SoftEtherVPN + "real" certificate

cisco25678
Posts: 2
Joined: Thu May 29, 2014 10:54 pm

SoftEtherVPN + "real" certificate

Post by cisco25678 » Thu May 29, 2014 11:20 pm

How to properly configure SoftEtherVPN Server with purchased certificates?

This is my dovecot:
openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect mail.$MYDOMAIN:995
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Start Time: 1401404515
Timeout : 300 (sec)
Verify return code: 0 (ok)

This is my apache:
openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect www.$MYDOMAIN:443
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify return:1
depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = PositiveSSL CA 2
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Start Time: 1401404654
Timeout : 300 (sec)
Verify return code: 0 (ok)

I tried it like apache:
SSLCertificateFile /etc/comodo/client.crt
SSLCertificateKeyFile /etc/comodo/server.key
(That is, I took these certificate and key.)

openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect softether.$MYDOMAIN:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2

Verify return code: 21 (unable to verify the first certificate)

I tried it like dovecot:
https://forum.linode.com/viewtopic.php?t=10581&p=61236
cat client.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > ssl-bundle.crt
(Comodo gives me back these files: AddTrustExternalCARoot.crt, PositiveSSLCA2.crt, and client.crt)

openssl s_client -CApath /etc/ssl/certs/ -crlf -CAfile /etc/ssl/certs/ca-certificates.crt -connect softether.$MYDOMAIN:443
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=27:certificate not trusted
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL Multi-Domain, CN = $MYDOMAIN
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2

Verify return code: 21 (unable to verify the first certificate)

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: SoftEtherVPN + "real" certificate

Post by dnobori » Fri May 30, 2014 3:42 pm

You have to put the intermediate certificates and the root certificate in the "chain_certs" directory of your VPN Server program.
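
Added example, not part of the original posts or of SoftEther: a small filter that reads `openssl s_client` output and reports whether the server sent only the leaf certificate, which is the condition the outputs above show before the "chain_certs" fix. The function name `chain_report`, the status labels and the two sample inputs (abridged from the output posted in this thread) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify `openssl s_client` output.

# Reads s_client output on stdin; prints how many certificates the server
# sent, the verify code, and a status derived from both.
chain_report() {
  awk '
    /^Certificate chain/                    { in_chain = 1; next }
    in_chain && /^(---|Server certificate)/ { in_chain = 0 }
    # " 0 s:<subject>" starts each certificate the server presented
    in_chain && /^ *[0-9]+ s:/ { n++; next }
    # "   i:<issuer>": keep the issuer of the last certificate presented
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); issuer = $0; next }
    /Verify return code:/      { code = $4 + 0; seen = 1 }
    END {
      if (!n || !seen)                   status = "NO_DATA"
      else if (code == 0)                status = "OK"
      else if (code == 18 || code == 19) status = "SELF_SIGNED"
      else if (code == 20 || code == 21) status = "INCOMPLETE_CHAIN"
      else                               status = "VERIFY_FAILED"
      printf "certs_sent=%d verify=%s status=%s\n", n, (seen ? code : "-"), status
      if (status == "INCOMPLETE_CHAIN") printf "missing_issuer=%s\n", issuer
    }'
}

# Sample inputs, abridged from the s_client output posted in this thread.
sample_leaf_only() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
---
    Verify return code: 21 (unable to verify the first certificate)
EOF
}
sample_full_chain() { cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=$MYDOMAIN
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=PositiveSSL CA 2
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
    Verify return code: 0 (ok)
EOF
}

sample_leaf_only | chain_report
sample_full_chain | chain_report
```

Against a live server, pipe the real output through the same function: `openssl s_client -connect softether.$MYDOMAIN:443 </dev/null 2>/dev/null | chain_report`.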

cisco25678
Posts: 2
Joined: Thu May 29, 2014 10:54 pm

Re: SoftEtherVPN + "real" certificate

Post by cisco25678 » Tue Jun 03, 2014 1:08 am

SSL-Session:
Protocol : TLSv1
Cipher : AES128-SHA
Session-ID: Session-ID-ctx:
Master-Key:
Key-Arg : None
Start Time:
Timeout : 300 (sec)
Verify return code: 0 (ok)

Thanks!!!

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: SoftEtherVPN + "real" certificate

Post by dnobori » Fri Jun 06, 2014 12:34 pm

We updated SoftEther VPN 4.07, Build 9448 (June 6, 2014).

http://www.softether.org/5-download/history

The automated root certificate and intermediate certificates downloading function has been implemented. It is very helpful when you use a commercial certificate which has been issued by a commercial CA (Certificate Authority), including VeriSign, GlobalSign or RapidSSL. In previous versions, you had to install the root certificate and intermediate certificates manually into the "chain_certs" directory. In this version, you no longer need to do such a manual installation of chained certs.
