Context Navigation

← Previous Ticket
Next Ticket →

#1031 closed Bug / Defect (wontfix)

iOS: mobileconfig with no cert triggers "OpenVPN error : Missing External PKI alias"

Reported by:	seanob	Owned by:	OpenVPN Inc.
Priority:	minor	Milestone:
Component:	OpenVPN Connect	Version:	OpenVPN Connect for iOS v1.2.9
Severity:	Not set (select this one, unless your'e a OpenVPN developer)	Keywords:
Cc:

Description

Hi,

This particular issue only started to occur in the latest release v. 1.2.9. Previous versions I was able to connect fine.

Steps to reproduce.

Push mobileconfig file to iPhone with OpenVPN 1.2.9 installed. Note: mobileconfig has the certificate details embedded rather than attaching the client cert separately - which is not possible as I am using a 3rd party VPN service.

Launch OpenVPN application. Enter credentials for VPN connection. Connect

Connection instantly fails with the following error: "OpenVPN error : Missing External PKI alias"

OpenVPN Log in the application:

2018-02-28 00:53:43 ----- OpenVPN Start -----
OpenVPN core 3.2 ios arm64 64-bit built on Feb 22 2018 12:39:28
2018-02-28 00:53:43 EVENT: CORE_ERROR Missing External PKI alias [ERR]
2018-02-28 00:53:43 Raw stats on disconnect:
2018-02-28 00:53:43 Performance stats on disconnect:

CPU usage (microseconds): 25588
Network bytes per CPU second: 0
Tunnel bytes per CPU second: 0

I have cross referenced my mobileconfig configuration with the following link, but in saying this the mobileconfig was working up until the previous version and all prior versions successfully:
https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/

I have the OpenVPN 1.2.8 ipa file saved as a backup, so I can always downgrade to test behaviour if you need me to.

mobileconfig configuration:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-AppleDTD PLIST 1.0EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>

<key>PayloadContent?</key>
<array>

<dict>

<key>IPv4</key>
<dict>

<key>OverridePrimary?</key>
<integer>0</integer>

</dict>
<key>PayloadDescription?</key>
<string>Configures VPN settings</string>
<key>PayloadDisplayName?</key>
<string>VPN</string>
<key>PayloadIdentifier?</key>
<string>com.apple.vpn.managed.AD23C943-5F54-40CF-AFED-6FAA71423060</string>
<key>PayloadType?</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>AD23C943-5F54-40CF-AFED-6FAA71423060</string>
<key>PayloadVersion?</key>
<integer>1</integer>
<key>Proxies</key>
<dict>

<key>HTTPEnable</key>
<integer>0</integer>
<key>HTTPSEnable</key>
<integer>0</integer>

</dict>
<key>UserDefinedName?</key>
<string>NordVPN JP16</string>
<key>VPN</key>
<dict>

<key>AuthName?</key>
<string>DEFAULT</string>
<key>AuthenticationMethod?</key>
<string>Password</string>
<key>RemoteAddress?</key>
<string>DEFAULT</string>

</dict>
<key>VPNSubType</key>
<string>net.openvpn.connect.app</string>
<key>VPNType</key>
<string>VPN</string>
<key>VendorConfig?</key>
<dict>

<key>auth</key>
<string>SHA512</string>
<key>auth-user-pass</key>
<string>NOARGS</string>
<key>ca</key>
<string>-----BEGIN CERTIFICATE-----\nREMOVED\n-----END CERTIFICATE-----</string>
<key>cipher</key>
<string>AES-256-CBC</string>
<key>client</key>
<string>NOARGS</string>
<key>comp-lzo</key>
<string>NOARGS</string>
<key>dev</key>
<string>tun</string>
<key>explicit-exit-notify</key>
<string>3</string>
<key>fast-io</key>
<string>NOARGS</string>
<key>key-direction</key>
<string>1</string>
<key>mssfix</key>
<string>1450</string>
<key>nobind</key>
<string>NOARGS</string>
<key>persist-key</key>
<string>NOARGS</string>
<key>persist-tun</key>
<string>NOARGS</string>
<key>ping</key>
<string>15</string>
<key>ping-restart</key>
<string>0</string>
<key>ping-timer-rem</key>
<string>NOARGS</string>
<key>proto</key>
<string>udp</string>
<key>pull</key>
<string>NOARGS</string>
<key>remote</key>
<string>REMOVED 1194</string>
<key>remote-cert-tls</key>
<string>server</string>
<key>remote-random</key>
<string>NOARGS</string>
<key>reneg-sec</key>
<string>0</string>
<key>resolv-retry</key>
<string>infinite</string>
<key>tls-auth</key>
<string>#\n# 2048 bit OpenVPN static key\n#\n-----BEGIN OpenVPN Static key V1-----\nREMOVED\n-----END OpenVPN Static key V1-----</string>
<key>tun-mtu</key>
<string>1500</string>
<key>tun-mtu-extra</key>
<string>32</string>
<key>verb</key>
<string>3</string>
<key>vpn-on-demand</key>
<string>0</string>

</dict>

</dict>

</array>
<key>PayloadDescription?</key>
<string>NordVPN JP16 UDP</string>
<key>PayloadDisplayName?</key>
<string>NordVPN JP16 UDP</string>
<key>PayloadIdentifier?</key>
<string>15AC5240-77B4-4C1C-A60D-106EE01E08B2</string>
<key>PayloadRemovalDisallowed?</key>
<false/>
<key>PayloadType?</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>D8B10C82-B78C-4900-B770-DED78EE693D6</string>
<key>PayloadVersion?</key>
<integer>1</integer>

</dict>
</plist>

Change History (9)

comment:1 follow-up: 3 Changed 6 years ago by Antonio Quartulli

In your mobileconfig I don't see any "key" and "cert" directives. How are you "embedding" your key material then?

comment:2 Changed 6 years ago by Antonio Quartulli

Status:	new → assigned

comment:3 in reply to: 1 Changed 6 years ago by seanob

Replying to ordex:

In your mobileconfig I don't see any "key" and "cert" directives. How are you "embedding" your key material then?

The only directives that have been provided by the 3rd party VPN service are the "ca" and "tls-auth" directives. Using their ovpn config file with the app instead (with only "ca" and "tls-auth" directives) connects fine, but converting that file into a mobileconfig no longer works from v1.2.9 (which worked fine on previous versions of OpenVPN Connect app).

comment:4 follow-up: 5 Changed 6 years ago by Antonio Quartulli

I guess this behaviour changed between 1.2.7 and 1.2.8.
I may know where the issue, could you still paste the provided ovpn config please? Thanks

comment:5 in reply to: 4 Changed 6 years ago by seanob

Replying to ordex:

I guess this behaviour changed between 1.2.7 and 1.2.8.
I may know where the issue, could you still paste the provided ovpn config please? Thanks

client
dev tun
proto udp
remote REMOTE HOST 1194
resolv-retry infinite
remote-random
nobind
tun-mtu 1500
tun-mtu-extra 32
mssfix 1450
persist-key
persist-tun
ping 15
ping-restart 0
ping-timer-rem
reneg-sec 0

explicit-exit-notify 3

remote-cert-tls server

#mute 10000
auth-user-pass

comp-lzo
verb 3
pull
fast-io
cipher AES-256-CBC
auth SHA512

<ca>

</ca>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#

</tls-auth>

comment:6 Changed 6 years ago by Antonio Quartulli

Priority:	major → minor
Summary:	iOS: mobileconfig "OpenVPN error : Missing External PKI alias" → iOS: mobileconfig with no cert triggers "OpenVPN error : Missing External PKI alias"

comment:7 Changed 4 years ago by DaMac

nvm, opening new ticket.

Last edited 4 years ago by DaMac (previous) (diff)

comment:8 Changed 3 years ago by Antonio Quartulli

Owner:	changed from Antonio Quartulli to OpenVPN Inc.

comment:9 Changed 16 months ago by Gert Döring

Resolution:	→ wontfix
Status:	assigned → closed

OpenVPN Inc does not want to receive any feedback for the "Connect"
OpenVPN clients via the community bug trackers (here and in GH issues).

Please resubmit - if still relevant - via https://support.openvpn.net/

Note: See TracTickets for help on using tickets.

Download in other formats: