: CMD 'password [...]'

2015-09-04 18:00:33 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.

2015-09-04 18:00:33 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts

2015-09-04 18:00:33 *Tunnelblick: Obtained VPN passphrase from the Keychain

2015-09-04 18:00:33 MANAGEMENT: CMD 'password [...]'

2015-09-04 18:00:33 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

2015-09-04 18:00:33 MANAGEMENT: Client disconnected

2015-09-04 18:00:33 Cannot load CA certificate file DWCdestinCA.crt (no entries were read) (OpenSSL)

2015-09-04 18:00:33 Exiting due to fatal error

2015-09-04 18:00:35 *Tunnelblick: No 'post-disconnect.sh' script to execute

2015-09-04 18:00:35 *Tunnelblick: Expected disconnection occurred.


================================================================================


"Sanitized" full configuration file


client
dev tun
remote ISP.VPN.IP 443
proto tcp-client
tls-client
ca DWCdestinCA.crt
cert lonniecert.crt
key lonniecert.key
auth-user-pass
pull
nobind
persist-key
verb 3
cipher AES-256-CBC
auth SHA1




================================================================================


ifconfig output:


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

options=3<RXCSUM,TXCSUM>

inet6 ::1 prefixlen 128 

inet 127.0.0.1 netmask 0xff000000 

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1 

nd6 options=1<PERFORMNUD>

gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

stf0: flags=0<> mtu 1280

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

ether c8:bc:c8:d9:1a:2f 

inet6 fe80::cabc:c8ff:fed9:1a2f%en1 prefixlen 64 scopeid 0x4 

inet 172.16.1.102 netmask 0xffffff00 broadcast 172.16.1.255

nd6 options=1<PERFORMNUD>

media: autoselect

status: active

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

options=b<RXCSUM,TXCSUM,VLAN_HWTAGGING>

ether c8:bc:c8:90:7c:b0 

nd6 options=1<PERFORMNUD>

media: autoselect (none)

status: inactive

fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078

lladdr 78:ca:39:ff:fe:2f:b7:42 

nd6 options=1<PERFORMNUD>

media: autoselect <full-duplex>

status: inactive

p2p0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2304

ether 0a:bc:c8:d9:1a:2f 

media: autoselect

status: inactive


================================================================================


Console Log:


2015-09-04 16:51:54 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 16:51:54 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 16:51:54 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 16:51:54 tunnelblickd[5094] Status = 0 from tunnelblick-helper command 'compareShadowCopy client'

2015-09-04 16:52:11 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 16:52:11 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 16:52:11 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 16:52:11 tunnelblickd[5094] Status = 0 from tunnelblick-helper command 'compareShadowCopy client'

2015-09-04 16:52:12 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 16:52:12 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 16:52:12 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 16:52:12 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...

2015-09-04 16:52:13 tunnelblickd[5094] Status = 0 from tunnelblick-helper command 'start client.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.3.6'

2015-09-04 16:52:13 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'username'

2015-09-04 16:52:13 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'password'

2015-09-04 16:52:14 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'privateKey'

2015-09-04 16:52:15 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 16:52:15 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 16:52:16 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 16:52:16 tunnelblickd[5094] Status = 0 from tunnelblick-helper command 'postDisconnect client.tblk 1'

2015-09-04 17:02:06 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:02:06 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:02:06 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:02:06 tunnelblickd[5160] Status = 0 from tunnelblick-helper command 'compareShadowCopy client'

2015-09-04 17:02:07 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:02:07 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:02:07 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:02:07 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...

2015-09-04 17:02:08 tunnelblickd[5160] Status = 0 from tunnelblick-helper command 'start client.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.3.6'

2015-09-04 17:02:08 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'username'

2015-09-04 17:02:08 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'password'

2015-09-04 17:02:08 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'privateKey'

2015-09-04 17:02:10 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:02:10 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:02:10 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:02:10 tunnelblickd[5160] Status = 0 from tunnelblick-helper command 'postDisconnect client.tblk 1'

2015-09-04 17:23:27 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:23:27 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:23:27 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:23:27 tunnelblickd[5219] Status = 0 from tunnelblick-helper command 'compareShadowCopy client'

2015-09-04 17:36:19 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:36:19 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:36:19 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:36:19 tunnelblickd[5249] Status = 0 from tunnelblick-helper command 'compareShadowCopy client'

2015-09-04 17:36:20 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:36:20 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:36:20 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:36:20 tunnelblickd[5249] Status = 0 from tunnelblick-helper command 'printSanitizedConfigurationFile client.tblk 0'

2015-09-04 17:36:20 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:36:20 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:36:21 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:36:21 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...

2015-09-04 17:36:21 tunnelblickd[5249] Status = 0 from tunnelblick-helper command 'start client.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.3.6'

2015-09-04 17:36:22 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'username'

2015-09-04 17:36:22 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'password'

2015-09-04 17:36:22 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'privateKey'

2015-09-04 17:36:24 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:36:24 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:36:24 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:36:24 tunnelblickd[5249] Status = 0 from tunnelblick-helper command 'postDisconnect client.tblk 1'

2015-09-04 17:39:08 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:39:08 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:39:08 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:39:09 tunnelblickd[5268] Status = 0 from tunnelblick-helper command 'compareShadowCopy client'

2015-09-04 17:39:09 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:39:09 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:39:09 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:39:10 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.800000 seconds...

2015-09-04 17:39:10 tunnelblickd[5268] Status = 0 from tunnelblick-helper command 'start client.tblk 1337 1 0 1 0 16688 -ptADGNWradsgnw 2.3.6'

2015-09-04 17:39:10 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'username'

2015-09-04 17:39:10 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'password'

2015-09-04 17:39:11 Tunnelblick[374] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'privateKey'

2015-09-04 17:39:12 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:39:12 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:39:13 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:39:13 tunnelblickd[5268] Status = 0 from tunnelblick-helper command 'postDisconnect client.tblk 1'

2015-09-04 17:59:21 kernel[0] hfs: mounted Tunnelblick on device disk5s1

2015-09-04 17:59:21 mds[60] (Volume.Normal:2464) volume:0x7fe9830c9000 ********** Bootstrapped Creating a default store:1 SpotLoc:(null) SpotVerLoc:(null) occlude:0 /Volumes/Tunnelblick

2015-09-04 17:59:34 Tunnelblick[5324] Tunnelblick cannot run when it is on /Volumes because the volume has the MNT_NOSUID statfs flag set.

2015-09-04 17:59:50 Tunnelblick[374] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes

2015-09-04 17:59:51 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.100000 seconds...

2015-09-04 17:59:51 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.200000 seconds...

2015-09-04 17:59:51 Tunnelblick[374] runTunnelblickd: no data available from tunnelblickd socket; sleeping 0.400000 seconds...

2015-09-04 17:59:51 tunnelblickd[5336] Status = 0 from tunnelblick-helper command 'deleteLogs'

2015-09-04 17:59:51 Tunnelblick[374] Finished shutting down Tunnelblick; allowing termination

2015-09-04 17:59:58 Tunnelblick[5324] Beginning installation or repair

2015-09-04 17:59:58 authexec[5340] executing /Volumes/Tunnelblick/Tunnelblick.app/Contents/Resources/installer

2015-09-04 18:00:01 Tunnelblick[5324] Installation or repair succeeded; Log:

                                       Tunnelblick installer started 2015-09-04 17:59:58. 1 arguments: 0x0017

                                       Moved /Applications/Tunnelblick.app to the Trash

                                       Copied /Volumes/Tunnelblick/Tunnelblick.app to /Applications/Tunnelblick.app

                                       Changed ownership of /Applications/Tunnelblick.app and its contents from 501:20 to 0:0

                                       Changed permissions from 644 to 740 on /Users/lhaynes/Library/Application Support/Tunnelblick/Configurations/.DS_Store

                                       Changed permissions from 644 to 740 on /Users/lhaynes/Library/Application Support/Tunnelblick/Configurations/DWCdestinCA.crt

                                       Changed permissions from 644 to 740 on /Users/lhaynes/Library/Application Support/Tunnelblick/Configurations/lonniecert.crt

                                       Changed permissions from 644 to 740 on /Users/lhaynes/Library/Application Support/Tunnelblick/Configurations/lonniecert.key

                                       Used launchctl to load tunnelblickd

                                       Tunnelblick installer finished without error

2015-09-04 18:00:10 Tunnelblick[5324] applicationShouldTerminate: termination because of Quit; delayed until 'shutdownTunnelblick' finishes

2015-09-04 18:00:10 Tunnelblick[5324] Finished shutting down Tunnelblick; allowing termination

2015-09-04 18:00:11 Tunnelblick[5349] Set program update feedURL to https://www.tunnelblick.net/appcast-b.rss

2015-09-04 18:00:12 Tunnelblick[5349] DEBUG: Updater: systemVersion 10.10.5 satisfies minimumSystemVersion 10.4.0

2015-09-04 18:00:12 Tunnelblick[5349] DEBUG: Updater: systemVersion 10.10.5 satisfies minimumSystemVersion 10.4.0

2015-09-04 18:00:33 Tunnelblick[5349] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'username'

2015-09-04 18:00:33 Tunnelblick[5349] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'password'

2015-09-04 18:00:33 Tunnelblick[5349] Keychain item retrieved successfully for service = 'Tunnelblick-Auth-client' account = 'privateKey'


================================================================================


Sanitized output from OpenSSL x509 verification check:

 openssl x509 -in ~/Library/Application\ Support/Tunnelblick/Configurations/DWCdestinCA.crt -text -noout

Certificate:

    Data:

        Version: 3 (0x2)

        Serial Number: 1242450162 (0x4a0e48f2)

        Signature Algorithm: sha256WithRSAEncryption

        Issuer: CN=DWCdestinCA

        Validity

            Not Before: Aug 24 12:57:28 2015 GMT

            Not After : Aug 23 12:57:28 2016 GMT

        Subject: CN=DWCdestinCA

        Subject Public Key Info:

            Public Key Algorithm: rsaEncryption

            RSA Public Key: (2048 bit)

                Modulus (2048 bit):

                    00:c5:99:51:ad:80:0b:a0:56:e6:a0:fd:d9:d7:11:

                       -----rest sanitized----

                Exponent: 65537 (0x10001)

        X509v3 extensions:

            X509v3 Basic Constraints: critical

                CA:TRUE

            X509v3 Key Usage: critical

                Certificate Sign, CRL Sign

            X509v3 Subject Key Identifier: 

                46:82:17:1A:B7:39:7B:37:BE:2D:30:1D:EB:E2:83:80:CC:29:16:0F

            X509v3 CRL Distribution Points: 

                URI:http://sanitized/crl/1.crl


            Netscape Comment: 

                Generated by RouterOS

    Signature Algorithm: sha256WithRSAEncryption

        43:1c:ae:fb:9e:35:8c:44:09:45:27:a2:52:94:38:54:13:9d:

       -----rest sanitized----



jkbull...gmail.com

Sep 5, 2015, 9:11:28 AM
to tunnelblick-discuss
Thanks for providing so much good information.
  • Try creating your own ".tblk" and installing it by double-clicking. That does more thorough checking of the files than when you double-click a ".ovpn". See Creating and Installing a Tunnelblick VPN Configuration. tldr: Put the relevant files in a folder on your desktop, name the folder client.tblk (assuming you want the configuration named "client"), and double-click it.
  • Is it possible that there are CR-LF line endings in the CA file? On OS X, the correct line ending is LF and each of OpenVPN, OpenSSL, and OS X sometimes have problems with files with CR-LF endings. (Or could there be other "invisible" characters that are confusing OpenVPN?)

  • The OS X "openssl" command is heavily patched by Apple and may not work the same as the version of the OpenSSL library which Tunnelblick uses (which is not patched). It's unlikely, but possible, that the Apple version allows CR-LF, or allows something else that is in the file that the Tunnelblick version objects to.

  • I'm not sure about this, but make sure "DWCdestinCA.crt" is an ASCII file (not a .pem or something). At or near the start it should have a line like
-----BEGIN CERTIFICATE-----



Lonnie Haynes

Sep 5, 2015, 10:35:27 AM9/5/15
to tunnelblick-discuss
Thanks for the input.
1. Created my own .tblk as described in the link.   Same result (not reading CA file) but different message logged ("Options error: You must define CA file (--ca) or CA path (--capath)") but you can see from my first post that the ovpn file contains the "ca DWCdestinCA.crt" instruction.
2. In regards to your comment about the CR-LF in the CA file, how do I prove or disprove?    Textedit and Textwrangler both display the file without blank lines between the long string of characters between the "BEGIN CERTIFICATE" and "END CERTIFICATE" markers.  

Any other thoughts?

jkbull...gmail.com

Sep 5, 2015, 11:08:24 AM9/5/15
to tunnelblick-discuss
You could examine the file using a dump app such as Hex Fiend (a CR is "0D", a LF is "0A").

You can remove all CR characters in a file with the following command in /Applications/Utilities/Terminal:

tr -d \\r    < infile    > outfile


Replace infile and outfile with paths to the input and output files, respectively. For example:

tr -d \\r    < ~/Desktop/testin.txt    > ~/Desktop/testout.txt
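
The check and the fix from this reply, combined into one script. This is an added example, not part of the original thread or of Tunnelblick. The function names, file names and the sample certificate body are constructed for illustration, and the UTF-8 byte-order-mark check goes beyond the CR case discussed here, as one instance of the "invisible" characters mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example: find and strip CR bytes (and a UTF-8 BOM) in a PEM file.
# The sample certificate body used in demo() is constructed, not a real certificate.

# Print the number of CR (0x0D) bytes in the file.
count_cr() {
    tr -cd '\r' < "$1" | wc -c | tr -d ' '
}

# Return 0 if the file starts with a UTF-8 byte-order mark (EF BB BF).
has_bom() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "efbbbf" ]
}

# Write a cleaned copy (BOM and CRs removed); the original file is not modified.
normalize_pem() {
    src=$1
    dst=$2
    if has_bom "$src"; then
        tail -c +4 "$src" | tr -d '\r' > "$dst"
    else
        tr -d '\r' < "$src" > "$dst"
    fi
}

# Return 0 only if some line is exactly the PEM header, with no stray bytes.
has_clean_header() {
    grep -qxF -e '-----BEGIN CERTIFICATE-----' "$1"
}

demo() {
    dir=$(mktemp -d)
    # Constructed sample with CR-LF line endings, as a Windows tool might write it.
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGRw==' \
        '-----END CERTIFICATE-----' > "$dir/ca-crlf.crt"
    echo "CR bytes before: $(count_cr "$dir/ca-crlf.crt")"
    normalize_pem "$dir/ca-crlf.crt" "$dir/ca-lf.crt"
    echo "CR bytes after:  $(count_cr "$dir/ca-lf.crt")"
    if has_clean_header "$dir/ca-lf.crt"; then echo "header line is clean"; fi
    rm -rf "$dir"
}
demo
```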



Lonnie Haynes

Sep 5, 2015, 3:38:03 PM9/5/15
to tunnelblick-discuss
And that did the trick.  Many thanks, jkbull.

Note to anyone else on this same track: the Mac OS standard text file editor (TextEdit) does not complain and displays the ca file just fine. Only OpenVPN seems to mind. At any rate, I am happy to be working now.