I’m trying to set up an OpenVPN server in a brand new RB850Gx2 running RouterOS 6.29.1 but I’m having problems with the SSL certificates.
The OpenVPN client is unable to verify the server certificate (issued by starttls).
RouterOS certificates (server, intermediate and root certificate):
[admin@vimes] /certificate> print
Flags: K - private-key, D - dsa, L - crl, C - smart-card-key, A - authority, I - issued, R - revoked, E - expired, T - trusted
# NAME COMMON-NAME SUBJECT-ALT-NAME FINGERPRINT
0 K L T cert_2 vimes.XXXXX.net DNS:vimes.XXXXX.net 25eb5da4dd61e6eca4b45f...
1 L A T ca_4 StartCom Class 1 Prima... 24a04b44b0e07752c1ceb7...
2 L A T ca_5 StartCom Certification... c766a9bef2d4071c863a31...
OpenVPN client log:
Sun Jul 5 12:16:52 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Enter Auth Username:foo
Enter Auth Password:
Sun Jul 5 12:16:54 2015 Attempting to establish TCP connection with [AF_INET]XXX.YYY.ZZZ.XXX:443 [nonblock]
Sun Jul 5 12:16:55 2015 TCP connection established with [AF_INET]XXX.YYY.ZZZ.XXX:443
Sun Jul 5 12:16:55 2015 TCPv4_CLIENT link local: [undef]
Sun Jul 5 12:16:55 2015 TCPv4_CLIENT link remote: [AF_INET]XXX.YYY.ZZZ.XXX:443
Sun Jul 5 12:16:55 2015 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Jul 5 12:16:56 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Sun Jul 5 12:16:56 2015 TLS Error: TLS object -> incoming plaintext read error
Sun Jul 5 12:16:56 2015 TLS Error: TLS handshake failed
And OpenSSL s_client output:
CONNECTED(00000003)
139914755479200:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 295 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
As can be seen in the openssl s_client -connect output the VPN server isn’t sending the certificate chain.
Using OpenSSL I am able to successfully verify the certificate:
nico@mort:~/Downloads$ openssl verify -CAfile sub.class1.server.ca.pem ../vimes.XXXXX.net.crt
../vimes.XXXXX.net.crt: OK
Any idea on how to proceed?