where is the correct key file?


ehayes

Jun 30, 2010, 1:52:36 PM
to tunnelblick-discuss
Hi all, hopefully someone here can help. Yes, I am an engineer... but
I am IT impaired!

I am doing some work for a client which wants me to connect with
OpenVPN, and has sent me what is a tunnelblick conf file. I have that
all installed, I generated a csr for them, and got my cert back. But,
tunnelblick wants a .key file also.

my error:

2010-06-30 10:45:45 NOTE: the current --script-security setting may
allow this configuration to call user-defined scripts
2010-06-30 10:45:45 Cannot load private key file ehayes.key: error:
0B080074:x509 certificate routines:X509_check_private_key:key values
mismatch
2010-06-30 10:45:45 Error: private key password verification failed


Where do i get the correct key from?

Here's what I have tried:
- Exporting from Keychain Access... but, a .p12 file won't do it, I'm
pretty sure
- copy my id_rsa file from my .ssh folder & rename it ehayes.key
(that's the above error)
- Installed the Cert file they sent me back, which was accepted inside
of keychain, and shows as a twisty private key & certificate pair...
If the key is there, how do I get access to it?

I'm stuck... and confused, because there are 4 private keys showing
in my Keys section of Keychain Access.

much thanks to anyone who can help! (i can owe you a beer!)

-eric

jkbull...gmail.com

Jun 30, 2010, 2:38:20 PM
to tunnelblick-discuss
Can you clarify: Do you want to know where to GET the keys from? Or
where to PUT them once you have them?

Typically, you get the keys and certificates from whoever administers
the OpenVPN server. Depending on the configuration file, there may be
several .key, .crt, and .ca files.

OpenVPN does not read keys, certificates, etc. from the OS X Keychain.
It reads them from files, or, sometimes, from within the configuration
file itself.

Example:
Four files are specified in the configuration file as:
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
The four files (ca.crt, client1.crt, client1.key, and ta.key) would
all go in the same folder as the configuration file, typically
/Users/username/Library/Application Support/Tunnelblick/Configurations.

ehayes

Jun 30, 2010, 3:31:23 PM
to tunnelblick-discuss
Thanks for the response!

I think i have TunnelBlick correctly installed, and configured
correctly with their .conf file.

I am putting the files in the Configurations folder, so I'm pretty
sure that is good.

I found a way to convert my private key (from a .p12 to a PEM), and
now am getting prompted for a VPN passphrase (seems like progress).

Here's a somewhat obscured version of the conf file

client
;dev tap
dev tun
proto udp
remote xxx.xxx.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert ehayes.crt
key ehayes.key
comp-lzo
verb 3
route xxx.xxx.xxx.xxx 255.255.255.0
route xxx.xxx.xxx.xxx 255.255.255.0


And this error:

2010-06-30 12:00:38 Cannot load CA certificate file ca.crt path (null)
(SSL_CTX_load_verify_locations): error:02001002:system
library:fopen:No such file or directory: error:2006D080:BIO
routines:BIO_new_file:no such file: error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system lib


Is this passphrase something I am supposed to know? Or am I missing a
cert authority cert? I'll hit them up when it isn't 8PM their time.

Thanks for the help!!!

jkbull...gmail.com

Jun 30, 2010, 3:44:09 PM
to tunnelblick-discuss
Your configuration file specifies that you should have three files,
ca.crt, ehayes.crt, and ehayes.key, in the same folder as the
configuration file:

> ca ca.crt
> cert ehayes.crt
> key ehayes.key

From the error message in the log:

> 2010-06-30 12:00:38 Cannot load CA certificate file ca.crt path (null)
> (SSL_CTX_load_verify_locations): error:02001002:system
> library:fopen:No such file or directory: error:2006D080:BIO
> routines:BIO_new_file:no such file: error:0B084002:x509 certificate
> routines:X509_load_cert_crl_file:system lib

OpenVPN isn't finding the CA certificate file ca.crt. So you need to
put that file in the folder. You should get it from your client if
they haven't already sent it to you.

Good luck, and please let us know when you get it working or if you
have more questions.
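Both errors in this thread ("Cannot load CA certificate file ca.crt ... No such file or directory" and "X509_check_private_key:key values mismatch") can be caught before launching the VPN. The script below is an added example, not code from this thread, from Tunnelblick or from OpenVPN: it reads the ca/cert/key/tls-auth directives from a client config, checks that each named file exists next to the config (as the reply above describes), and compares the public key inside the certificate with the public key derived from the private key, which is the check OpenSSL performs when it reports "key values mismatch". The function names, the temporary sample config (a copy of the obscured config posted above) and the requirement that openssl is on the PATH for the match check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Tunnelblick's or OpenVPN's own code): sanity-check the
# files an OpenVPN client config points at before starting the VPN.
#   check_config_files - catches "fopen:No such file or directory" for ca.crt etc.
#   cert_matches_key   - catches "X509_check_private_key:key values mismatch"
# Function names and the sample config below are constructed for this example.

# Print the first argument of a directive ("ca", "cert", "key", "tls-auth")
# from an OpenVPN config. Lines starting with ';' or '#' are comments and
# never match because the directive must be the first word on the line.
config_arg() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# Every file a directive names must exist relative to the config's folder
# (for Tunnelblick: the Configurations folder). Lists what is missing and
# returns non-zero if anything is.
check_config_files() {
    cfg=$1
    dir=$(dirname "$cfg")
    missing=0
    for d in ca cert key tls-auth; do
        f=$(config_arg "$cfg" "$d")
        [ -z "$f" ] && continue
        case $f in /*) p=$f ;; *) p="$dir/$f" ;; esac
        if [ ! -f "$p" ]; then
            echo "missing: '$d $f' -> expected at $p"
            missing=1
        fi
    done
    return $missing
}

# "key values mismatch" means the private key does not belong to the
# certificate (for instance an SSH id_rsa renamed to ehayes.key). Compare the
# public key embedded in the certificate with the one derived from the
# private key. Needs openssl; an encrypted key will prompt for its passphrase.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Demo on a constructed copy of the obscured config from the thread, placed
# in a temporary folder with no certificate or key files beside it.
demo_dir=$(mktemp -d)
cat > "$demo_dir/client.conf" <<'EOF'
client
;dev tap
dev tun
proto udp
remote xxx.xxx.com 1194
ca ca.crt
cert ehayes.crt
key ehayes.key
EOF
echo "checking $demo_dir/client.conf:"
check_config_files "$demo_dir/client.conf" || echo "-> copy the missing files next to the config"
rm -rf "$demo_dir"
```

Run it against a real config with `check_config_files ~/Library/Application\ Support/Tunnelblick/Configurations/client.conf`, then `cert_matches_key ehayes.crt ehayes.key` from that folder; the second check only makes sense once the first one passes, since OpenVPN stops at the first file it cannot open.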

ehayes

Jun 30, 2010, 5:15:54 PM
to tunnelblick-discuss
thank you!!! will do!