OpenVPN ssl VERIFY ERROR: depth=0, error=certificate signature failure in TI am335x-evm platform

Tags: openssl, openvpn, rsa

I am trying to port the OpenVPN client (2.3.8) to an ARM embedded device. After setting up cross compilation I was able to run it on the ARM board; somehow, when I launch openvpn on the ARM board, it shows the error: VERIFY ERROR: depth=0, error=certificate signature. Below is the ARM OpenVPN client log:

root@am335x-evm:~# ./openvpn client25.conf 
Fri Sep 25 09:51:06 2015 OpenVPN 2.3.8 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH] [IPv6] built on Sep 25 2015
Fri Sep 25 09:51:06 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.06
Fri Sep 25 09:51:06 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Sep 25 09:51:06 2015 WARNING: file '/home/root/client1.key' is group or others accessible
Fri Sep 25 09:51:06 2015 Socket Buffers: R=[163840->131072] S=[163840->131072]
Fri Sep 25 09:51:06 2015 UDPv4 link local: [undef]
Fri Sep 25 09:51:06 2015 UDPv4 link remote: [AF_INET]192.168.87.25:1194
Fri Sep 25 09:51:06 2015 TLS: Initial packet from [AF_INET]192.168.87.25:1194, sid=b7b62cd9 973685ba
Fri Sep 25 09:51:06 2015 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, emailAddress=james.ck.chien@foxconn.com
Fri Sep 25 09:51:06 2015 VERIFY ERROR: depth=0, error=certificate signature failure: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=IOT, name=EasyRSA, emailAddress=james.ck.chien@foxconn.com
Fri Sep 25 09:51:06 2015 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:lib(20):func(144):reason(134)
Fri Sep 25 09:51:06 2015 TLS Error: TLS object -> incoming plaintext read error
Fri Sep 25 09:51:06 2015 TLS Error: TLS handshake failed
Fri Sep 25 09:51:06 2015 SIGUSR1[soft,tls-error] received, process restarting
Fri Sep 25 09:51:06 2015 Restart pause, 2 second(s)

The OpenVPN server (2.3.8) was installed on an Ubuntu 14.04 desktop; all the client/server certificates were generated with easy-rsa on this desktop.

I have tried the same ca.crt, client.crt and client.key; they work fine in another OpenVPN client installed on an Ubuntu Linux desktop.

Somehow, for some reason, it is not working in the embedded ARM OpenVPN client.

Attached are the ca.crt and client1.crt dumps. I have also tried "openssl verify" on my embedded ARM board, but it fails with "error 7 at 0 depth lookup:certificate signature failure". The detailed log is below:

root@am335x-evm:~# openssl
OpenSSL> version
OpenSSL 1.0.1m 19 Mar 2015
OpenSSL>quit
root@am335x-evm:~# openssl x509 -in ca.crt -text       
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            e5:16:7f:96:50:e9:bf:e4
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
        Validity
            Not Before: Sep 25 08:00:49 2015 GMT
            Not After : Sep 22 08:00:49 2025 GMT
        Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d3:3a:be:b8:cf:91:e1:00:0e:20:0e:76:31:bd:
                    e6:64:f3:e1:2a:60:d6:d3:d7:3c:d8:e1:30:0e:21:
                    a7:7c:b7:26:e2:9d:96:dd:d0:2d:26:f2:1c:ce:cf:
                    38:71:5a:24:91:3c:84:9a:2d:44:23:2e:98:38:9b:
                    ea:70:a5:24:75:57:a4:f4:2f:16:67:50:0c:28:b5:
                    0e:71:c3:5b:76:a7:0b:eb:cd:cc:34:39:f4:9b:74:
                    16:40:4b:5c:94:43:07:ef:aa:03:28:03:6b:c8:26:
                    d5:54:8f:e1:2e:4b:67:39:4b:5c:6a:64:e6:28:d8:
                    7a:62:75:7c:68:f3:b5:44:eb:2a:ef:ba:a8:38:70:
                    2e:c1:02:ac:ff:60:b2:65:73:28:5b:93:02:67:1e:
                    24:f2:f2:aa:89:b0:59:58:ca:d1:37:59:ec:2f:2f:
                    9e:76:d7:02:a6:04:02:1c:54:a2:77:5a:34:8d:1b:
                    b9:68:4f:0a:3c:6f:90:8b:f3:bd:fb:4d:4f:fb:86:
                    21:bc:ee:5e:1e:72:93:7d:41:3c:d0:39:a4:89:c7:
                    da:75:10:2c:8a:b0:1d:d5:65:19:a1:a1:2e:22:3f:
                    ba:15:63:be:29:c0:08:db:52:12:bd:e6:33:2a:37:
                    c7:34:a1:be:71:df:62:aa:1d:20:24:df:95:02:d9:
                    79:f3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
            X509v3 Authority Key Identifier: 
                keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
                DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
                serial:E5:16:7F:96:50:E9:BF:E4

            X509v3 Basic Constraints: 
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         9b:b1:70:52:0a:8e:b7:79:a1:a3:ee:3a:65:96:e6:5e:82:af:
         cd:6e:8f:92:f8:b8:2c:70:dd:28:ee:5d:c1:ce:71:fd:a2:d8:
         f8:fa:75:49:c9:2a:ff:2a:e2:4f:d8:42:b8:d7:e1:aa:ec:b5:
         80:2b:61:a1:c5:49:9e:4d:4b:8d:0c:95:54:7b:32:59:ee:03:
         f4:ca:f6:a8:e9:72:d2:23:37:ef:33:1e:17:68:ec:19:45:86:
         ab:b7:27:01:f6:b2:1f:cd:74:8a:97:16:48:ca:90:35:fa:05:
         73:10:0a:9b:d5:4a:b5:43:80:f2:b9:7f:1e:44:69:12:f8:20:
         0d:18:05:6e:37:17:a4:42:1f:37:cb:00:79:1b:5f:07:ca:80:
         08:30:8a:c9:bc:eb:7d:db:e2:43:2a:5c:2b:aa:97:7f:02:32:
         c9:61:06:ca:1b:1e:d6:a9:77:60:48:78:ca:2d:b0:80:00:06:
         2d:b8:44:41:62:fc:9b:08:3b:8e:93:5f:df:50:1f:e1:2e:fb:
         47:47:e6:35:3d:3d:6b:c5:2b:8f:7d:ab:ab:0f:31:77:56:45:
         af:fc:d1:34:61:66:13:ab:68:4b:f1:59:28:7f:e7:8c:65:a2:
         c2:43:f6:0f:50:d7:a3:c7:e0:38:f0:fd:c5:00:de:67:a8:2c:
         0d:c8:39:40
root@am335x-evm:~# 
root@am335x-evm:~# openssl x509 -in client1.crt -text      
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
        Validity
            Not Before: Sep 25 08:02:05 2015 GMT
            Not After : Sep 22 08:02:05 2025 GMT
        Subject: C=TW, ST=TW, L=Taipei, O=Foxconn, OU=IOT, CN=client1/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:d8:24:7b:96:89:a8:09:fa:36:21:03:47:a8:30:
                    64:e6:42:06:5f:4b:e3:e2:f9:4a:b7:ea:77:d3:90:
                    f3:7e:b3:78:d0:d2:c6:29:a7:06:c6:cb:9a:57:44:
                    31:b8:55:22:4c:18:cc:30:5b:57:f1:3b:e4:fc:55:
                    21:a0:32:06:2a:b0:ec:d3:84:62:b2:2a:c2:7b:79:
                    1b:61:27:70:74:4d:d5:e8:2a:16:37:e9:17:7a:94:
                    77:07:c6:dd:84:d8:86:47:ab:ac:5c:a3:8d:c2:81:
                    57:da:96:54:ba:18:b5:f0:d6:14:41:3b:93:83:ff:
                    a7:8b:71:42:52:a2:47:a3:8b:05:b2:38:4e:97:d5:
                    ec:21:e8:e3:4d:ca:dd:31:c3:6c:67:11:ce:a6:0e:
                    9c:05:18:56:35:df:a7:6d:94:1a:1f:d9:e9:49:5b:
                    28:bd:79:71:3a:0d:24:42:16:7b:d5:b1:95:a3:20:
                    c0:d3:a8:e9:50:6a:1f:1d:c5:bf:3f:d4:d8:46:80:
                    29:1c:b2:31:f4:f7:bc:5d:43:04:fc:98:10:ed:eb:
                    f1:c1:fd:9f:3e:b6:16:27:74:a6:71:61:84:8f:24:
                    5d:14:65:ad:be:4f:c4:6c:3f:b6:79:fc:56:b6:cd:
                    a3:67:0e:c3:c6:28:79:da:6f:b2:97:01:68:7b:fb:
                    5e:59
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                Easy-RSA Generated Certificate
            X509v3 Subject Key Identifier: 
                99:7E:D4:CA:CD:16:25:A0:37:6F:6B:DB:7C:79:45:5F:28:01:F8:19
            X509v3 Authority Key Identifier: 
                keyid:82:ED:78:18:DC:57:6E:B3:AA:0F:1E:B6:0A:14:34:5E:8E:14:93:25
                DirName:/C=TW/ST=TW/L=Taipei/O=Foxconn/OU=IOT/CN=server25-CA/name=EasyRSA/emailAddress=james.ck.chien@foxconn.com
                serial:E5:16:7F:96:50:E9:BF:E4

            X509v3 Extended Key Usage: 
                TLS Web Client Authentication
            X509v3 Key Usage: 
                Digital Signature
            X509v3 Subject Alternative Name: 
                DNS:client1
    Signature Algorithm: sha256WithRSAEncryption
         2d:7c:69:74:97:26:62:b3:ed:8a:e9:ea:43:ec:43:a7:bb:aa:
         37:6f:65:ca:60:89:ef:0e:ba:2e:65:66:b7:5b:ca:9a:68:5d:
         62:e1:eb:d6:2a:e1:56:53:00:4b:61:b3:6c:f7:09:2a:4a:35:
         34:92:87:7e:0a:a9:45:22:9c:af:31:dd:c9:8e:16:de:d0:2a:
         4a:aa:ad:c3:20:2a:34:fd:12:73:3d:50:12:b6:34:ef:07:34:
         60:15:03:b4:92:04:cf:19:4e:d5:7b:ce:37:9d:f3:9c:61:22:
         e3:f6:bb:50:4f:5d:a5:cc:e7:cd:66:e0:c7:09:7b:84:fe:d1:
         87:e4:f8:34:7c:0e:81:34:d6:ff:81:82:b9:cc:a8:da:bf:00:
         cf:05:93:66:81:f7:ee:a2:26:14:06:53:33:5e:ed:97:47:04:
         d0:a7:58:c7:86:ff:dc:28:3d:13:c9:b5:e3:5a:1e:e2:95:c4:
         22:71:b9:04:59:ad:c0:1c:f2:2d:cf:35:c2:02:2d:df:cc:9d:
         25:85:97:6b:15:39:30:c7:aa:2e:ee:30:96:ad:f4:3f:04:53:
         f3:7d:6c:15:64:eb:cd:23:05:ba:3a:18:a6:e4:e1:ea:8f:0d:
         89:0e:22:72:91:d3:78:1b:5f:4e:57:f7:c9:b3:5c:32:ab:1d:
         f1:6c:49:95
root@am335x-evm:~# 
root@am335x-evm:~# openssl verify -verbose -CAfile ca.crt client1.crt
client1.crt: C = TW, ST = TW, L = Taipei, O = Foxconn, OU = IOT, CN = client1, name = EasyRSA, emailAddress = james.ck.chien@foxconn.com
error 7 at 0 depth lookup:certificate signature failure
3067647712:error:04091068:rsa routines:INT_RSA_VERIFY:bad signature:rsa_sign.c:290:
3067647712:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:218:
root@am335x-evm:~# 

With the same files and the same openssl verify command, the OpenVPN server (Ubuntu desktop) and another OpenVPN client (Ubuntu desktop) work fine.

Searching the internet, it might be caused by the default_md setting in easy-rsa, so I have tried changing default_md to md5, sha1 and sha256. I tried them all but all fail; I am still getting the same error.

Can anyone suggest why openssl on my ARM board fails to verify the certificate, or anything additional I should check? I have already been stuck on this for some hours; I appreciate your help!

Best Regards
james

Best Answer

Finally, I found this was a TI am335x-evm openssl library issue. Currently I have worked around the issue by porting my own openssl library; I have tried both 1.0.1g and 1.0.1p and both work well, and OpenVPN now works as expected. BTW, I have already opened a ticket with TI via

https://e2e.ti.com/support/arm/sitara_arm/f/791/t/455089

And per TI, this issue should be fixed in the latest SDK V01.00.00.03; I just tried and confirmed the latest TI SDK doesn't have the issue, thanks.

Best Regards James
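As an added example, not part of the question or the answer: a POSIX sh diagnostic that separates "the client cert was not issued by this ca.crt" from "this openssl build cannot verify RSA signatures at all", using only the openssl command line. The helper names and the throwaway PKI it constructs are my own assumptions, not anything from OpenVPN, easy-rsa or the TI SDK.

```shell
# Added diagnostic; helper names are mine, not from the post, OpenVPN or easy-rsa.
# Three independent questions, all answered by the same openssl binary the board uses.

# 1. Does the leaf's Authority Key Identifier equal the CA's Subject Key
#    Identifier?  In the post they match, so the client really was issued by
#    that ca.crt and the "signature failure" cannot be a wrong-CA problem.
aki_matches_ski() {
    ski=$(openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/ {getline; gsub(/ /, ""); print; exit}')
    aki=$(openssl x509 -in "$2" -noout -text |
        awk '/Authority Key Identifier/ {getline; gsub(/ /, ""); sub(/^keyid:/, ""); print; exit}')
    [ -n "$ski" ] && [ "$ski" = "$aki" ]
}

# 2. The chain check OpenVPN performs (error 7 = certificate signature failure).
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 3. Sign/verify round trip on a fresh key.  Failing here while the desktop passes
#    means the library's RSA verify path is broken (the accepted answer's finding).
rsa_selftest() {
    t=$(mktemp -d) || return 1
    openssl genrsa -out "$t/k.pem" 2048 >/dev/null 2>&1 &&
    openssl rsa -in "$t/k.pem" -pubout -out "$t/pub.pem" 2>/dev/null &&
    printf 'constructed test message\n' >"$t/msg" &&
    openssl dgst -sha256 -sign "$t/k.pem" -out "$t/sig" "$t/msg" &&
    openssl dgst -sha256 -verify "$t/pub.pem" -signature "$t/sig" "$t/msg" >/dev/null 2>&1 &&
    printf 'tampered\n' >>"$t/msg" &&
    ! openssl dgst -sha256 -verify "$t/pub.pem" -signature "$t/sig" "$t/msg" >/dev/null 2>&1
    rc=$?; rm -rf "$t"; return $rc
}

# Constructed sample PKI (throwaway CA plus one client cert) written into $1;
# on the board, point the checks at ca.crt and client1.crt instead.
make_sample_pki() {
    printf 'basicConstraints=CA:TRUE\nsubjectKeyIdentifier=hash\n' >"$1/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' >"$1/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=test-CA -keyout "$1/ca.key" -out "$1/ca.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -extfile "$1/ca.ext" -sha256 -days 1 -out "$1/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=client1 -keyout "$1/client1.key" -out "$1/client1.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/client1.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -set_serial 2 -extfile "$1/leaf.ext" -sha256 -days 1 -out "$1/client1.crt" 2>/dev/null
}

run_checks() {
    pki=$(mktemp -d) && make_sample_pki "$pki" || return 1
    aki_matches_ski "$pki/ca.crt" "$pki/client1.crt" && echo "AKI matches CA SKI" || echo "AKI mismatch: wrong CA"
    verify_chain "$pki/ca.crt" "$pki/client1.crt" && echo "verify OK" || echo "verify FAILED"
    rsa_selftest && echo "RSA sign/verify OK" || echo "RSA verify broken in this openssl build"
    rm -rf "$pki"
}
run_checks
```

On the board in the post, the expected pattern is check 1 passing and checks 2 and 3 both failing; a wrong ca.crt would instead fail check 1 and pass check 3.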