OpenVPN Server Web UI not loading

Business solution to host your own OpenVPN server with web management interface and bundled clients.
erp-sunny
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 15, 2021 4:23 pm

OpenVPN Server Web UI not loading

Post by erp-sunny » Wed Sep 15, 2021 4:31 pm

Getting Secure Connection Failed error message when accessing OpenVPN Server Web UI

An error occurred during a connection to xx.xxx.xx.xx. PR_END_OF_FILE_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

From investigation, I see the sacli is returning some certificate error

Code:

./sacli start                                                    
RunStart warm None
{
  "errors": {
    "client_query": [
      [
        "error", 
        "service failed to validate"
      ]
    ], 
    "cs.ca_bundle": [
      [
        "error", 
        "cert bundle validation error: [Errno 2] No such file or directory: u'': util/cdict:298,pki/validcert:14,pki/validcert:11,util/valid:119,util/simplefile:23 (exceptions.IOError)"
      ]
    ], 
    "cs.cert": [
      [
        "error", 
        "certificate validation error: [('PEM routines', 'get_name', 'no start line')]: util/cdict:298,pki/validcert:21,pki/validcert:18,OpenSSL/crypto:1947,OpenSSL/_util:54 (OpenSSL.crypto.Error)"
      ]
    ], 
    "cs.priv_key": [
      [
        "error", 
        "private key validation error: [('PEM routines', 'get_name', 'no start line')]: util/cdict:298,pki/validcert:28,pki/validcert:25,OpenSSL/crypto:2934,OpenSSL/_util:54 (OpenSSL.crypto.Error)"
      ]
    ], 
    "web": [
      [
        "error", 
        "service failed to validate"
      ]
    ]
  }, 
  "last_restarted": "Wed Sep 15 15:21:02 2021", 
  "service_status": {
    "api": "on", 
    "auth": "on", 
    "bridge": "on", 
    "client_query": "off", 
    "crl": "on", 
    "daemon_pre": "on", 
    "db_push": "on",
    "ip6tables_live": "on", 
    "ip6tables_openvpn": "on", 
    "iptables_live": "on", 
    "iptables_openvpn": "on", 
    "iptables_web": "off", 
    "log": "on", 
    "openvpn_0": "on", 
    "subscription": "on", 
    "user": "on", 
    "web": "off"
  }
}
WILL_RESTART []
ERROR: restart failed (ERRBACK)

I also looked into the log and found the following error, and I'm not sure how to fix this. Is this why I'm unable to access the web UI?

Code:

2021-09-14T19:58:23+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:58:23 2021 myip:11301 Connection reset, restarting [0]'
2021-09-14T19:58:23+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:58:23 2021 myip:11301 SIGUSR1[soft,connection-reset] received, client-instance restarting'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 TCP connection established with [AF_INET]myip:10603'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 Socket flags: TCP_NODELAY=1 succeeded'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 myip:10603 WARNING: Bad encapsulated packet length from peer (5635), which must be > 0 and <= 1627 -- please ensure that --tun-mtu or --link-mtu is equal on both peers -- this condition could also indicate a possible active attack on the TCP link -- [Attempting restart...]'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 myip:10603 Connection reset, restarting [0]'
2021-09-14T19:59:13+0000 [stdout#info] [OVPN 0] OUT: 'Tue Sep 14 19:59:13 2021 myip:10603 SIGUSR1[soft,connection-reset] received, client-instance restarting'

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: OpenVPN Server Web UI not loading

Post by openvpn_inc » Wed Sep 15, 2021 6:44 pm

Hello erp-sunny,

There is something wrong with your certificates or the configuration of it. It's basically telling you what's wrong.

"error", "cert bundle validation error: [Errno 2] No such file or directory: u'':

Looks like the value for cs.ca_bundle is empty. The configuration key should either not be present at all (not set to empty) so it falls back to the built-in self-signed certificates, or it should contain a path to a file that contains the CA bundle, or it should contain the CA certificate bundle in-line. But it should not be empty, and it looks like it is empty.

"error", "certificate validation error: [('PEM routines', 'get_name', 'no start line')]:
"error", "private key validation error: [('PEM routines', 'get_name', 'no start line')]:

Looks like whatever you put into the cs.cert and cs.priv_key value is not valid, or whatever it is finding there doesn't have the correct start line that a PEM type certificate or private key should have.

It's no wonder that the web interface doesn't work right. It doesn't have what it needs to start up correctly. I suggest you roll Access Server back to self-signed certificates. That should get your web interface working again. And then work on putting the correct and valid certificates in.

I believe this document can help you further:
https://openvpn.net/vpn-server-resource ... rtificate/

Particularly these instructions will generate self-signed certificates and configure them for use in Access Server (run commands as root user):

Regenerate self-signed certificates (overwrites existing ones):
cd /usr/local/openvpn_as/scripts/
./certool -d /usr/local/openvpn_as/etc/web-ssl --type ca --unique --cn "OpenVPN Web CA"
./certool -d /usr/local/openvpn_as/etc/web-ssl --type server --remove_csr --sn_off --serial 1 --name server --cn vpn.example.com
./sacli start

Remove web certificates and keys from the configuration (so it falls back to self-signed certs you just created):
cd /usr/local/openvpn_as/scripts/
./sacli --key "cs.cert" ConfigDel
./sacli --key "cs.priv_key" ConfigDel
./sacli --key "cs.ca_bundle" ConfigDel
./sacli --key "cs.ca_key" ConfigDel
./sacli start

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
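
A preflight check for the failure modes diagnosed in the reply above (an empty value, a missing file, content without a PEM start line), for use when the values are set by deployment code. This is an added example, not part of the original posts or of OpenVPN's tooling; the function name `check_pem_value`, the sample values, and the assumption that each value is either inline PEM or a file path are illustrative, and only the PEM framing is checked.

```shell
#!/bin/sh
# Added example: framing check for cs.cert, cs.priv_key and cs.ca_bundle values.
# Assumption: a value is either inline PEM text or a path to a PEM file.
# Only the BEGIN/END framing is checked, not whether the certificate or key is valid.

# check_pem_value KEY VALUE KIND   (KIND: "CERTIFICATE" or "PRIVATE KEY")
# Prints "ok: ..." and returns 0, or prints "error: ..." and returns 1.
check_pem_value() {
    cpv_key=$1 cpv_value=$2 cpv_kind=$3
    if [ -z "$cpv_value" ]; then
        echo "error: $cpv_key is empty; delete the key or give it a real value"
        return 1
    fi
    case $cpv_value in
        *"-----BEGIN "*) cpv_pem=$cpv_value; cpv_src=inline ;;
        *)  if [ ! -f "$cpv_value" ]; then
                echo "error: $cpv_key is neither inline PEM nor an existing file"
                return 1
            fi
            cpv_pem=$(cat "$cpv_value"); cpv_src=file ;;
    esac
    # Accepts e.g. "BEGIN RSA PRIVATE KEY" for kind "PRIVATE KEY", but rejects
    # "BEGIN CERTIFICATE REQUEST" for kind "CERTIFICATE"; tolerates CRLF endings.
    cpv_begin=$(printf '%s\n' "$cpv_pem" |
        grep -c -E "^-----BEGIN ([A-Z0-9]+ )?$cpv_kind-----[[:space:]]*\$" || true)
    cpv_end=$(printf '%s\n' "$cpv_pem" |
        grep -c -E "^-----END ([A-Z0-9]+ )?$cpv_kind-----[[:space:]]*\$" || true)
    if [ "$cpv_begin" -eq 0 ]; then
        echo "error: $cpv_key ($cpv_src) has no PEM start line for $cpv_kind"
        return 1
    fi
    if [ "$cpv_begin" -ne "$cpv_end" ]; then
        echo "error: $cpv_key ($cpv_src) has $cpv_begin BEGIN but $cpv_end END lines"
        return 1
    fi
    echo "ok: $cpv_key ($cpv_src) holds $cpv_begin $cpv_kind block(s)"
}

# Constructed sample values (placeholder bodies, not real key material).
SAMPLE_CERT='-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE-----'
SAMPLE_CSR='-----BEGIN CERTIFICATE REQUEST-----
Q09OU1RSVUNURUQgU0FNUExF
-----END CERTIFICATE REQUEST-----'

check_pem_value cs.cert      "$SAMPLE_CERT" "CERTIFICATE" || true
check_pem_value cs.cert      "$SAMPLE_CSR"  "CERTIFICATE" || true
check_pem_value cs.ca_bundle ""             "CERTIFICATE" || true
```

Running the check in the deployment pipeline before the values are written to the configuration catches the empty `cs.ca_bundle` and the missing start line before the web service refuses to start.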

erp-sunny
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 15, 2021 4:23 pm

Re: OpenVPN Server Web UI not loading

Post by erp-sunny » Wed Sep 15, 2021 7:59 pm

Hello Johan,
You are absolutely correct. The whole deployment was done via (code). I think we may have configured something incorrectly in the code, but you directly got us back into the Access Server and we were able to manually upload the correct cert, and everything now works perfectly. Thank you so much for the help :-) I know that this will definitely benefit someone else. Good work!
