[Linksys] Peer certificate verification failure

This forum is for general conversation and user-user networking.

raylo32
OpenVpn Newbie
Posts: 18
Joined: Fri Dec 14, 2018 12:02 am

[Linksys] Peer certificate verification failure

Post by raylo32 » Sun Oct 09, 2022 7:53 pm

Long time OpenVPN user, several years at least. I am currently remote and all of a sudden can't access my main VPN. Worked fine yesterday. I am getting the error "Peer certificate verification failure". I get the same error on my iPhone with the OpenVPN connect app there as I do on my Win 10 laptop. Is there a way to fix this whilst remote or will I need to get back home and create a new client certificate/profile??

And meanwhile I can still connect just fine to the VPN for another network at a different location.

BTW the network at the problem server is active as I can reach some cloud connected devices like thermostat. Maybe alls I need to do is reboot the router, but of course I can't do that remote without logging into the VPN. Catch 22...

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 8:35 am

Hello raylo32,

This sounds exactly like the problem reported here;
viewtopic.php?t=34871

Is this a Linksys device by any chance?

Kind regards,
Johan
Image OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support

raylo32
OpenVpn Newbie
Posts: 18
Joined: Fri Dec 14, 2018 12:02 am

Re: Peer certificate verification failure

Post by raylo32 » Mon Oct 10, 2022 10:01 am

Yes, Linksys 3200ACM. Never had a problem with this before. I read the thread you linked. Didn't see that this was ever resolved. I'll mess with this later today and if it doesn't work maybe time for a new router.


openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 11:03 am

Hello raylo32,

Quite disturbing actually to read about 2 Linksys 3200ACM routers that both have a built-in certificate with same date/time on it. Are they using the SAME certificate on all 3200ACM routers? That would be very bad for security. I hope I am wrong.

In any case, it's definitely an issue that Linksys caused and I hope they will be able to provide a solution. Otherwise, yes, a new router seems in order.

Kind regards,
Johan

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 11:24 am

Hey raylo32,

Since we have 2 reports about the same issue I would like to examine the CA certificate that you are using on your Linksys router. But only the public portion of it, which is safe to give out. The public portion is used by the client to verify the identity of the server, but doesn't contain anything that should remain private. To be clear, other items like private keys and such should remain private as they're part of the security of making a VPN connection, but the CA public portion is one that can be freely distributed to anyone without security risk.

There are two ways client connection files are presented to users - as a set of separate files, in which case the file called "ca.crt" or "ca.pem" or such will be the file I'm looking for (and definitely NOT client.crt or client.key). If you get 1 file that has the certificates embedded I'm looking for the portion between <ca> and </ca> (and definitely not <cert></cert> or <key></key>).

I would like to get this certificate file from both you and the other guy experiencing the same issue, and compare the two. If there are similarities between them it might mean that Linksys has done a very bad thing in terms of security. And I hope I'm wrong about it but I want to verify anyway. I'd really appreciate if you could help me in my investigation and send me that CA certificate file.

The best way to send it is at https://openvpn.net/support by registering on our main website (it's free) and sending in a support ticket and referencing this forum post - that way it's sent via a secure channel and I'll receive it there.

I hope you'll help me investigate this situation further,
Kind regards,
Johan

raylo32
OpenVpn Newbie
Posts: 18
Joined: Fri Dec 14, 2018 12:02 am

Re: Peer certificate verification failure

Post by raylo32 » Mon Oct 10, 2022 12:52 pm

Will do if I am able. Where would I find the ca.crt or ca.pem files? On my Windows notebook I don't see those anywhere in users>appdata>openvpnconnect

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 12:59 pm

Hello raylo32,

In your Linksys router, where you download and obtain the necessary files to install on the OpenVPN client side, you can find it.

Digging it out of the client side is not something OpenVPN Connect was designed for.

Kind regards,
Johan

raylo32
OpenVpn Newbie
Posts: 18
Joined: Fri Dec 14, 2018 12:02 am

Re: Peer certificate verification failure

Post by raylo32 » Mon Oct 10, 2022 1:54 pm

Sorry I am a little dense about this. In the router's OpenVPN page there are only 2 buttons related to this connection. One for the profile that shows the clientconfig file and an edit button for ports, protocol and ip address range.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 2:05 pm

Hello raylo32,

The button to show the client config file is the one we're looking for. It's just a text file, you can open it in a text editor like Notepad or whatever. In there will be a block that starts with <ca> and ends with </ca>. That's what I'm looking for.

I am hoping to compare with another such certificate from another user of the Linksys router to determine how big of a mess Linksys made of the situation with the certificates. We're either dealing with an unfortunate case of templates for generating certificates that all have the same dates in them, or we're dealing with a case of using the same CA's for all their routers, which would be a tremendous security risk. I am hoping to figure this out by gathering some information from Linksys router users.

Based on the results we'll be able to provide a clearer picture of the problem and the recommendations to solve it. However I am afraid this is something that only really Linksys can resolve as we have no role in generating or managing the certificates on the Linksys devices.

Kind regards,
Johan

raylo32
OpenVpn Newbie
Posts: 18
Joined: Fri Dec 14, 2018 12:02 am

Re: Peer certificate verification failure

Post by raylo32 » Mon Oct 10, 2022 2:18 pm

OK, that's easy. That file goes to the Windows downloads folder. I sent the requested excerpt to the support link above. Although I am not sure if I adequately completed the support site registration part. Let me know if I need to do anything else.

Edit: I got the confirmation that my ticket has been received.

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Peer certificate verification failure

Post by openvpn_inc » Mon Oct 10, 2022 3:04 pm

Hello raylo32,

Thank you for assisting us in figuring out what was going on. The good news is that the security aspect was sort of okay (although 1024 bit certificates these days are not the best to use anymore) because at least all the CAs appear to be unique. However, the expiration date is still a problem.

We've made an announcement on the forums and are now directing everyone there;
viewtopic.php?t=34874

Kind regards,
Johan

raylo32
OpenVpn Newbie
Posts: 18
Joined: Fri Dec 14, 2018 12:02 am

Re: Peer certificate verification failure

Post by raylo32 » Mon Oct 10, 2022 6:39 pm

Back in business with ASUS RT-AX3000 router. I just changed the LAN ip range to match what I had, copied over the wifi setup, then set up the VPN. Easy peasy and VPN is back in business. With better security and significantly faster wired and wireless routing than the old 3200ACM. I got it locally at our Best Buy for $20 more than B&H, but they couldn't deliver until Friday. As Johan noted, it probably was time for this upgrade anyway if only for better security.

https://www.bhphotovideo.com/c/product/1554741-REG/asus_rt_ax3000_ax3000_dual_band_wi_fi.html/reviews?msclkid=3446422628621128863321624dca6fd6

jaakdaniels
OpenVPN User
Posts: 37
Joined: Thu Oct 13, 2022 5:26 pm

Re: [Linksys] Peer certificate verification failure

Post by jaakdaniels » Tue Nov 08, 2022 8:47 pm

Does anyone want to know how to solve this? Was looking for 3 days to resolve this and oh man! We were looking MUCH too far!
Up and running VPN again for 10 years :p

Cheers! :)

jaakdaniels
OpenVPN User
Posts: 37
Joined: Thu Oct 13, 2022 5:26 pm

Re: [Linksys] Peer certificate verification failure

Post by jaakdaniels » Wed Nov 09, 2022 9:16 pm

Well, I DID IT!!!
3 new certificates until 2032 and VPN is up again!

Did more stuff together, so I don't know if every step is going to be useful, but as long as it works...
The thing is, try to do as if it's first time use, out of the box. Restoring configuration will not affect the certificates AFTER they have been generated, but it certainly does BEFORE the certificates are generated.

1) Make a backup of your configuration
2) Remove the WAN cable and all other cables, leave only the cable from a LAN port to your computer to log in
3) Hold "reset" pressed for 20 seconds, until the front LEDs go out and allow the router to reboot (Old certificates are now erased)
4) Go to http://192.168.1.1 and log in with "admin"
5) Configure the router BY HAND! Follow the steps as if it's your first time using it. The settings you do are not important
6) Follow this until the router complains about the missing WAN cable, and then connect the WAN cable
7) When the configuration is completed, download the *.ovpn file and check the "ca.crt" certificate-part
8) When it is valid you can restore your configuration. It does not affect the new certificates
9) Come back to this forum and let me know if it worked

Good luck to all!
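
Added example, not part of any post in this thread and not OpenVPN Inc. or Linksys code: the checks discussed above (CA expiry, key size, and whether two routers share the same CA) run against only the `<ca>` block of a downloaded .ovpn profile. It assumes the `openssl` command-line tool is installed; the function names and the 2048-bit warning threshold are choices made for this example.

```sh
#!/bin/sh
# Added example. Function names are hypothetical; requires the openssl CLI.
# Only the <ca> block is read: <cert> and <key> are never touched.

# Print the PEM text between <ca> and </ca> (CRs from Windows files removed).
extract_ca() {
    awk '/<ca>/ {f=1; next} /<\/ca>/ {f=0} f' "$1" | tr -d '\r'
}

# SHA-256 fingerprint of the first certificate in the <ca> block.
ca_fingerprint() {
    extract_ca "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Expiry (notAfter) exactly as openssl prints it.
ca_not_after() {
    extract_ca "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# Public key size in bits (handles OpenSSL 1.1 and 3.x output formats).
ca_key_bits() {
    extract_ca "$1" | openssl x509 -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeeds if the CA is still valid $2 seconds from now (default: right now).
ca_valid_for() {
    extract_ca "$1" | openssl x509 -noout -checkend "${2:-0}" >/dev/null
}

# Succeeds if two profiles embed the same CA certificate.
same_ca() {
    fp=$(ca_fingerprint "$1")
    [ -n "$fp" ] && [ "$fp" = "$(ca_fingerprint "$2")" ]
}

# Human-readable summary of one profile.
audit_profile() {
    bits=$(ca_key_bits "$1")
    printf 'fingerprint: %s\nnotAfter:    %s\nkey bits:    %s\n' \
        "$(ca_fingerprint "$1")" "$(ca_not_after "$1")" "$bits"
    if ! ca_valid_for "$1"; then echo 'status: EXPIRED'
    elif ! ca_valid_for "$1" 2592000; then echo 'status: expires within 30 days'
    else echo 'status: valid'; fi
    if [ "${bits:-0}" -lt 2048 ]; then echo 'warning: key shorter than 2048 bits'; fi
}

if [ "$#" -ge 1 ]; then audit_profile "$1"; fi
```

Run it as `sh script.sh profile.ovpn` (both names are placeholders) to print the summary; `same_ca first.ovpn second.ovpn` compares the CA fingerprints of two profiles.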