OpenVPN on iOS Cannot Parse Certificate

[dsneed]

I'm having issues with the OpenVPN iOS app (v3.4.0) with RT-AC86U running Merlin 386.12. It cannot parse the certificate. The Windows app works perfectly.

Here's my setup on my RT-AC86U Router with firmare 386.12.

And finally, the log from the app

[Oct 31, 2023, 12:49:24] START CONNECTION
[Oct 31, 2023, 12:49:24] ----- OpenVPN Start -----
OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 31, 2023, 12:49:24] OpenVPN core 3.8.2connect1 ios arm64 64-bit
[Oct 31, 2023, 12:49:24] Frame=512/2112/512 mssfix-ctrl=1250
[Oct 31, 2023, 12:49:24] EVENT: CORE_THREAD_ERROR parse_cert_crl_error: ca : CERT/CRL content ended unexpectedly without END marker [ERR]
[Oct 31, 2023, 12:49:24] EVENT: CORE_THREAD_DONE
[Oct 31, 2023, 12:49:24] EVENT: DISCONNECT_PENDING
[Oct 31, 2023, 12:49:24] Raw stats on disconnect:
[Oct 31, 2023, 12:49:24] Performance stats on disconnect:
CPU usage (microseconds): 9347
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

Any help is appreciated!

 

[sfx2000]

https://community.openvpn.net/openvpn/wiki/IOSinline

 

[dsneed]

Tried to follow along, but I still can't get it to work. Here's my auto created config file from the rotuer.

client
dev tun
proto tcp-client
remote server.com 1492
resolv-retry infinite
nobind
float
ncp-ciphers AES-256-GCM:AES-128-GCM:AES-256-CBC:AES-128-CBC:CHACHA20-POLY1305
auth SHA256
keepalive 15 60
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>

Could my DDNS certificate be causing an issue?

 

[Martinski]

I'm having issues with the OpenVPN iOS app (v3.4.0) with RT-AC86U running Merlin 386.12. It cannot parse the certificate. The Windows app works perfectly.
...
...
[Oct 31, 2023, 12:49:24] EVENT: CORE_THREAD_ERROR parse_cert_crl_error: ca : CERT/CRL content ended unexpectedly without END marker [ERR]
[Oct 31, 2023, 12:49:24] EVENT: CORE_THREAD_DONE
...

The error message indicates that the parser found some syntax error on or around the "END marker" delimiter for the CA certificate so it seems that the client configuration file may have been corrupted when it was imported/uploaded to your iOS device, especially since you said the Windows OpenVPN application works fine (using exactly the same client config file, I'm assuming). At this point, I'd recommend deleting the current client config file from your iOS device and importing/uploading again the original/uncorrupted config file.

Here are some syntax errors that may not be easily obvious but would cause parsing problems like the one you reported:

1) Empty line between the last encrypted line and the END marker.

BAD syntax:

<ca>
-----BEGIN CERTIFICATE-----
...
...
qTWpoAQqtySotk0ab2RJf9hv5ivfRocIDTDmYLB2iQMRMQPPjt9oeX1+/o8vsg==

-----END CERTIFICATE-----
</ca>

There should *not* be any empty lines at all before the END marker.


2) The END marker itself has extra hyphens, extra white spaces, any other extra/odd chars, etc.
For example, any extra leading hyphens is BAD syntax:

<ca>
-----BEGIN CERTIFICATE-----
...
...
------END CERTIFICATE-----
</ca>

Any extra trailing hyphens is also BAD syntax:

<ca>
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE------
</ca>

There should be exactly 5 leading hyphens & 5 trailing hyphens for each BEGIN/END marker, and exactly only one blank space before the word "CERTIFICATE" for each BEGIN/END marker (anything else is BAD syntax).

Just to be sure, double-check the config file for such syntax errors before importing it.

My 2 cents.

 

[dsneed]

The error message indicates that the parser found some syntax error on or around the "END marker" delimiter for the CA certificate so it seems that the client configuration file may have been corrupted when it was imported/uploaded to your iOS device, especially since you said the Windows OpenVPN application works fine (using exactly the same client config file, I'm assuming). At this point, I'd recommend deleting the current client config file from your iOS device and importing/uploading again the original/uncorrupted config file.

Here are some syntax errors that may not be easily obvious but would cause parsing problems like the one you reported:

1) Empty line between the last encrypted line and the END marker.

BAD syntax:

<ca>
-----BEGIN CERTIFICATE-----
...
...
qTWpoAQqtySotk0ab2RJf9hv5ivfRocIDTDmYLB2iQMRMQPPjt9oeX1+/o8vsg==

-----END CERTIFICATE-----
</ca>

There should *not* be any empty lines at all before the END marker.


2) The END marker itself has extra hyphens, extra white spaces, any other extra/odd chars, etc.
For example, any extra leading hyphens is BAD syntax:

<ca>
-----BEGIN CERTIFICATE-----
...
...
------END CERTIFICATE-----
</ca>

Any extra trailing hyphens is also BAD syntax:

<ca>
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE------
</ca>

There should be exactly 5 leading hyphens & 5 trailing hyphens for each BEGIN/END marker, and exactly only one blank space before the word "CERTIFICATE" for each BEGIN/END marker (anything else is BAD syntax).

Just to be sure, double-check the config file for such syntax errors before importing it.

My 2 cents.

I managed to get it working by uploading it via OneDrive. Thank you for all your help!