Certificate renewed but openVPN client displays invalid certificate ?

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 12:23 pm

Hello everyone,

After expiration of the certificate I proceed to a successful renewal.
Only when I try to connect my OpenVPN client shows that the certificate has expired.

I compared my certificates and nothing differs.

All network clients have the same problem.

Do you have an idea ?

Here is what the log displays :

Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Jun 22 13:54:29 2020 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun 22 13:54:29 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Jun 22 13:54:29 2020 TLS Error: TLS handshake failed

Best regards,
--
Terranon
Last edited by Pippin on Mon Jun 22, 2020 12:52 pm, edited 1 time in total.
Reason: Formatting

TinCanTech
OpenVPN Protagonist
Posts: 7389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Mon Jun 22, 2020 1:10 pm

Terranon wrote: Mon Jun 22, 2020 12:23 pm
> After expiration of the certificate I proceed to a successful renewal

It would appear to be not so successful .. how did you renew ?

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 2:01 pm

Yes the VPN server did not display any error message when renewing the certificate
The VPN server is on a Synology NAS.

The renewal procedure is available through the Synology GUI:
Select: Renew the certificate, then Next

TinCanTech
OpenVPN Protagonist
Posts: 7389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Mon Jun 22, 2020 3:10 pm

I believe it is the client certificate which has expired.

Pippin
Forum Team
Posts: 799
Joined: Wed Jul 01, 2015 8:03 am

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Pippin » Mon Jun 22, 2020 5:37 pm

IIUC the certificate changed, you have to re-export the client configuration in OpenVPN Server (in DSM).

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 6:02 pm

I would have liked, but the versions of the certificate are identical on both sides.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 6:09 pm

Hello Pippin,
Re-export the client configuration in OpenVPN Server (in DSM) ? I look at this.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 6:37 pm

Sorry Pippin,
I don't see how to import the client configuration into the DSM.

Pippin
Forum Team
Posts: 799
Joined: Wed Jul 01, 2015 8:03 am

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Pippin » Mon Jun 22, 2020 6:48 pm

You need to re-import that into your client.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 7:08 pm

Export the client configuration from DSM and import the files into the client configuration.
Yes, I already did this Pippin before opening my ticket on the forum.
I also restarted the VPN server as well as the DSM, but that didn't change anything.

TinCanTech
OpenVPN Protagonist
Posts: 7389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Mon Jun 22, 2020 7:40 pm

Looking again:

Terranon wrote: Mon Jun 22, 2020 12:23 pm
> Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194

So this is the client log

Terranon wrote: Mon Jun 22, 2020 12:23 pm
> Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************

Expired cert.

Terranon wrote: Mon Jun 22, 2020 12:23 pm
> Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Server cert.

Probably explains this comment as well:

Terranon wrote: Mon Jun 22, 2020 12:23 pm
> All network clients have the same problem

Pippin
Forum Team
Posts: 799
Joined: Wed Jul 01, 2015 8:03 am

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Pippin » Mon Jun 22, 2020 8:33 pm

Indeed @TinCanTech :)

There is a place in DSM, I think it's the certificates TAB, where you can select which service uses which certificate.
Is the correct certificate selected there?

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Wed Jun 24, 2020 12:50 pm

@Pippin
I have only one certificate. No other parameters have been changed. My operation on the DSM only consisted in renewing the existing certificate. Where can I control the services ?

@TinCanTech and @Pippin
Can the problem come from a certificate verification process ? If so, how do you troubleshoot this verification process ?

TinCanTech
OpenVPN Protagonist
Posts: 7389
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Wed Jun 24, 2020 1:14 pm

Terranon wrote: Wed Jun 24, 2020 12:50 pm
> Can the problem come from a certificate verification process ? If so, how do you troubleshoot this verification process ?

Terranon wrote: Mon Jun 22, 2020 12:23 pm
> VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************

The problem is quite clear and does not require troubleshooting..

Technically, the problem has nothing to do with openvpn.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Wed Jun 24, 2020 1:43 pm

Ok I close the discussion ; and thank you for your time.
