Gentoo Forums
Forum Index > Networking & Security
Outdated certificate?

Blind_Sniper (Guru, joined 20 Apr 2018, 340 posts)
Posted: Sat Mar 18, 2023 10:07 am    Post subject: Outdated certificate?

Hi there!

Just yesterday it worked fine, but today I can't start openvpn:

Code:
$ sudo openvpn --config vpngate_126.4.181.139_udp_1985.ovpn
2023-03-18 13:02:02 DEPRECATED OPTION: --cipher set to 'AES-128-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-128-CBC' to --data-ciphers or change --cipher 'AES-128-CBC' to --data-ciphers-fallback 'AES-128-CBC' to silence this warning.
2023-03-18 13:02:02 OpenVPN 2.5.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 18 2023
2023-03-18 13:02:02 library versions: OpenSSL 1.1.1t  7 Feb 2023, LZO 2.10
2023-03-18 13:02:02 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
2023-03-18 13:02:02 TCP/UDP: Preserving recently used remote address: [AF_INET]126.4.181.139:1985
2023-03-18 13:02:02 Socket Buffers: R=[212992->212992] S=[212992->212992]
2023-03-18 13:02:02 UDP link local: (not bound)
2023-03-18 13:02:02 UDP link remote: [AF_INET]126.4.181.139:1985
2023-03-18 13:02:03 TLS: Initial packet from [AF_INET]126.4.181.139:1985, sid=875d51e0 8b4abe36
2023-03-18 13:02:03 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-03-18 13:02:03 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-03-18 13:02:03 VERIFY ERROR: depth=0, error=certificate has expired: CN=opengw.net, serial=270090734479764202226505740823661288419396
2023-03-18 13:02:03 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
2023-03-18 13:02:03 TLS_ERROR: BIO read tls_read_plaintext error
2023-03-18 13:02:03 TLS Error: TLS object -> incoming plaintext read error
2023-03-18 13:02:03 TLS Error: TLS handshake failed
2023-03-18 13:02:03 SIGUSR1[soft,tls-error] received, process restarting
2023-03-18 13:02:03 Restart pause, 5 second(s)


It seems the certificate has expired, so I updated it as described in the Gentoo wiki (update-ca-certificates), rebooted and re-ran openvpn. Same error. I tried reinstalling the certificates as well (emerge --oneshot app-misc/ca-certificates).
What's wrong with my certificates? Yesterday it worked...
_________________
GNU is Not Usable

madmin (n00b, joined 04 Nov 2018, 26 posts)
Posted: Sat Mar 18, 2023 11:12 am

Hey,

Warning:
First, you should anonymize the command you launched, as it currently shows your server IP address, the port number and the protocol used.
The same goes for the text returned by your command.

Now, your issue.
A certificate issue can be due to a lack of cryptographic binaries (perhaps named ciphers), a discrepancy between server and client configuration (some ciphers used by one side may be refused by the other side) and, more generally, to an expired certificate.

The simplest is to check whether the certificate has expired, so:
By opening the ovpn file, your client certificate should be shown. You can extract that certificate and check its validity using openssl.

Extraction: the certificate format shall be looking like that:
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----

Simply copy all that data, including both lines "BEGIN CERTIFICATE" & "END CERTIFICATE", and put it into a file.

Check:
Code:
openssl x509 -text -noout -in /path/to/extracted_cert.crt


Look for "Validity" information in the result of that command.

Cheers
Blind_Sniper (Guru, joined 20 Apr 2018, 340 posts)
Posted: Sat Mar 18, 2023 11:34 am

I forgot to say that this error occurs with every VPN server I try to connect to, so it's not a server certificate issue. I've extracted the cert from the ovpn and checked it:
Code:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            12:34:12:34:12:34:12:34:12:34:12:34:12:34:12:34
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Jun  4 11:04:38 2015 GMT
            Not After : Jun  4 11:04:38 2035 GMT
        Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption


It shows that the expiration date is Jun 04 2035. So I think I have an issue with local certificates, though I updated them and, moreover, reinstalled them all.

hdcg (Tux's lil' helper, joined 07 Apr 2013, 120 posts)
Posted: Sat Mar 18, 2023 11:57 am

Hi Blind_Sniper,

The SSL error is due to the server certificate. You checked the root certificate.

Code:
2023-03-18 13:02:03 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1
2023-03-18 13:02:03 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3
2023-03-18 13:02:03 VERIFY ERROR: depth=0, error=certificate has expired: CN=opengw.net, serial=270090734479764202226505740823661288419396

Looks like the Let's Encrypt issued certificate was not updated on the server.

Best Regards,
Holger

Blind_Sniper (Guru, joined 20 Apr 2018, 340 posts)
Posted: Sat Mar 18, 2023 12:37 pm

Quote:
Looks like the Let's Encrypt issued certificate was not updated on the server.

I tried 18 different servers from the USA, Germany, Japan, Korea, Vietnam, Thailand and Australia.
Do they all use the same certificate?

And what should I do to solve my issue?

hdcg (Tux's lil' helper, joined 07 Apr 2013, 120 posts)
Posted: Sat Mar 18, 2023 1:28 pm

Get in touch with them. It would be good to know why they are not updating their software stack. The normal lifetime for Let's Encrypt certificates is 90 days.

I checked some servers from their homepage and it looks like they generally suffer from this.

Code:
> openssl s_client -connect vpn431396938.opengw.net:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = opengw.net
verify error:num=10:certificate has expired
notAfter=Mar 18 06:48:33 2023 GMT
verify return:1


A look at their forum confirms this too: https://forum.vpngate.net/viewtopic.php?f=11&t=68210

Best Regards,
Holger

Blind_Sniper (Guru, joined 20 Apr 2018, 340 posts)
Posted: Sat Mar 18, 2023 1:35 pm

Yeah, I found that topic and bookmarked it already; I'm waiting for any info from there.

ritzmax72 (Tux's lil' helper, joined 10 Aug 2014, 82 posts)
Posted: Wed Apr 05, 2023 7:11 am

Do a system update, which updates the certificates as well.

Hu (Moderator, joined 06 Mar 2007, 21619 posts)
Posted: Wed Apr 05, 2023 11:45 am

System updates might update the certificate authority list. The problem reported here appears to be that the end site certificate expired, and was not replaced before its expiration. A system update will not help with that, because it is an error on the server.
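The distinction hdcg and Hu draw, turned into a triage check, as an added example that is not part of the thread: the depth at which verification fails decides whether the local trust store is even involved. Depth 0 is the server's own end-entity certificate, which no CA-store refresh can change; depth 1 and above are issuer certificates, which the local bundle supplies. The parser assumes the two output formats shown in this thread (OpenVPN's `VERIFY OK/ERROR` lines and `openssl s_client`'s `depth=N` / `verify error:` lines); the function names and the depth=2 failure line are constructed for the example.

```python
"""Added example (not from the thread): classify a TLS verify failure by chain
depth, from either an OpenVPN log or 'openssl s_client' output."""
import re

OPENVPN_VERIFY_RE = re.compile(
    r"VERIFY (?P<result>OK|ERROR): depth=(?P<depth>\d+), "
    r"(?:error=(?P<error>[^:]+): )?(?P<subject>.*)$")
SCLIENT_DEPTH_RE = re.compile(r"^depth=(?P<depth>\d+) (?P<subject>.*)$")
SCLIENT_ERROR_RE = re.compile(r"^verify error:num=\d+:(?P<error>.*)$")


def parse_openvpn_log(lines):
    """One event dict per 'VERIFY OK/ERROR' line in an OpenVPN log."""
    events = []
    for line in lines:
        m = OPENVPN_VERIFY_RE.search(line)
        if m:
            events.append({"depth": int(m["depth"]), "result": m["result"],
                           "error": m["error"], "subject": m["subject"]})
    return events


def parse_s_client(lines):
    """Same event shape from 'openssl s_client' verify output.

    s_client prints 'depth=N subject' first and any 'verify error:...' for
    that element on a following line, so the current depth is carried forward.
    """
    events, current = [], None
    for line in lines:
        line = line.strip()
        m = SCLIENT_DEPTH_RE.match(line)
        if m:
            current = {"depth": int(m["depth"]), "result": "OK",
                       "error": None, "subject": m["subject"]}
            events.append(current)
            continue
        m = SCLIENT_ERROR_RE.match(line)
        if m and current is not None:
            current["result"], current["error"] = "ERROR", m["error"]
    return events


def triage(events):
    """(verdict, explanation) for a list of verify events."""
    failed = [e for e in events if e["result"] == "ERROR"]
    if not failed:
        return "chain-ok", "every chain element verified; the failure is elsewhere"
    e = failed[0]
    if e["depth"] == 0:
        return "server-cert", (
            f"the server's own certificate failed: {e['error']} ({e['subject']}). "
            "A local CA-store update cannot fix this; the server operator has to renew it.")
    return "ca-store", (
        f"an issuer certificate at depth {e['depth']} failed: {e['error']} ({e['subject']}). "
        "That element comes from the local trust store; refresh it "
        "(update-ca-certificates / emerge --oneshot app-misc/ca-certificates) and retry.")


# Sample input: the verify lines from the first post and from hdcg's s_client run.
OPENVPN_LOG = [
    "2023-03-18 13:02:03 VERIFY OK: depth=2, C=US, O=Internet Security Research Group, CN=ISRG Root X1",
    "2023-03-18 13:02:03 VERIFY OK: depth=1, C=US, O=Let's Encrypt, CN=R3",
    "2023-03-18 13:02:03 VERIFY ERROR: depth=0, error=certificate has expired: CN=opengw.net, serial=270090734479764202226505740823661288419396",
]
S_CLIENT_OUTPUT = [
    "CONNECTED(00000003)",
    "depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1",
    "verify return:1",
    "depth=1 C = US, O = Let's Encrypt, CN = R3",
    "verify return:1",
    "depth=0 CN = opengw.net",
    "verify error:num=10:certificate has expired",
    "notAfter=Mar 18 06:48:33 2023 GMT",
    "verify return:1",
]
# Constructed counter-example: the failure sits at the root, i.e. in the local bundle.
CONSTRUCTED_CA_FAILURE = [
    "2023-03-18 13:02:03 VERIFY ERROR: depth=2, error=certificate has expired: C=US, O=Example Root CA, CN=Example Root",
]

if __name__ == "__main__":
    for name, events in (("openvpn log", parse_openvpn_log(OPENVPN_LOG)),
                         ("s_client", parse_s_client(S_CLIENT_OUTPUT)),
                         ("constructed root failure", parse_openvpn_log(CONSTRUCTED_CA_FAILURE))):
        verdict, why = triage(events)
        print(f"{name}: {verdict}: {why}")
```

Both real inputs from the thread come out as `server-cert`, which is why the poster's `update-ca-certificates` and re-emerge of app-misc/ca-certificates changed nothing; only the constructed depth=2 line lands in the `ca-store` branch where those steps would apply.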