client certificate renewal -> "client-provided SSL certs unexpectedly changed during mid-session reauth"

Scripts to manage certificates or generate config files


tgsbn
OpenVpn Newbie
Posts: 10
Joined: Mon Jan 10, 2022 1:11 pm

Re: client certificate renewal -> "client-provided SSL certs unexpectedly changed during mid-session reauth"

Post by tgsbn » Fri Jan 21, 2022 12:00 pm

Looks good!
I added the line

explicit-exit-notify 1
to testwadiya's client.conf, and couldn't reproduce the problem with that configuration.
After another certificate renewal and reboot the tunnel came up fine:

Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 TLS: Initial packet from [AF_INET]cli.ent.ip.addr:1194, sid=ae58e23f 212c3bed
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 VERIFY OK: depth=1, C=deleted
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 VERIFY OK: depth=0, C=deleted
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_VER=2.4.7
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_PLAT=linux
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_PROTO=2
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_NCP=2
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_LZ4=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_LZ4v2=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_LZO=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_COMP_STUB=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_COMP_STUBv2=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 peer info: IV_TCPNL=1
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: cli.ent.ip.addr:1194 [testwadiya.africa.a-net.de] Peer Connection Initiated with [AF_INET]cli.ent.ip.addr:1194
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 OPTIONS IMPORT: reading client specific options from: ccd/testwadiya.africa.a-net.de
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: Learn: 10.87.72.131 -> testwadiya.africa.a-net.de/cli.ent.ip.addr:1194
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: primary virtual IP for testwadiya.africa.a-net.de/cli.ent.ip.addr:1194: 10.87.72.131
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: internal route 10.72.131.0/24 -> testwadiya.africa.a-net.de/cli.ent.ip.addr:1194
Jan 21 10:39:24 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 MULTI: Learn: 10.72.131.0/24 -> testwadiya.africa.a-net.de/cli.ent.ip.addr:1194
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 PUSH: Received control message: 'PUSH_REQUEST'
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 SENT CONTROL [testwadiya.africa.a-net.de]: 'PUSH_REPLY,route 10.103.0.0 255.255.0.0,route 10.102.0.0 255.255.0.0,<deleted>,push-continuation 2' (status=1)
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 SENT CONTROL [testwadiya.africa.a-net.de]: 'PUSH_REPLY,<deleted>,topology p2p,ping 60,ping-restart 240,ifconfig 10.87.72.131 10.87.0.1,peer-id 5,cipher AES-256-GCM,push-continuation 1' (status=1)
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Jan 21 10:39:25 s-laugz2ovpn02 openvpn[736]: testwadiya.africa.a-net.de/cli.ent.ip.addr:1194 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
I don't see any downside to that setting, so I'll stage it for rollout to the production clients and watch whether it fixes the problem reliably.

Thanks so far!
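The two things this post does by hand, checking that client.conf carries explicit-exit-notify and reading the server log after the next renewal to see that both chain depths verify and the control channel comes up, can be scripted. The following is an added example, not code from the poster or from the OpenVPN project. It assumes the explicit-exit-notify option is only honoured in UDP mode (as the OpenVPN manual documents), matches the "client-provided SSL certs unexpectedly changed during mid-session reauth" message from the thread title as a substring, and uses constructed configs, log lines, hostnames and addresses modelled on the ones above.

```python
"""Added example, not from the forum post or from OpenVPN: two checks around a
client certificate renewal.  audit_client_conf() flags a client.conf that lacks
the explicit-exit-notify setting the thread arrived at (or pairs it with proto
tcp, where OpenVPN only honours it in UDP mode); scan_server_log() summarises
OpenVPN server log lines per peer and flags the "certs unexpectedly changed
during mid-session reauth" message.  Configs, log lines, names and addresses
below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field

# Message from the thread title, matched as a substring so any prefix
# OpenVPN prints in front of it is still caught.
REAUTH_MSG = "client-provided SSL certs unexpectedly changed during mid-session reauth"

# "... openvpn[736]: <peer tag> <message>"; the tag is "ip:port" before the
# common name is known and "cn/ip:port" afterwards.
LOG_RE = re.compile(r"openvpn\[\d+\]: (?P<tag>\S+) (?P<msg>.*)$")


def _parse_conf(text):
    """Return {option: [args]} for an OpenVPN config; last occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # OpenVPN comment lines
            continue
        parts = line.split()
        opts[parts[0]] = parts[1:]
    return opts


def audit_client_conf(text):
    """Return a list of findings for a client config; empty list means fine."""
    opts = _parse_conf(text)
    proto = "udp"  # OpenVPN's default when neither --proto nor a remote proto is set
    if opts.get("proto"):
        proto = opts["proto"][0]
    elif len(opts.get("remote", [])) >= 3:
        proto = opts["remote"][2]  # "remote host port proto" form
    findings = []
    if "explicit-exit-notify" not in opts:
        findings.append("explicit-exit-notify missing: the server is not told the "
                        "old session is gone when the client restarts after renewal")
    elif proto.startswith("tcp"):
        findings.append(f"explicit-exit-notify is only honoured in UDP mode; "
                        f"it has no effect with proto {proto}")
    return findings


@dataclass
class Session:
    peer: str
    common_name: str = ""
    verified_depths: set = field(default_factory=set)
    control_channel: str = ""
    data_cipher: str = ""
    errors: list = field(default_factory=list)

    def healthy(self):
        """Leaf cert verified, control channel negotiated, nothing went wrong."""
        return 0 in self.verified_depths and bool(self.control_channel) and not self.errors


def scan_server_log(lines):
    """Group server log lines by peer address and summarise each session."""
    sessions = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tag, msg = m.group("tag"), m.group("msg")
        cn, _, peer = tag.rpartition("/")  # "cn/ip:port" and "ip:port" are one session
        s = sessions.setdefault(peer, Session(peer))
        if cn:
            s.common_name = cn
        if (d := re.match(r"VERIFY OK: depth=(\d+)", msg)):
            s.verified_depths.add(int(d.group(1)))
        elif msg.startswith("VERIFY ERROR") or REAUTH_MSG in msg:
            s.errors.append(msg)
        elif msg.startswith("Control Channel: "):
            s.control_channel = msg[len("Control Channel: "):]
        elif (i := re.search(r"\[([^\]]+)\] Peer Connection Initiated", msg)):
            s.common_name = i.group(1)
        elif (c := re.search(r"Data Channel: using negotiated cipher '([^']+)'", msg)):
            s.data_cipher = c.group(1)
    return sessions


# Constructed samples modelled on the thread's client.conf and server log.
CLIENT_CONF_BEFORE = "client\ndev tun\nproto udp\nremote vpn.example.net 1194\ncert client.crt\nkey client.key\n"
CLIENT_CONF_AFTER = CLIENT_CONF_BEFORE + "explicit-exit-notify 1\n"
CLIENT_CONF_TCP = "client\nproto tcp-client\nremote vpn.example.net 443\nexplicit-exit-notify 1\n"

SAMPLE_LOG = """\
Jan 21 10:39:24 vpnsrv openvpn[736]: 203.0.113.10:1194 VERIFY OK: depth=1, C=XX, O=Example CA
Jan 21 10:39:24 vpnsrv openvpn[736]: 203.0.113.10:1194 VERIFY OK: depth=0, C=XX, CN=client-a.example
Jan 21 10:39:24 vpnsrv openvpn[736]: 203.0.113.10:1194 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 4096 bit RSA
Jan 21 10:39:24 vpnsrv openvpn[736]: 203.0.113.10:1194 [client-a.example] Peer Connection Initiated with [AF_INET]203.0.113.10:1194
Jan 21 10:39:25 vpnsrv openvpn[736]: client-a.example/203.0.113.10:1194 Data Channel: using negotiated cipher 'AES-256-GCM'
Jan 21 11:02:10 vpnsrv openvpn[736]: client-b.example/198.51.100.7:1194 VERIFY OK: depth=1, C=XX, O=Example CA
Jan 21 11:02:10 vpnsrv openvpn[736]: client-b.example/198.51.100.7:1194 VERIFY OK: depth=0, C=XX, CN=client-b.example
Jan 21 11:02:10 vpnsrv openvpn[736]: client-b.example/198.51.100.7:1194 TLS Error: client-provided SSL certs unexpectedly changed during mid-session reauth
"""

if __name__ == "__main__":
    for name, conf in (("before", CLIENT_CONF_BEFORE), ("after", CLIENT_CONF_AFTER), ("tcp", CLIENT_CONF_TCP)):
        print(f"client.conf ({name}):", audit_client_conf(conf) or "ok")
    for s in scan_server_log(SAMPLE_LOG.splitlines()).values():
        print(s.common_name, s.peer, "healthy" if s.healthy() else "NEEDS ATTENTION", s.errors)
```

Run against a real server log, the second session in the sample is the case this thread is about: a client whose certificate was verified fine at both depths, but whose session never reaches a new control channel because the server still holds the old session and rejects the renewed certificate as a mid-session change. The config audit is what to run over the staged client configs before rollout; a client that connects over TCP will not be helped by the option.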

tgsbn
OpenVpn Newbie
Posts: 10
Joined: Mon Jan 10, 2022 1:11 pm

Re: client certificate renewal -> "client-provided SSL certs unexpectedly changed during mid-session reauth"

Post by tgsbn » Mon Jan 31, 2022 8:15 pm

Confirmed. The setting reliably avoids the problem, with no ill side effects.
Thanks again!
