Server TLS key changes on restart

vchav73
OpenVpn Newbie
Posts: 2
Joined: Thu Oct 12, 2017 10:26 pm

Server TLS key changes on restart

Post by vchav73 » Thu Oct 12, 2017 10:51 pm

I am running an OpenVPN 2.4.3 server inside a Docker container hosted on a Linux server using the server config shown below. I am able to connect clients no problem until I restart the server and I start getting "TLS Error: TLS handshake failed" in the client. I traced the problem back to the TLS key file being changed on the server. After experimentation I've determined that the TLS key change is triggered by the server restart.

I'm guessing I am missing something in my config which is causing this, but after a lot of googling, forum searching, and documentation reviews I haven't been able to figure out why. Anyone have suggestions?

Code:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
ccd-exclusive
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log /var/log/openvpn/openvpn.log
verb 4
explicit-exit-notify 1
cipher AES-256-CBC
auth SHA512
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384:TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA:TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so "openvpn"
script-security 1
mode server
tls-server
reneg-sec 86400
writepid /var/run/openvpn-server/server.pid

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Server TLS key changes on restart

Post by TinCanTech » Fri Oct 13, 2017 9:18 pm


vchav73
OpenVpn Newbie
Posts: 2
Joined: Thu Oct 12, 2017 10:26 pm

Re: Server TLS key changes on restart

Post by vchav73 » Mon Oct 16, 2017 6:06 pm

Thanks for the reply.

This ended up being a problem with the entrypoint script in my Docker container, so it's unrelated to OpenVPN.
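
Added example, not from the original poster or the OpenVPN project: the thread never shows the entrypoint script, so the assumption here is the common failure mode that fits the symptoms, a script that runs the key generator on every container start and so replaces the tls-auth key (ta.key) that the clients were issued. The script below shows the idempotent alternative (generate only when the file is absent) and a fingerprint check that flags a regenerated key before clients start failing the handshake. The generator is a stand-in so it runs without OpenVPN installed; the real entrypoint would call `openvpn --genkey secret ta.key` (OpenVPN 2.4 syntax) at that point. Paths and function names are illustrative.

```sh
#!/bin/sh
# Idempotent key setup for a container entrypoint plus a restart-safety check.
# Assumes: the key lives on a persistent volume, and `sha256sum` (or `shasum`)
# is available. The generator below is a stand-in for `openvpn --genkey secret`.
set -eu

# Stable fingerprint of a key file: first 16 hex chars of its SHA-256.
key_fingerprint() {
    { sha256sum "$1" 2>/dev/null || shasum -a 256 "$1"; } | cut -c1-16
}

# Stand-in for `openvpn --genkey secret "$1"` so the example runs offline.
# Writes 256 random bytes as hex, mode 0600 via umask.
generate_key_stub() {
    umask 077
    head -c 256 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$1"
}

# Generate the tls-auth key ONLY if it is missing or empty. An entrypoint that
# calls the generator unconditionally produces a fresh ta.key on every restart,
# which is the symptom in the thread: clients still holding the old key get
# "TLS Error: TLS handshake failed".
ensure_tls_auth_key() {
    key="$1"
    if [ -s "$key" ]; then
        echo "keeping existing $key ($(key_fingerprint "$key"))"
        return 0
    fi
    generate_key_stub "$key"
    echo "generated new $key ($(key_fingerprint "$key"))"
}

# Record the key fingerprint on first start; on later starts return non-zero
# if the key on disk no longer matches, so the change is caught at startup.
check_key_unchanged() {
    key="$1"; record="$2"
    now=$(key_fingerprint "$key")
    if [ ! -f "$record" ]; then
        echo "$now" > "$record"
        return 0
    fi
    [ "$(cat "$record")" = "$now" ]
}

# Demonstration: two simulated container starts against the same volume,
# then the buggy unconditional-regeneration pattern for contrast.
demo() {
    dir=$(mktemp -d)
    key="$dir/ta.key"; rec="$dir/ta.key.sha256"

    ensure_tls_auth_key "$key"; check_key_unchanged "$key" "$rec"
    first=$(key_fingerprint "$key")
    ensure_tls_auth_key "$key"; check_key_unchanged "$key" "$rec"
    second=$(key_fingerprint "$key")
    [ "$first" = "$second" ] && echo "ta.key survived restart: $first"

    generate_key_stub "$key"   # what a non-idempotent entrypoint does
    if check_key_unchanged "$key" "$rec"; then
        echo "unexpected: regenerated key not detected"
    else
        echo "detected regenerated ta.key; clients will fail the handshake"
    fi
    rm -rf "$dir"
}

demo
```

In a real deployment the fingerprint record would sit on the same persistent volume as ta.key (and server.key), and the startup check would abort the container rather than just print, so a regenerated key never gets served.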
