Add valid ns-cert-type to sys-0-cert.pem for OpenVPN server (and Radius server)
Migrated from: https://tracker.clearos.com/view.php?id=21401
Reported by: NHowitt
In our OpenVPN configs, "ns-cert-type server" is deprecated. See https://community.openvpn.net/openvpn/wiki/DeprecatedOptions.
"ns-cert-type" will disappear in OpenVPN 2.5 (timing unknown). If used in 2.5, it will be remapped to "remote-cert-tls", which will then fail because the sys-0-pem does not contain the required extended key usage of "TLS Web Server Authentication". The solution in the short term is to regenerate the sys-0-pem with the additional EKU. Longer term, "ns-cert-type server" should also be changed to "remote-cert-tls server" in the client configs, but not until the certificate change is made.
In the client logs the error with "remote-cert-tls server" is:
Fri Sep 07 10:22:51 2018 VERIFY OK: depth=1, C=GB, L=Petersfield, O=ClearOS, OU=14 Upper Heyshott, CN=ca.server.howitts.lan, emailAddress=security@server.howitts.lan, O=Howitt Family, ST=Hampshire
Fri Sep 07 10:22:51 2018 VERIFY KU OK
Fri Sep 07 10:22:51 2018 Certificate does not have extended key usage extension
Fri Sep 07 10:22:51 2018 VERIFY EKU ERROR
Fri Sep 07 10:22:51 2018 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Fri Sep 07 10:22:51 2018 TLS_ERROR: BIO read tls_read_plaintext error
Fri Sep 07 10:22:51 2018 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 07 10:22:51 2018 TLS Error: TLS handshake failed
Fri Sep 07 10:22:51 2018 Fatal TLS error (check_tls_errors_co), restarting
Note that the certificate issue could be triggered by a client update which is out of our control. This is especially so with Apple iOS/MacOS and Android products, where you cannot ask the user to downgrade, so we, ideally, should be ahead of the game. (0007951)
NickH (developer) 2018-09-08 03:05
As an aside, the EKU "TLS Web Server Authentication" is also required by the Radius Server cert for Win10 to authenticate. This change would then make the sys-0-cert directly usable in the Radius server. More info is in /etc/raddb/certs/README and the OIDs are in /etc/raddb/certs/xpextensions. (0008491)