Gentoo Forums
Networking & Security
OpenSSL
Nu-kid
Tux's lil' helper
Joined: 14 Feb 2006
Posts: 101

Posted: Thu Oct 26, 2006 12:44 am    Post subject: OpenSSL

I know this is a stretch, but you guys have been so helpful.
I am running another PC with OpenBSD 3.9 and I know this is a Gentoo forum, but I was hoping someone could at least give me a clue as to what this error means.
Basically I have all my certs created, no problem. Now I'm testing my OpenSSL server and client, so the server is working, waiting for requests. But when I type the command to activate the client: openssl s_client -CAfile \
> CA-DB/cacert.pem -cert client1cert.pem -key client1key.pem

I get the following message:
unable to get certificate from 'client1cert.pem'
4320:error:02001002:system library:fopen:No such file or directory:/usr/src/lib/libssl/src/crypto/bio/bss_file.c:278:fopen('client1cert.pem','r')
4320:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/lib/libssl/src/crypto/bio/bss_file.c:280:
4320:error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib:/usr/src/lib/libssl/src/ssl/ssl_rsa.c:515:


So I'm thinking, all OpenSSL being equal (relatively), the above error message would make sense for any OpenSSL distro.
Anyway, I'm just looking for something that would make sense of this. Everything else is cracking along just fine.

Anyway, thanks for your consideration.
The saddest part is that there are no comprehensive forums for OpenSSL.
_________________
Put one foot in front of the other, and walk towards the light.
UberLord
Retired Dev
Joined: 18 Sep 2003
Posts: 6835
Location: Blighty

Posted: Thu Oct 26, 2006 9:08 am

You may have to remove all the English stuff from the pem file and just have the stuff between the ---BEGIN FOO--- hex stuff ---END FOO--- lines.
_________________
Use dhcpcd for all your automated network configuration needs
Use dhcpcd-ui (GTK+/Qt) as your System Tray Network tool
Nu-kid
Tux's lil' helper
Joined: 14 Feb 2006
Posts: 101

Posted: Thu Oct 26, 2006 11:22 pm

Thanks Uber...
But everything in the cacert.pem file is hex.

It's frustrating because I'm on the cusp of getting VPN working, but there are no answers.

Thanks again.
_________________
Put one foot in front of the other, and walk towards the light.
gnube
n00b
Joined: 15 Oct 2006
Posts: 13

Posted: Fri Oct 27, 2006 4:03 pm

Just a thought ... I got caught by that for a few minutes until I realized you need the full path to certs and keys.
Nu-kid
Tux's lil' helper
Joined: 14 Feb 2006
Posts: 101

Posted: Fri Oct 27, 2006 9:39 pm

Thanks for your help...
But I'm confused, because I have just been following the instructions below:

OpenSSL Test Framework

Now, after we have issued a couple of user certificates, we can make sure that our procedures are all correct by taking advantage of the two test commands provided by the OpenSSL package. The programs s_server (secure server) and s_client (secure client) can exercise almost the entire library and their operation is straightforward.

Start an OpenSSL secure server session in one terminal window. Start an OpenSSL secure client session in another. The client will contact the server using the SSL/TLS protocol at localhost using port 4433. You will be able to type messages into the console hosting the secure client and see them appear at the secure server. It will be immediately obvious if your certificates are not correct or there is a problem with your OpenSSL library installation.

Here we start an OpenSSL secure server at the command line. For arguments, we include the server certificate and server private key. The argument -verify 1 causes the server to ask any connecting client to send a certificate for authentication. (Note that the output from these commands is more verbose than these trimmed code examples indicate.)

[admin@tamarack admin]$ openssl s_server -cert vpncert.pem \
> -key vpnkey.pem -verify 1
verify depth is 1
Using default temp DH parameters
ACCEPT
...
[admin@tamarack admin]$

Now, in another console window, we start an OpenSSL secure client using the command argument -cert to provide a certificate to send to the server for authentication. The -key argument gives the private key to use when encrypting messages and the -CAfile argument points to the root certificate.

[admin@tamarack admin]$ openssl s_client -CAfile \
> CA-DB/cacert.pem -cert client1cert.pem -key client1key.pem
Enter PEM pass phrase:
...
[admin@tamarack admin]$

When the connection attempt succeeds, you can send sample messages between the client and server by typing text into either secure endpoint. To quit the session, type Q in the terminal window.

Now we know that our certificates can encrypt messages passed between two OpenSSL applications. However, we have not yet made sure that we can use our certificates with any arbitrary X.509-certificate-secured application. Adding the -WWW option to the s_server command will effectively create a secure web server that can serve any local file to a web-browsing client connecting using SSL/TLS. We will exercise this feature next.


Someone else suggested I type the full path, but the file client1cert.pem doesn't exist. So I thought it was going to be created, just like the vpncert-req.pem file.

Thanks again... I'm just a noob.
_________________
Put one foot in front of the other, and walk towards the light.
gnube
n00b
Joined: 15 Oct 2006
Posts: 13

Posted: Fri Oct 27, 2006 11:51 pm

You're telling the server to require clients to send a certificate, so they'd better have one.
There's a procedure referred to in the first line of the instructions you quoted ('...after we have issued a couple of user certificate...').
It looks like you need to take a step back and make some.
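The test-framework procedure quoted in Nu-kid's post, carried through so that the client certificate and key exist before s_client is asked to open them, which is the step gnube's reply points at. This is an added example, not code from the thread or from the tutorial Nu-kid quoted. It assumes a throwaway self-signed test CA under ./CA-DB, unencrypted keys (the tutorial's keys prompt for a pass phrase) and the names vpn and client1 for the two end entities; all of those are choices made here, not facts from the thread. The check_pem helper reproduces the two diagnoses given in the thread: a file that is not there produces the fopen "No such file or directory" error Nu-kid posted, and a file with no -----BEGIN/-----END block is the case UberLord's reply describes.

```shell
#!/bin/sh
# Added example (not from the thread): build the certificates the quoted
# tutorial assumes already exist, then check each file the way OpenSSL will
# see it before running s_server / s_client.
#
# Assumptions made here, not stated in the thread: certs live under ./CA-DB,
# the CA is a self-signed test CA, keys are unencrypted (-nodes), and the
# end entities are called "vpn" (server) and "client1" (client).

# check_pem FILE
# Prints "missing", "not-pem" or "ok"; returns 0 only for "ok".
#   missing -> OpenSSL reports fopen: No such file or directory
#   not-pem -> OpenSSL reports PEM routines: no start line
check_pem() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing"
        return 1
    fi
    if ! grep -q -- '^-----BEGIN ' "$f" || ! grep -q -- '^-----END ' "$f"; then
        echo "not-pem"
        return 1
    fi
    echo "ok"
    return 0
}

# make_test_certs DIR
# Creates DIR/CA-DB/cacert.pem plus vpncert.pem/vpnkey.pem and
# client1cert.pem/client1key.pem, all signed by the test CA.
make_test_certs() {
    dir=$1
    mkdir -p "$dir/CA-DB"
    # Self-signed test CA. -nodes leaves the key unencrypted: test use only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Test CA" \
        -keyout "$dir/CA-DB/cakey.pem" -out "$dir/CA-DB/cacert.pem"
    # One request and one CA-signed certificate per end entity.
    for name in vpn client1; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$dir/${name}key.pem" -out "$dir/${name}-req.pem"
        openssl x509 -req -days 30 -in "$dir/${name}-req.pem" \
            -CA "$dir/CA-DB/cacert.pem" -CAkey "$dir/CA-DB/cakey.pem" \
            -CAcreateserial -out "$dir/${name}cert.pem"
    done
}

# Usage:  sh this_script.sh generate ./certs
# Then, from ./certs, in one terminal:
#   openssl s_server -cert vpncert.pem -key vpnkey.pem \
#       -CAfile CA-DB/cacert.pem -Verify 1
# and in another:
#   openssl s_client -connect localhost:4433 -CAfile CA-DB/cacert.pem \
#       -cert client1cert.pem -key client1key.pem
if [ "${1:-}" = "generate" ]; then
    out=${2:-.}
    make_test_certs "$out"
    for f in CA-DB/cacert.pem vpncert.pem vpnkey.pem client1cert.pem client1key.pem; do
        printf '%s: %s\n' "$f" "$(check_pem "$out/$f")"
    done
fi
```

Two details worth knowing when running the tutorial's commands: s_server's lowercase -verify N only asks the client for a certificate and carries on if none arrives, whereas -Verify N (capital V) refuses the handshake without one; and the server needs -CAfile pointing at the issuing CA to check the client's chain, otherwise it logs a verify error for every client certificate, valid or not.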