Scripts to manage certificates or generate config files
Moderators: TinCanTech
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Mon Jun 22, 2020 12:23 pm
Hello everyone,
After the certificate expired, I carried out a successful renewal.
But when I try to connect, my OpenVPN client shows that the certificate has expired.
I compared my certificates and nothing differs.
All network clients have the same problem.
Do you have any idea?
Here is what the log displays:
Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Jun 22 13:54:29 2020 TLS_ERROR: BIO read tls_read_plaintext error
Mon Jun 22 13:54:29 2020 TLS Error: TLS object -> incoming plaintext read error
Mon Jun 22 13:54:29 2020 TLS Error: TLS handshake failed
Best regards,
--
Terranon
Last edited by Pippin on Mon Jun 22, 2020 12:52 pm, edited 1 time in total.
Reason: Formatting
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Mon Jun 22, 2020 1:10 pm
Terranon wrote: ↑Mon Jun 22, 2020 12:23 pm
After the certificate expired, I carried out a successful renewal
It would appear to be not so successful .. how did you renew?
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Mon Jun 22, 2020 2:01 pm
Yes, the VPN server did not display any error message when renewing the certificate.
The VPN server is on a Synology NAS.
The renewal procedure is available through the Synology GUI:
Select: Renew the certificate, then Next
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Mon Jun 22, 2020 3:10 pm
I believe it is the client certificate which has expired.
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Post
by Pippin » Mon Jun 22, 2020 5:37 pm
IIUC the certificate changed, you have to re-export the client configuration in OpenVPN Server (in DSM).
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Mon Jun 22, 2020 6:02 pm
I would have liked, but the versions of the certificate are identical on both sides.
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Mon Jun 22, 2020 6:09 pm
Hello Pippin,
Re-export the client configuration in OpenVPN Server (in DSM)? I will look at this.
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Mon Jun 22, 2020 6:37 pm
Sorry Pippin,
I don't see how to import the client configuration into the DSM.
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Post
by Pippin » Mon Jun 22, 2020 6:48 pm
You need to re-import that into your client.
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Mon Jun 22, 2020 7:08 pm
Export the client configuration from DSM and import the files into the client configuration.
Yes, I already did this, Pippin, before opening my ticket on the forum.
I also restarted the VPN server as well as the DSM, but that didn't change anything.
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Mon Jun 22, 2020 7:40 pm
Looking again:
Terranon wrote: ↑Mon Jun 22, 2020 12:23 pm
Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
So this is the client log
Terranon wrote: ↑Mon Jun 22, 2020 12:23 pm
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Expired cert.
Terranon wrote: ↑Mon Jun 22, 2020 12:23 pm
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Server cert.
Probably explains this comment as well:
Terranon wrote: ↑Mon Jun 22, 2020 12:23 pm
All network clients have the same problem
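The reading of the log in the post above, as an added example that is not part of the original thread: a small Python triage that pairs each VERIFY ERROR with the OpenSSL line that follows it, to say whose certificate was rejected and at which chain depth. The function names `triage` and `summarize` are hypothetical, the sample is the client log quoted in this thread, and the server-side mapping (`tls_process_client_certificate`) is the OpenSSL counterpart, which does not appear on this page.

```python
import re

# Constructed sample: the client log lines quoted in this thread (CN masked as posted).
SAMPLE_LOG = """\
Mon Jun 22 13:54:28 2020 TCP_CLIENT link remote: [AF_INET]217.128.67.239:1194
Mon Jun 22 13:54:29 2020 VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
Mon Jun 22 13:54:29 2020 OpenSSL: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Mon Jun 22 13:54:29 2020 TLS Error: TLS handshake failed
"""

VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (.*)$")
OPENSSL_RE = re.compile(r"OpenSSL: error:[0-9A-Fa-f]+:SSL routines:(\w+):(.+)$")

# OpenSSL function named in the error -> whose certificate was being verified.
PEER_BY_FUNCTION = {
    "tls_process_server_certificate": "server",  # logged by a client
    "tls_process_client_certificate": "client",  # logged by a server (assumption: not on the page)
}


def triage(log_text):
    """Return one finding per VERIFY ERROR: which certificate failed, and why."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if m:
            depth = int(m.group(1))
            findings.append({
                "depth": depth,
                "error": m.group(2).strip(),
                "subject": m.group(3).strip(),
                # depth 0 is the peer's own certificate; higher depths are its issuers
                "chain_position": "leaf" if depth == 0 else "issuer (CA)",
                "peer": "unknown",
            })
            continue
        m = OPENSSL_RE.search(line)
        if m and findings and findings[-1]["peer"] == "unknown":
            # The OpenSSL line that follows names the handshake step that failed.
            findings[-1]["peer"] = PEER_BY_FUNCTION.get(m.group(1), "unknown")
    return findings


def summarize(finding):
    """One-line verdict an operator can act on."""
    return "{peer} certificate ({chain_position}) rejected: {error}".format(**finding)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(summarize(f))
```

For the log in this thread the verdict is a rejected server leaf certificate, which is why re-exporting the client configuration alone does not clear the error.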
-
Pippin
- Forum Team
- Posts: 1201
- Joined: Wed Jul 01, 2015 8:03 am
- Location: irc://irc.libera.chat:6697/openvpn
Post
by Pippin » Mon Jun 22, 2020 8:33 pm
Indeed @TinCanTech
There is a place in DSM, I think it's the certificates TAB, where you can select which service uses which certificate.
Is the correct certificate selected there?
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Wed Jun 24, 2020 12:50 pm
@Pippin
I have only one certificate. No other parameters have been changed. My operation on the DSM only consisted in renewing the existing certificate. Where can I control the services?
@TinCanTech and @Pippin
Can the problem come from a certificate verification process? If so, how do you troubleshoot this verification process?
-
TinCanTech
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Post
by TinCanTech » Wed Jun 24, 2020 1:14 pm
Terranon wrote: ↑Wed Jun 24, 2020 12:50 pm
Can the problem come from a certificate verification process? If so, how do you troubleshoot this verification process?
Terranon wrote: ↑Mon Jun 22, 2020 12:23 pm
VERIFY ERROR: depth=0, error=certificate has expired: CN=*****************
The problem is quite clear and does not require troubleshooting..
Technically, the problem has nothing to do with openvpn.
-
Terranon
- OpenVpn Newbie
- Posts: 8
- Joined: Mon Jun 22, 2020 12:08 pm
Post
by Terranon » Wed Jun 24, 2020 1:43 pm
OK, I am closing the discussion; and thank you for your time.