Certificate renewed but openVPN client displays invalid certificate ?

Scripts to manage certificates or generate config files

Moderators: TinCanTech

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 12:23 pm

Hello everyone,

After expiration of the certificate I proceed to a successful renewal.
Only when I try to connect my OpenVPN client shows that the certificate has expired.

I compared my certificates and nothing differs.

All network clients have the same problem.

Do you have an idea ?

Here is what the log displays :

Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Jun 22 13:54:29 2020 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun 22 13:54:29 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Jun 22 13:54:29 2020 TLS Error: TLS handshake failed

Best regards,
--
Terranon
Last edited by Pippin on Mon Jun 22, 2020 12:52 pm, edited 1 time in total.
Reason: Formatting

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Mon Jun 22, 2020 1:10 pm

Terranon wrote (Mon Jun 22, 2020 12:23 pm):
> After expiration of the certificate I proceed to a successful renewal

It would appear to be not so successful .. how did you renew ?

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 2:01 pm

Yes the VPN server did not display any error message when renewing the certificate
The VPN server is on a Synology NAS.

The renewal procedure is available through the Synology GUI:
Select: Renew the certificate, then Next

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Mon Jun 22, 2020 3:10 pm

I believe it is the client certificate which has expired.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Pippin » Mon Jun 22, 2020 5:37 pm

IIUC the certificate changed, you have to re-export the client configuration in OpenVPN Server (in DSM).
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 6:02 pm

I would have liked, but the versions of the certificate are identical on both sides.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 6:09 pm

Hello Pippin,
Re-export the client configuration in OpenVPN Server (in DSM) ? I look at this.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 6:37 pm

Sorry Pippin,
I don't see how to import the client configuration into the DSM.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Pippin » Mon Jun 22, 2020 6:48 pm

You need to re-import that into your client.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Mon Jun 22, 2020 7:08 pm

Export the client configuration from DSM and import the files into the client configuration.
Yes, I already did this Pippin before opening my ticket on the forum.
I also restarted the VPN server as well as the DSM, but that didn't change anything.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Mon Jun 22, 2020 7:40 pm

Looking again:

Terranon wrote (Mon Jun 22, 2020 12:23 pm):
> Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194

So this is the client log

Terranon wrote (Mon Jun 22, 2020 12:23 pm):
> Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************

Expired cert.

Terranon wrote (Mon Jun 22, 2020 12:23 pm):
> Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Server cert.

Probably explains this comment as well:

Terranon wrote (Mon Jun 22, 2020 12:23 pm):
> All network clients have the same problem
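
The reading of the log in the post above, as an added example that is not part of the thread: a Python sketch that pulls the same three facts out of an OpenVPN log (which side wrote it, which chain position failed, whose certificate was rejected). The function name `triage` and the function-to-peer mapping are this example's own assumptions; the sample lines are the ones posted at the top of the thread, and `tls_process_client_certificate` is the server-side counterpart in OpenSSL, which the thread does not show.

```python
import re

# Client log lines from the first post of this thread (CN masked by the poster).
THREAD_LOG = """\
Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Jun 22 13:54:29 2020 TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
OPENSSL_RE = re.compile(r"OpenSSL: error:[0-9A-Fa-f]+:[^:]*:(\w+):(.+)$")

# Assumption of this example: the OpenSSL handshake function named in the
# error tells us whose certificate was being verified when the check failed.
CERT_BY_FUNC = {
    "tls_process_server_certificate": "server",  # client rejected the server's cert
    "tls_process_client_certificate": "client",  # server rejected the client's cert
}


def triage(log_text):
    """Summarise which certificate failed verification, where in the chain, and why."""
    out = {"log_side": None, "rejected_cert": None, "depth": None,
           "chain_position": None, "reason": None, "subject": None}
    for line in log_text.splitlines():
        if "TCP_CLIENT link remote" in line:
            out["log_side"] = "client"
        m = VERIFY_RE.search(line)
        if m and out["depth"] is None:  # keep the first failure only
            out["depth"] = int(m.group(1))
            out["reason"] = m.group(2).strip()
            out["subject"] = m.group(3).strip()
            # depth 0 is the peer's own certificate; higher depths are its issuers
            out["chain_position"] = "leaf" if out["depth"] == 0 else "issuer"
        m = OPENSSL_RE.search(line)
        if m and out["rejected_cert"] is None:
            out["rejected_cert"] = CERT_BY_FUNC.get(m.group(1))
    return out


if __name__ == "__main__":
    for key, value in triage(THREAD_LOG).items():
        print(f"{key}: {value}")
```

For the thread's log this reports a client-side log in which the server's leaf certificate was rejected as expired, which is why re-importing client files does not change the outcome.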

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Pippin » Mon Jun 22, 2020 8:33 pm

Indeed @TinCanTech :)

There is a place in DSM, I think it's the certificates TAB, where you can select which service uses which certificate.
Is the correct certificate selected there?

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Wed Jun 24, 2020 12:50 pm

@Pippin
I have only one certificate. No other parameters have been changed. My operation on the DSM only consisted in renewing the existing certificate. Where can I control the services ?

@TinCanTech and @Pippin
Can the problem come from a certificate verification process ? If so, how do you troubleshoot this verification process ?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by TinCanTech » Wed Jun 24, 2020 1:14 pm

Terranon wrote (Wed Jun 24, 2020 12:50 pm):
> Can the problem come from a certificate verification process ? If so, how do you troubleshoot this verification process ?

Terranon wrote (Mon Jun 22, 2020 12:23 pm):
> VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************

The problem is quite clear and does not require troubleshooting..

Technically, the problem has nothing to do with openvpn.

Terranon
OpenVpn Newbie
Posts: 8
Joined: Mon Jun 22, 2020 12:08 pm

Re: Certificate renewed but openVPN client displays invalid certificate ?

Post by Terranon » Wed Jun 24, 2020 1:43 pm

Ok I close the discussion ; and thank you for your time.