Deploying a VPN with PKI
Subject:   OpenVPN..openssl s_client -CAfile \
Date:   2006-10-26 16:49:08
From:   peteythapitbull
I've followed evrything to the letter and now I'm trying to run the test. The s_server is working. But when I type the following I get an error message. I don't understand why?

# openssl s_client -CAfile \
> CA-DB/cacert.pem -cert client1cert.pem -key client1key.pem
unable to get certificate from 'client1cert.pem'
31297:error:02001002:system library:fopen:No such file or directory:/usr/src/lib/libssl/src/crypto/bio/bss_file.c:278:fopen('client1cert.pem','r')
31297:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/lib/libssl/src/crypto/bio/bss_file.c:280:
31297:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:/usr/src/lib/libssl/src/ssl/ssl_rsa.c:515:

Thnx for any help or feed back

Full Threads Oldest First

Showing messages 1 through 2 of 2.

  • OpenVPN..openssl s_client -CAfile \
    2006-10-26 18:33:23  inyotech [View]

    I notice this in the above error message text:

    ... fopen:No such file or directory ... fopen('client1cert.pem','r')

    Maybe you can double check that the certificate file is in your current directory or use the full path on the command line?

    Hope this helps,

    Scott B
    • OpenVPN..openssl s_client -CAfile \
      2006-10-27 14:13:04  peteythapitbull [View]

      Thnx for your help...
      But I'm confused because I have just been following the instructions below:

      OpenSSL Test Framework

      Now, after we have issued a couple of user certificates, we can make sure that our procedures are all correct by taking advantage of the two test commands provided by the OpenSSL package. The programs s_server (secure server) and s_client (secure client) can exercise almost the entire library and their operation is straightforward.

      Start an OpenSSL secure server session in one terminal window. Start an OpenSSL secure client session in another. The client will contact the server using the SSL/TLS protocol at localhost using port 4433. You will be able to type messages into the console hosting the secure client and see them appear at the secure server. It will be immediately obvious if your certificates are not correct or there is a problem with your OpenSSL library installation.

      Here we start an OpenSSL secure server at the command line. For arguments, we include the server certificate and server private key. The argument -verify 1 causes the server to ask any connecting client to send a certificate for authentication. (Note that the output from these commands is more verbose than these trimmed code examples indicate.)

      [admin@tamarack admin]$ openssl s_server -cert vpncert.pem \
      > -key vpnkey.pem -verify 1
      verify depth is 1
      Using default temp DH parameters
      [admin@tamarack admin]$

      Now, in another console window, we start an OpenSSL secure client using the command argument -cert to provide a certificate to send to the server for authentication. The -key argument gives the private key to use when encrypting messages and the -CAfile argument points to the root certificate.

      [admin@tamarack admin]$ openssl s_client -CAfile \
      > CA-DB/cacert.pem -cert client1cert.pem -key client1key.pem
      Enter PEM pass phrase:
      [admin@tamarack admin]$

      When the connection attempt succeeds, you can send sample messages between the client and server by typing text into either secure endpoint. To quit the session, type Q in the terminal window.

      Now we know that our certificates can encrypt messages passed between two OpenSSL applications. However, we have not yet made sure that we can use our certificates with any arbitrary X.509-certificate-secured application. Adding the -WWW option to the s_server command will effectively create a secure web server that can serve any local file to a web-browsing client connecting using SSL/TLS. We will exercise this feature next.

      Some else suggested I type the full path but the file client1cert.pem doesn't exist. So I thought it was going to be created. just like the vpncert-req.pem file.

      Thnx again..I'm just a noob