
I am trying to connect OpenVPN server and client. I get the following error on client end:

Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: VERIFY ERROR: depth=1, could not extract X509 subject string from certificate
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: OpenSSL: error:14090086:lib(20):func(144):reason(134)
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: TLS_ERROR: BIO read tls_read_plaintext error
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: TLS Error: TLS object -> incoming plaintext read error
Thu Aug 15 12:40:02 2019 daemon.err openvpn(default)[11009]: TLS Error: TLS handshake failed
Thu Aug 15 12:40:02 2019 daemon.notice openvpn(default)[11009]: SIGUSR1[soft,tls-error] received, process restarting
Thu Aug 15 12:40:02 2019 daemon.notice openvpn(default)[11009]: Restart pause, 5 second(s)

and the following on server end:

Thu Aug 15 12:40:56 2019 172.16.6.29:43704 TLS: Initial packet from [AF_INET]172.16.6.29:43704, sid=0e770fea 5311df72
Thu Aug 15 12:41:02 2019 172.16.6.29:50066 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Aug 15 12:41:02 2019 172.16.6.29:50066 TLS Error: TLS handshake failed
Thu Aug 15 12:41:02 2019 172.16.6.29:50066 SIGUSR1[soft,tls-error] received, client-instance restarting

Which makes me believe there is a problem with the client certificate, so I run: openssl x509 -in /etc/x509/client-2ac25b1c6b5444958021851ab473013b.pem -text and get this output:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c1:2d:1a:d7:cb:23:4f:fa:a2:57:8c:9c:34:0d:b3:94
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: 
        Validity
            Not Before: Aug 16 00:00:00 2019 GMT
            Not After : Aug 14 20:15:09 2024 GMT
        Subject: CN=08:00:27:6B:52:F3-08-00-27-25-34-89
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d4:53:7b:f8:cc:39:40:97:16:4f:f6:48:f3:c6:
                    fd:e2:bd:96:b1:87:6c:10:2d:b2:7f:52:8b:89:59:
                    0b:7b:b3:95:7f:64:e6:0b:8b:6e:b9:6f:1c:d8:8f:
                    a7:6d:e6:81:15:5a:b6:d4:76:01:28:e2:ca:95:f9:
                    a3:51:48:7d:9d:ba:a9:ea:90:8e:ea:48:08:f0:80:
                    58:39:4c:21:c1:cc:0d:55:11:d4:cf:16:0f:a8:3f:
                    63:4a:14:2b:00:8d:cf:58:9a:3c:8c:e9:1c:4d:f6:
                    8f:03:c5:7d:36:75:2d:39:8e:66:de:a6:bb:ad:7d:
                    2d:64:9c:25:27:d2:4e:74:21:e5:4f:05:34:6c:4c:
                    27:2b:d2:6e:83:6f:3e:53:19:c4:6b:2d:ab:1b:0a:
                    5a:33:b3:db:e7:4a:b7:bc:7d:24:58:6a:3d:a9:47:
                    27:cb:7d:bf:87:30:8c:ca:3c:1b:18:d1:9d:83:2e:
                    3f:2b:97:4b:7f:06:d1:e6:d1:8d:10:8c:62:52:87:
                    d0:6a:68:2d:7a:27:46:fa:68:5b:20:4e:04:45:19:
                    02:03:a9:ab:96:a4:54:a2:83:a4:96:b9:b0:b6:b5:
                    91:e3:16:2b:c5:87:46:eb:2c:8d:87:53:32:bb:e5:
                    7f:72:83:06:fe:af:41:be:e4:55:01:d2:ad:f2:d5:
                    6b:13
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: 
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier: 
                10:7D:D0:48:01:F5:D9:EC:D0:ED:52:9E:1F:37:E5:90:5B:7C:43:71
            X509v3 Authority Key Identifier: 
                keyid:1A:AA:C5:0D:66:77:5B:F9:C9:D5:5C:43:D5:8F:12:E2:D4:37:C1:67
                DirName:
                serial:1A:42:E0:FB:83:01:44:7D:A5:57:1C:99:85:2C:56:08

            Netscape Cert Type: 
                SSL Client
    Signature Algorithm: sha256WithRSAEncryption
         8e:5a:cb:a3:4d:43:6f:0f:88:76:fa:af:31:ef:ba:4a:98:02:
         25:82:b8:ba:dc:64:c9:97:ed:48:1d:31:de:e8:1f:a5:da:10:
         da:a9:15:b1:83:04:76:51:61:95:c4:97:15:d2:7b:4e:29:42:
         fb:42:b9:89:10:4c:db:26:8c:b1:13:a4:6f:46:82:53:c0:12:
         e1:61:0c:2c:89:6d:d6:e1:ca:93:43:f8:74:20:68:89:2a:21:
         ef:7b:7b:d3:d6:be:4e:e3:f6:34:18:72:b6:10:80:bd:43:d1:
         01:db:7c:59:ba:a6:3d:1b:de:9f:1f:c0:b5:6f:d8:3b:1e:b8:
         0a:6a:ed:ad:42:ce:c3:95:d6:70:ae:d2:79:82:1e:d7:af:24:
         f9:66:bc:4e:97:e5:3c:a1:93:3b:4e:60:f5:ea:d2:ec:5a:04:
         b0:06:7e:9f:66:b8:19:6f:33:cc:bf:c5:b7:36:85:67:45:c8:
         6c:23:32:04:5e:9f:a5:71:48:ce:ac:fc:74:76:ad:61:d6:10:
         65:bf:a0:2a:8d:04:32:bb:60:74:71:85:a9:96:5f:bb:5e:87:
         32:ad:a7:d3:08:fb:cc:09:35:9e:79:c8:47:a2:ee:63:4e:23:
         fe:c3:11:0a:16:84:8d:17:ea:f6:f2:31:15:d9:d1:26:f6:c0:
         93:32:bd:e0
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

OpenVPN config:

config openvpn 'default'
        option auth 'SHA1'
        option ca '/etc/x509/ca-1-.pem'
        option cert '/etc/x509/client-2ac25b1c6b5444958021851ab473013b.pem'
        option cipher 'none'
        option comp_lzo 'no'
        option dev 'tun0'
        option dev_type 'tun'
        option enabled '1'
        option fast_io '1'
        option float '0'
        option fragment '0'
        option keepalive '10 120'
        option key '/etc/x509/key-2ac25b1c6b5444958021851ab473013b.pem'
        option mode 'p2p'
        option mssfix '1450'
        option mute '0'
        option mute_replay_warnings '0'
        option nobind '1'
        option persist_key '1'
        option persist_tun '1'
        option proto 'udp'
        option pull '1'
        list remote 'openvpn 1194'
        option reneg_sec '0'
        option resolv_retry 'infinite'
        option script_security '1'
        option tls_client '1'
        option tls_timeout '0'
        option verb '3'

(Device hostname: 08-00-27-25-34-89)

Any pointers to understand and tackle the issue are appreciated.

  • The issuer of the certificate is empty. My guess is that this causes the problem. Commented Aug 17, 2019 at 3:33
  • Hello @SteffenUllrich, filling in the details like country code, state, common name etc. put values in my issuer section like: Issuer: C=TS, ST=TS, L=TS, O=Testing, OU=testing/[email protected], CN=testing and the certificate worked. Can you please post this comment as an answer so that I can accept it? Thanks!
    – atb00ker
    Commented Aug 17, 2019 at 6:51

1 Answer

    Issuer: 
    ...
    Subject: CN=08:00:27:6B:52:F3-08-00-27-25-34-89

The issuer is completely empty.

... VERIFY ERROR: depth=1, could not extract X509 subject string from certificate

It looks like OpenVPN cannot deal with an empty issuer.

This is not unexpected, since an empty issuer does not make much sense. Thus, whoever created the CA certificate should make sure that the subject of the CA certificate (and thus the issuer of the issued certificate) actually describes the issuer instead of leaving all the fields (common name, ...) empty.

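The check the answer describes, as an added example that is not part of the original question or answer: a dependency-free Python script that walks the DER of a PEM certificate, renders the issuer and subject the way openssl does, and reports an empty CA subject, an empty client issuer, or a client issuer that does not match the CA subject. The certificates it runs on are constructed inside the script (unsigned, with placeholder keys and a synthetic CA/client pair modelled on the names in this thread), so it runs offline; make_sample_pem, check_pair and the attribute values are my own, not OpenVPN's or OpenSSL's code. It does not verify signatures; use openssl verify for that.

```python
"""Pre-flight name check for an OpenVPN client certificate and its CA.
Minimal DER walker, no third-party modules. Sample certificates below are
constructed here and are NOT signed; they only exercise the name parsing."""
import base64

# X.520 attribute types (plus PKCS#9 emailAddress) as openssl prints them
_ATTR_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU", "1.2.840.113549.1.9.1": "emailAddress",
}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes carry the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Split the content of a constructed type into a list of (tag, body)."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_name(name_content):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as
    'C=TS, O=Testing, CN=testing'. An empty SEQUENCE renders as ''."""
    parts = []
    for _set, rdn in _children(name_content):        # each RDN is a SET
        for _seq, atv in _children(rdn):             # each ATV: SEQUENCE {OID, value}
            (_, oid), (_, value) = _children(atv)
            oid_str = _decode_oid(oid)
            parts.append(f"{_ATTR_NAMES.get(oid_str, oid_str)}={value.decode()}")
    return ", ".join(parts)

def pem_to_der(pem):
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def issuer_and_subject(der):
    """Walk Certificate -> tbsCertificate and return (issuer, subject) strings."""
    _, cert, _ = _read_tlv(der, 0)
    fields = _children(_children(cert)[0][1])        # tbsCertificate is first
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return decode_name(fields[2][1]), decode_name(fields[4][1])

def check_pair(client_pem, ca_pem):
    """List the name problems that would make OpenVPN reject this pair.
    Empty list = names look sane. Signatures are NOT checked here."""
    client_issuer, client_subject = issuer_and_subject(pem_to_der(client_pem))
    _ca_issuer, ca_subject = issuer_and_subject(pem_to_der(ca_pem))
    problems = []
    if not ca_subject:
        problems.append("CA certificate has an empty subject")
    if not client_issuer:
        problems.append("client certificate has an empty issuer")
    if client_issuer != ca_subject:
        problems.append(f"client issuer '{client_issuer}' != CA subject '{ca_subject}'")
    if not client_subject:
        problems.append("client certificate has an empty subject")
    return problems

# ---- constructed, unsigned sample certificates (test data only) ----------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, out)

def _encode_name(rdns):
    """rdns: list of (oid, text). [] yields the empty Name seen in the log."""
    return _tlv(0x30, b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(oid) + _tlv(0x0C, text.encode())))
        for oid, text in rdns))

def make_sample_pem(issuer_rdns, subject_rdns):
    """Syntactically valid v3 certificate with placeholder key and signature."""
    sha256_rsa = _tlv(0x30, _encode_oid("1.2.840.113549.1.1.11") + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"190816000000Z") + _tlv(0x17, b"240814201509Z"))
    spki = _tlv(0x30, _tlv(0x30, _encode_oid("1.2.840.113549.1.1.1") + _tlv(0x05, b""))
                + _tlv(0x03, b"\x00" * 17))                # not a real RSA key
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + _encode_name(issuer_rdns) + validity + _encode_name(subject_rdns) + spki)
    cert = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" * 17))  # dummy signature
    b64 = base64.encodebytes(cert).decode().replace("\n", "")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

CA_RDNS = [("2.5.4.6", "TS"), ("2.5.4.10", "Testing"), ("2.5.4.3", "testing")]
CLIENT_RDNS = [("2.5.4.3", "08:00:27:6B:52:F3-08-00-27-25-34-89")]
BAD_CA, BAD_CLIENT = make_sample_pem([], []), make_sample_pem([], CLIENT_RDNS)      # as in the log
GOOD_CA, GOOD_CLIENT = make_sample_pem(CA_RDNS, CA_RDNS), make_sample_pem(CA_RDNS, CLIENT_RDNS)

if __name__ == "__main__":
    for label, client, ca in (("broken", BAD_CLIENT, BAD_CA), ("fixed", GOOD_CLIENT, GOOD_CA)):
        print(label, issuer_and_subject(pem_to_der(client)), check_pair(client, ca) or "OK")
```

To run it against real files, read the client and CA PEMs from the paths in the uci config (option cert and option ca) and pass them to check_pair; a non-empty result is the condition the answer points at, and an empty result still says nothing about the signature chain, which openssl verify -CAfile covers.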