Cannot load private key file my.key: error:06065064:digital envelope


Uwe

May 31, 2011, 12:08:57 AM
to tunnelblick-discuss
Hi,

I'm having trouble getting a new openvpn installation running with
tunnelblick. I'm not sure what's wrong.

First, when I copy my configuration files into Library/openvpn the file
permissions do not get updated as earlier. In earlier openvpn configs
I see that the *.conf file is changed with extended file attributes.
This does not happen now. I don't know if this is correct or not. The
permissions are below:
Uwes-MacBook-Pro:openvpn uwe$ ls -la provider1
total 40
drwx------ 7 uwe staff 238 30 Mai 21:55 .
drwxr-xr-x 17 uwe staff 578 31 Mai 05:53 ..
-rw-r--r-- 1 root wheel 333 30 Mai 21:55 myipaddress.conf
-rw-r--r-- 1 uwe staff 1334 30 Mai 21:55 ca.crt
-rw-r--r-- 1 uwe staff 3913 30 Mai 21:55 my.crt
-rw------- 1 uwe staff 951 30 Mai 21:55 my.key
-rw-r--r-- 1 uwe staff 54 30 Mai 21:55 vpn-start-myipaddress.bat

My logfile looks currently like this:

2011-05-31 05:42:38 *Tunnelblick: OS X 10.5.8; Tunnelblick 3.1.7 (build 2190.2413); OpenVPN 2.1.4
2011-05-31 05:42:39 *Tunnelblick: Attempting connection with myipaddress; Set nameserver = 1; monitoring connection
2011-05-31 05:42:39 *Tunnelblick: /Applications/Tunnelblick.app/Contents/Resources/openvpnstart start 89.151.66.233.conf 1338 1 0 0 0 49
2011-05-31 05:42:40 *Tunnelblick: kextload: /Applications/Tunnelblick.app/Contents/Resources/tun.kext loaded successfully
2011-05-31 05:42:39 *Tunnelblick: openvpnstart: /Applications/Tunnelblick.app/Contents/Resources/openvpn --cd /Users/uwe/Library/Application Support/Tunnelblick/Configurations --daemon --management 127.0.0.1 1338 --config /Users/uwe/Library/Application Support/Tunnelblick/Configurations/myipaddress.conf --log /Library/Application Support/Tunnelblick/Logs/-SUsers-Suwe-SLibrary-SApplication Support-STunnelblick-SConfigurations-Smy.conf.1_0_0_0_49.1338.openvpn.log --management-query-passwords --management-hold --script-security 2 --up /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -m -w -d --down /Applications/Tunnelblick.app/Contents/Resources/client.down.tunnelblick.sh -m -w -d --up-restart
2011-05-31 05:42:40 OpenVPN 2.1.4 i386-apple-darwin10.7.1 [SSL] [LZO2] [PKCS11] built on Mar 1 2011
2011-05-31 05:42:40 MANAGEMENT: TCP Socket listening on 127.0.0.1:1338
2011-05-31 05:42:40 Need hold release from management interface, waiting...
2011-05-31 05:42:40 MANAGEMENT: Client connected from 127.0.0.1:1338
2011-05-31 05:42:40 MANAGEMENT: CMD 'pid'
2011-05-31 05:42:40 MANAGEMENT: CMD 'state on'
2011-05-31 05:42:40 MANAGEMENT: CMD 'state'
2011-05-31 05:42:40 MANAGEMENT: CMD 'hold release'
2011-05-31 05:42:40 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2011-05-31 05:42:40 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2011-05-31 05:42:40 MANAGEMENT: CMD 'password [...]'
2011-05-31 05:42:40 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
2011-05-31 05:42:40 Cannot load private key file my.key: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt: error:0906A065:PEM routines:PEM_do_header:bad decrypt: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
2011-05-31 05:42:40 MANAGEMENT: Client disconnected
2011-05-31 05:42:40 Error: private key password verification failed
2011-05-31 05:42:40 Exiting
2011-05-31 05:42:40 *Tunnelblick: Obtained VPN passphrase from the Keychain
2011-05-31 05:42:40 *Tunnelblick: Flushed the DNS cache

I checked earlier threads that seemed to lead to mismatched passwords
but my password is correct - I checked that with 'openssl rsa -in
Library/openvpn/provider1/my.key -noout -text'

Tunnelblick currently does not try to send any traffic to my VPN
server.
When I use a copy of the files ca.crt, my.key, my.crt from another working
config, then Tunnelblick accepts the keys and starts sending traffic to
the openvpn server, but of course with the wrong key files, which fail
naturally.

So I'm lost.
My Tunnelblick app works fine with other configs.
My key works fine with the openssl binary.
But altogether it is failing.

Any help is appreciated.
Best regards,
Uwe

jkbull...gmail.com

May 31, 2011, 12:40:20 AM
to tunnelbli...@googlegroups.com
Thanks for your complete report.

The permissions are fine; no "extended attributes" are needed on any of the files.

I think that the problem is that Tunnelblick is getting the private key password from the Keychain, but apparently the value stored in the Keychain is incorrect. So when OpenVPN tries to decrypt the private key file using the (wrong) private key password, the decryption fails.

If so, this is similar to the problem at https://groups.google.com/d/topic/tunnelblick-discuss/YS1jPVlODCs/discussion (which was for a username/password that Tunnelblick got from the Keychain, not a private key, but the idea is the same).

Either remove the problematic Keychain entries as described in the second post in the above thread, or try Tunnelblick 3.2beta14, which fixes the bug that causes 3.1.7 to fail to inform you about the incorrect private key and help you fix it.

There have been more than 3000 downloads of 3.2beta14 and no major problems have been reported, so you can probably install and use that.

Or you can try 3.2beta14 without disturbing your existing Tunnelblick installation:
  1. Download the 3.2beta14 .dmg from the Downloads page
  2. Double-click the .dmg
  3. Drag the Tunnelblick icon to the Desktop
  4. Double-click it to run it from there (leaving your existing 3.1.7 in /Applications).
When you try to connect, you should get a window saying the private key was bad. Click "Try with different credentials" (or something like that). After you successfully connect and have saved the (correct) private key in the Keychain, you can quit Tunnelblick, and run your Tunnelblick 3.1.7 from /Applications. Assuming that works too (it should), you can then put the 3.2beta14 version in the Trash.

Please report back success, or ask for more help if this doesn't work. If you do need more help, please post your configuration file, too. X out any sensitive info (like IP addresses).

Uwe

Jun 1, 2011, 12:38:27 AM
to tunnelblick-discuss
Hi,

Thanks for your answer :)
I double checked the password in my keychain. It is correct, and I
deleted the password and started with a fresh password. I tried all
possibilities.

With 3.2beta14 tunnelblick tells me, that the password is wrong. I
again double checked the password in the keychain. And it is correct.

But I found something. I created my passphrase with a § at the end of
the string. If I use only characters like [a-zA-Z0-9] then it works
perfectly.
So someone in the chain of progs and libs cannot handle the character
§.

openssl was working with a passphrase containing the §.

Thanks for your help.
Uwe


On May 31, 6:40 am, "jkbull...gmail.com" <jkbull...@gmail.com> wrote:
> Thanks for your complete report.
>
> The permissions are fine; no "extended attributes" are needed on any of the
> files.
>
> I think that the problem is that Tunnelblick is getting the private key
> password from the Keychain, but apparently the value stored in the Keychain
> is incorrect. So when OpenVPN tries to decrypt the private key file using
> the (wrong) private key password, the decryption fails.
>
> If so, this is similar to the problem at https://groups.google.com/d/topic/tunnelblick-discuss/YS1jPVlODCs/dis... (which
> was for a username/password that Tunnelblick got from the Keychain, not a
> private key, but the idea is the same).
>
> Either remove the problematic Keychain entries as described in the second
> post in the above thread, or try Tunnelblick 3.2beta14, which fixes the bug
> that causes 3.1.7 to fail to inform you about the incorrect private key and
> help you fix it.
>
> There have been more than 3000 downloads of 3.2beta14 and no major problems
> have been reported, so you can probably install and use that.
>
> Or you can try 3.2beta14 without disturbing your existing Tunnelblick
> installation:
>
>    1. Download the 3.2beta14 .dmg from the Downloads<http://code.google.com/p/tunnelblick/wiki/DownloadsEntry?tm=2>
>     page
>    2. Double-click the .dmg
>    3. Drag the Tunnelblick icon to the Desktop
>    4. Double-click it to run it from there (leaving your existing 3.1.7 in

jkbull...gmail.com

Jun 1, 2011, 7:24:15 AM
to tunnelbli...@googlegroups.com
Thanks for tracking this down. I'll look into how Tunnelblick handles the data between the Keychain and OpenVPN.

jkbull...gmail.com

Jun 2, 2011, 9:09:12 AM
to tunnelbli...@googlegroups.com
After some testing by Uwe (thanks!) of a version of Tunnelblick that treats the strings as UTF8 instead of Latin1, it looks like this will be difficult to figure out. Tunnelblick sends the password to OpenVPN, which then passes it on to an embedded copy of OpenSSL (not the version you get from the command line).

I'm sorry but it is a relatively low priority because it affects so few users and can be worked around.

Until this is fixed, probably only printable ASCII characters can be in a username, password or private key. (But not the "extended" ASCII characters.)

Again, thanks to Uwe for help on this problem.
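The mechanism behind the "bad decrypt" in Uwe's log, and behind the UTF8/Latin1 remark above, can be shown without any VPN at all. A legacy encrypted PEM key (the `Proc-Type: 4,ENCRYPTED` / `DEK-Info:` kind that `openssl rsa` reads) derives its symmetric key from the raw passphrase bytes with OpenSSL's EVP_BytesToKey (MD5, one iteration, salted with the first 8 bytes of the IV). A passphrase ending in `§` is the bytes `C2 A7` in UTF-8 but `A7` in Latin-1, so the two encodings derive different keys and whichever side uses the "other" one fails exactly as in the log. The following is an added example written for this thread, not code from Tunnelblick, OpenVPN or OpenSSL; the PEM header and its IV are constructed sample values, and the base64 body is omitted because only the header feeds the key derivation.

```python
import hashlib
import re

# Constructed sample: only the legacy PEM header matters for key derivation,
# so the base64 body is omitted. The IV is a made-up hex value, not a real key's.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,A1B2C3D4E5F60718293A4B5C6D7E8F90

(base64 body omitted in this constructed sample)
-----END RSA PRIVATE KEY-----
"""

# (key length, IV length) of the ciphers OpenSSL commonly writes into DEK-Info.
CIPHERS = {
    "DES-EDE3-CBC": (24, 8),
    "AES-128-CBC": (16, 16),
    "AES-192-CBC": (24, 16),
    "AES-256-CBC": (32, 16),
}


def parse_dek_info(pem_text):
    """Return (cipher_name, iv_bytes) from a legacy encrypted PEM header."""
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if not m:
        raise ValueError("no DEK-Info header: key is not legacy-PEM encrypted")
    cipher, iv = m.group(1), bytes.fromhex(m.group(2))
    if cipher not in CIPHERS:
        raise ValueError("unsupported cipher %s" % cipher)
    if len(iv) != CIPHERS[cipher][1]:
        raise ValueError("IV length does not match %s" % cipher)
    return cipher, iv


def evp_bytes_to_key(password, salt, key_len):
    """OpenSSL EVP_BytesToKey with MD5 and a single iteration, as PEM_do_header uses it."""
    derived = b""
    block = b""
    while len(derived) < key_len:
        block = hashlib.md5(block + password + salt).digest()
        derived += block
    return derived[:key_len]


def derive_pem_key(pem_text, passphrase_bytes):
    """Derive the symmetric key OpenSSL would use to decrypt this PEM body."""
    cipher, iv = parse_dek_info(pem_text)
    key_len, _ = CIPHERS[cipher]
    # PEM_do_header salts the derivation with the first 8 bytes of the IV.
    return evp_bytes_to_key(passphrase_bytes, iv[:8], key_len)


def keys_agree_across_encodings(pem_text, passphrase):
    """True if the UTF-8 and Latin-1 encodings of the passphrase derive the same key."""
    k_utf8 = derive_pem_key(pem_text, passphrase.encode("utf-8"))
    k_latin1 = derive_pem_key(pem_text, passphrase.encode("latin-1"))
    return k_utf8 == k_latin1


def is_printable_ascii(passphrase):
    """The conservative rule from the thread: only 0x20..0x7E, no 'extended' ASCII."""
    return all(0x20 <= ord(c) <= 0x7E for c in passphrase)


if __name__ == "__main__":
    for pw in ("secret1", "secret§"):
        print(pw,
              "ascii-safe:", is_printable_ascii(pw),
              "same key under UTF-8 and Latin-1:",
              keys_agree_across_encodings(SAMPLE_PEM, pw))
```

The practical check this gives a defender is simple: if `openssl rsa -in my.key -noout` accepts the passphrase at a UTF-8 terminal but an application that hands the same passphrase to its own OpenSSL copy reports `PEM_do_header:bad decrypt`, the bytes that reached the library differ from the bytes used at encryption time, and `keys_agree_across_encodings` returning False for that passphrase is the tell. Until the encoding path is known to be consistent end to end, `is_printable_ascii` is the rule the thread settles on.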