How to properly configure SoftEtherVPN Server with purchased certificates?
This is my dovecot:
openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.$MYDOMAIN:995
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
Start Time: 1401404515
Timeout : 300 (sec)
Verify return code: 0 (ok)
This is my apache:
openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.$MYDOMAIN:443
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Start Time: 1401404654
Timeout : 300 (sec)
Verify return code: 0 (ok)
I tried it like apache:
SSLCertificateFile /etc/comodo/client.crt
SSLCertificateKeyFile /etc/comodo/server.key
(That is, I took these certificate and key.)
openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect softether.$MYDOMAIN:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
Verify return code: 21 (unable to verify the first certificate)
I tried it like dovecot:
https://forum.linode.com/viewtopic.php?t=10581&p=61236
cat client.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
(Comodo gives me back these files: AddTrustExternalCARoot.crt, PositiveSSLCA2.crt, and client.crt)
openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect softether.$MYDOMAIN:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
Verify return code: 21 (unable to verify the first certificate)
SoftEtherVPN + "real" certificate
-
- Posts: 230
- Joined: Tue Mar 05, 2013 10:04 am
Re: SoftEtherVPN + "real" certificate
You have to put the intermediate certificates and the root certificate in the "chain_certs" directory of your VPN Server program.
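The verify errors in the question and the fix in this reply both turn on whether the client is handed the intermediate certificate. The script below is an added example, not part of the original thread and not SoftEther's own code: it builds a throwaway three-level PKI (all names and file names are constructed) and shows `openssl verify` returning error 20 for the leaf alone and 0 once the intermediate is supplied.

```shell
#!/bin/sh
# Added example: throwaway root -> intermediate -> leaf PKI. All names are constructed.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > req.cnf
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# new_csr NAME SUBJECT: fresh RSA key plus certificate request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# sign NAME EXTFILE SIGNER-ARGS...: issue NAME.crt from NAME.csr.
sign() {
  name=$1; ext=$2; shift 2
  openssl x509 -req -in "$name.csr" -extfile "$ext" -days 2 \
    -out "$name.crt" "$@" 2>/dev/null
}

build_pki() {
  new_csr root "/CN=Constructed Root CA" &&
    sign root ca.ext -signkey root.key &&
    new_csr inter "/CN=Constructed Intermediate CA" &&
    sign inter ca.ext -CA root.crt -CAkey root.key -CAcreateserial &&
    new_csr leaf "/CN=vpn.example.test" &&
    sign leaf leaf.ext -CA inter.crt -CAkey inter.key -CAcreateserial
}

# verify_code ARGS...: first "error N" from `openssl verify`, or 0 when the chain validates.
verify_code() {
  out=$(openssl verify "$@" 2>&1) || true
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1)
  if [ -z "$code" ]; then case "$out" in *": OK") code=0 ;; *) code=unknown ;; esac; fi
  echo "$code"
}

# issued_by CHILD PARENT: true when CHILD's issuer name equals PARENT's subject name.
issued_by() {
  [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
    "$(openssl x509 -noout -subject_hash -in "$2")" ]
}

build_pki || { echo "openssl could not build the sample PKI" >&2; exit 1; }
echo "leaf alone:          verify error $(verify_code -CAfile root.crt leaf.crt)"
echo "leaf + intermediate: verify error $(verify_code -CAfile root.crt -untrusted inter.crt leaf.crt)"
issued_by leaf.crt inter.crt && echo "inter.crt is the issuer that must accompany leaf.crt"
```

Against a live server, the equivalent sign of a complete chain is that the "Certificate chain" section of `openssl s_client` lists the intermediate as entry 1, as in the dovecot and apache output in the question.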
-
- Posts: 2
- Joined: Thu May 29, 2014 10:54 pm
Re: SoftEtherVPN + "real" certificate
SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: Session-ID-ctx:
Master-Key:
Key-Arg : None
Start Time:
Timeout : 300 (sec)
Verify return code: 0 (ok)
Thanks!!!
-
- Posts: 230
- Joined: Tue Mar 05, 2013 10:04 am
Re: SoftEtherVPN + "real" certificate
We updated SoftEther VPN to 4.07, Build 9448 (June 6, 2014).
http://www.softether.org/5-download/history
The automated root certificate and intermediate certificates downloading function has been implemented. It is very helpful when you use a commercial certificate which has been issued by a commercial CA (Certificate Authority), including VeriSign, GlobalSign or RapidSSL. In previous versions, you had to install the root certificate and intermediate certificates manually into the "chain_certs" directory. In this version, you no longer need to do such a manual installation of chained certs.