[Linksys] Error message: Peer certificate verification failure

andrej.poljak
OpenVpn Newbie
Posts: 11
Joined: Sat Nov 19, 2022 1:58 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by andrej.poljak » Sun Nov 20, 2022 8:59 am

Hi,

here is the info on the certs

CA cert
Certificate Information:
Common Name: Mamba
Organization: Linksys
Organization Unit: Belkin
Locality: Irvine
State: CA
Country: US
Valid From: November 19, 2022
Valid To: November 16, 2032
Issuer: Mamba, Linksys
Serial Number: ***************************

client cert
Certificate Information:
Common Name: client
Organization: Linksys
Organization Unit: Belkin
Locality: Irvine
State: CA
Country: US
Valid From: November 19, 2022
Valid To: November 16, 2032
Issuer: Mamba, Linksys
Serial Number: ***************************


BR,
Andrej

jaakdaniels
OpenVPN User
Posts: 37
Joined: Thu Oct 13, 2022 5:26 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by jaakdaniels » Sun Nov 20, 2022 11:59 am

Same here, even the dates. So you also generated them yesterday?
Time of mine is:

CA:
Not Before: Nov 19 14:21:47 2022 GMT
Not After : Nov 16 14:21:47 2032 GMT
Server:
Not Before: Nov 19 14:21:48 2022 GMT
Not After : Nov 16 14:21:48 2032 GMT

steven424
OpenVpn Newbie
Posts: 7
Joined: Mon Oct 24, 2022 2:40 am

Re: [Linksys] Error message: Peer certificate verification failure

Post by steven424 » Sun Nov 20, 2022 5:20 pm

What concerns me about all the solutions that claim the certs are created the first time the router is turned on or after a hard reset, is that the begin and end times of just about every set of "Not Before / Not After" dates posted here are almost identical. If the certs are really dynamically created during an initialization, then the pairs of start/stop dates would be all over the map.

But they're not, which leads me to believe that the certs are baked into the firmware and only a new firmware update will deliver an up-to-date pair of certs. Those who were able to generate certs that expire in 2032, maybe you have a very early or very late 1.0.8 firmware version that most of us don't have.

Regardless, most owners do not have the level of technical knowledge and sophistication to perform most of the solutions posted in this forum. IMHO it is incumbent upon Linksys to provide an updated firmware file (1.0.9?) that is simply load-and-go, and recover its good name as a leader in high-end routers. I wonder what users who purchase a WRT3200ACM today are going to do when they discover the VPN feature is not working out of the box.

--- Steve

jaakdaniels
OpenVPN User
Posts: 37
Joined: Thu Oct 13, 2022 5:26 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by jaakdaniels » Sun Nov 20, 2022 6:10 pm

Hi Steve,

Linksys is expected to post an update next week. They should have a beta-release of the firmware. Currently the latest version is 1.0.8.199531.
Meanwhile I don't want to wait and searched for a workaround that kept the VPN certificates valid.

You're probably right that most people do not have the technical knowledge, but hey, we do what we can, no?

Did you try my routine yet? It's easy! Just download the old SW, install it and let it reboot. Then press reset for 20 sec. with the red button and let it boot. After it has fully booted, flip the power switch 3 times so it goes back to the first partition. When you switch it on for the 4th time, it should update the certificates with a validity up to 2032.

Regards, Jaak

ldm314
OpenVpn Newbie
Posts: 1
Joined: Sun Nov 20, 2022 9:14 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by ldm314 » Sun Nov 20, 2022 9:19 pm

jaakdaniels wrote:
Sat Nov 19, 2022 3:12 pm
Hi Andrej,

Thank you for your contribution. Had the same procedure but was not successful every time. The difference was that I was not patient enough to wait 5 minutes... The question is, in logging you see the Router resetting the RTC to Jan 01, 1970. So it had no clue of time at boot moment and can only retrieve time from the internet. This happens at nearly the same time as the certificates are generated, so it's a timing issue from Linksys. They need to retrieve time and generate certificates AFTER the NTP-time is acquired.
I guess you were lucky, like I was only one time. Don't press that reset button again mate! :)

After 7 days of testing almost everything it seems I have a stable solution, at least, it worked 2 times in a row... :)
Almost everybody has FW 1.0.8.199531 installed. Me 2. So I thought, why not go back to the time things DID work. After all, the definition of an upgrade/update is solve the known bugs and add unknown bugs...


So this is my procedure that worked twice in a row:

- I downgraded to FW version 1.0.5.175944 and gave the router a factory reset. You can find the FW here
(Details: I flashed both partitions with the serial cable in uBoot, but I assume it should also work downgrading just 1 partition)
- Let it boot and log in at 192.168.1.1 (I normally use Google Chrome, but this old FW only worked on the old Internet Explorer)
- Make a VPN profile and download the certificate. Check it at https://www.sslshopper.com/certificate-decoder.html
- The certificate should be valid until Dec 1, 2023
- If this is the case, restore the "older" software. You can do this in the firmware update menu or switch the router 3 times on and off for about 3 seconds. The 4th time the router will switch to FW 1.0.8.199531 again and generate new certificates valid until 2032


Good luck!

So I ran into this same thing today preparing to work remotely for the holiday. I've tried a couple hours now with the suggestions in this thread with no luck. With WAN and WPS button, waiting 5 minutes before WAN etc... all failed.

I don't have a serial cable setup to update firmware. I downloaded this old firmware, used the web interface to apply it, the result is a boot failure. After a few power cycles it goes back to 199531. This is with a 3200ACM.

andrej.poljak
OpenVpn Newbie
Posts: 11
Joined: Sat Nov 19, 2022 1:58 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by andrej.poljak » Sun Nov 20, 2022 9:29 pm

Hi Steve,

you can also try my scenario. It may be easier, or use Jaak's.

Scenario:
1. Remove all UTP cables from all ports (WAN and LANs).
2. Connect a PC to LAN1; the PC's NIC must be configured to get its IP through DHCP.
3. Do a hard reset by pushing the red mini button for 20 seconds.
4. Wait 2 minutes for the router to reboot.
5. Log in to the router (192.168.1.1), use manual configuration, and press the IGNORE button when the wizard tells you that you are not on the internet.
6. Use the "admin" password to log in.
7. Wait for the wizard to finish and for the login to the router to complete.
8. Wait 1-2 minutes.
9. Connect the cable to the WAN port. This is important: the WAN cable must have internet.
   If you use a PPPoE connection, then configure your ISP modem to make the PPPoE session first, then
   connect the WAN cable. Then wait a while for the modem to get the correct date/time; you can check in
   the troubleshooting/report options, where you can see router time and browser time.
10. Then go to the OpenVPN options and create one user; username/password/save.
11. Do not start the OpenVPN server, but download the .ovpn file.
12. With the link https://www.sslshopper.com/certificate-decoder.html you can check the cert,
    or copy the content of the first and then the second into a file named cert.cer and then
    open it with Windows File Explorer to see the certificate info.

If you have the WAN cable connected when doing the reset, the router resets, and at
start it detects the WAN connection for a moment, and at this time the router has
a stored date in the year 2012 and the certificate is also created.

So, important: do not connect to WAN when doing the hard reset. Log in without a WAN connection.
Wait for a while, connect the WAN cable with internet "signal", wait for a while for the router to get
the right date/time, then configure OpenVPN.

I think the certs are not baked into the firmware, but time and date are baked.
So the Linksys guy must only make new firmware with a new starting date/time, e.g. 2022/11/11 12:00.

BR,
Andrej

Jaws
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 02, 2019 10:25 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by Jaws » Mon Nov 21, 2022 7:07 pm

Well, I would like to know that Linksys would update the firmware for this line of routers to correct the out of date certificates. Can anyone verify there will be a new firmware update soon? I would wait for it rather than jumping through these hoops to generate a new certificate.

WRT3200ACM owner John.

jaakdaniels
OpenVPN User
Posts: 37
Joined: Thu Oct 13, 2022 5:26 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by jaakdaniels » Tue Nov 22, 2022 9:10 am

Wombatus wrote this on another page of this forum:
"Further to this, I was just notified by Belkin (Linksys support) that a beta fix will be released next week for the 3200ACM routers."
That would be THIS week...

andrej.poljak
OpenVpn Newbie
Posts: 11
Joined: Sat Nov 19, 2022 1:58 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by andrej.poljak » Tue Nov 22, 2022 6:46 pm

Hi,

Yes, this is "hard" work. Only put a new default start date and time in the firmware, and that is all. But they need
a guy who can do this; I hope they have someone.

But as I say, you can make
backup
hard reset without cable in WAN port
wait to reboot
login with PC connected on LAN port (use admin as password) 192.168.1.1
use local connection mode, not some Smart Linksys mode
ignore message "router can not access internet"
wait to finish loading GUI of the router
connect WAN port, this cable must have internet
define one VPN user
download ovpn file, and check CA and client certificate
restore old settings

On my side it works without any problems.

BR,
Andrej

jaakdaniels
OpenVPN User
Posts: 37
Joined: Thu Oct 13, 2022 5:26 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by jaakdaniels » Tue Nov 22, 2022 9:04 pm

Andrej, did you manage to reproduce this result or did it happen just once? If I have to guess it happened only once? I also managed it once but could not reproduce it because the only moment the router sets the time is after you plug in the WAN cable. Once you have a WAN connection the certificates are generated. Timings vary.

andrej.poljak
OpenVpn Newbie
Posts: 11
Joined: Sat Nov 19, 2022 1:58 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by andrej.poljak » Tue Nov 22, 2022 9:32 pm

Hi,

yes, I tried everything, and at the last attempt with the scenario above
I got a good certificate, and then I did not touch anything else :-)

Now it works. I also deactivated auto download of new firmware.

BR,
Andrej

p.s.
and yes, you can be right about WAN. The router has some old default date/time
and when connected to WAN (must be on the internet), the router gets
the correct date/time from NTP servers, but when the certificate is created, hm hm, if after
this it is OK, if before then not OK, old date/time.

p.p.s
I non-stop pinged 8.8.8.8 and 192.168.1.1
WAN and LAN connected
Made a hard reset
IP 8.8.8.8 and 192.168.1.1 were down
When the router rebooted, IP 192.168.1.1 started to ping, but not 8.8.8.8
waited some time, logged in, and used local, manual setup/login, and
during this action 8.8.8.8 started to ping, so the WAN port is on at
first login, and the certificate is not good, because during rebooting
I had the router connected to WAN. At the last attempt I did exactly the same,
but with no WAN connected. WAN connected later.

nico_ar
OpenVpn Newbie
Posts: 3
Joined: Wed Mar 31, 2021 10:30 am

Re: [Linksys] Error message: Peer certificate verification failure

Post by nico_ar » Sat Nov 26, 2022 7:08 am

Hi everybody
Finally Linksys have fixed this issue after releasing the beta 1.0.9.211585. After the update, a factory reset and a fresh new install are required, otherwise it won't work. I do not know if the beta is already uploaded on their official site. Meanwhile, if someone is interested, I can share the link on request.
Have a nice day!

Pippin
Forum Team
Posts: 1184
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: [Linksys] Error message: Peer certificate verification failure

Post by Pippin » Sat Nov 26, 2022 12:12 pm

Hi,

There is already a link shared on this forum:
viewtopic.php?t=34892&start=40#p109664

As noted there, be cautious or just wait till it's officially available for download.
.
I gloomily came to the ironic conclusion that if you take a highly intelligent person and give them the best possible, elite education, then you will most likely wind up with an academic who is completely impervious to reality.
Halton Arp

Solarstar
OpenVpn Newbie
Posts: 2
Joined: Mon Nov 28, 2022 12:03 am

Re: [Linksys] Error message: Peer certificate verification failure

Post by Solarstar » Mon Nov 28, 2022 12:24 am

What about firmware for the WRT1900ACv2? It is doubtful there will be any new firmware for the 1900.

I tried the listed workarounds with very mixed results and no valid certs yet. My issue is complicated because I have to set up PPPoE to get a WAN connection to NTP servers. I have waited 5 mins before touching the OPEN GUI.

1st - I flashed back to firmware 2.0.7.x and had a valid cert but powered off to connect back 2 USB hard drives. When I powered back on, restored firmware to 2.0.8.x and restored my 11-26-2022 config, the clientconfig.ovpn file was blank at 1KB vs the usual 6.8K file. It was pretty disappointing, I was close.

2nd - Ran through the factory reset steps again on 2.0.8.x. However, the <ca> is Oct 2012 but the <cert> is Dec 2023.

milos.vanco
OpenVpn Newbie
Posts: 1
Joined: Tue Dec 06, 2022 8:44 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by milos.vanco » Tue Dec 06, 2022 8:48 pm

I am happy to confirm I was able to generate a valid OpenVPN certificate that works and has expiration set to 2032 using this procedure on my WRT1900ACS router. Thanks Andrej
andrej.poljak wrote:
Sun Nov 20, 2022 9:29 pm
Hi Steve,

you can also try my scenario. It may be easier, or use Jaak's.

Jaws
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 02, 2019 10:25 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by Jaws » Fri Dec 09, 2022 12:22 am

I too did the process stated above and got a new date on my certificate from 2022 to 2032. I try to connect using a valid certificate and still get a failure notice.

Here is the error from the open vpn log file.

[Dec 8, 2022, 19:15:33] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 8, 2022, 19:15:33] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 8, 2022, 19:15:33] EVENT: DISCONNECTED
[Dec 8, 2022, 19:15:36] Raw stats on disconnect:
BYTES_IN : 2365
BYTES_OUT : 339
PACKETS_IN : 4
PACKETS_OUT : 3
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1

[Dec 8, 2022, 19:15:36] Performance stats on disconnect:
CPU usage (microseconds): 2737936
Network bytes per CPU second: 987
Tunnel bytes per CPU second: 0

andrej.poljak
OpenVpn Newbie
Posts: 11
Joined: Sat Nov 19, 2022 1:58 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by andrej.poljak » Fri Dec 09, 2022 11:56 am

Jaws wrote:
Fri Dec 09, 2022 12:22 am
I too did the process stated above and got a new date on my certificate from 2022 to 2032. I try to connect using a valid certificate and still get a failure notice.

Here is the error from the open vpn log file.

[Dec 8, 2022, 19:15:33] Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 8, 2022, 19:15:33] EVENT: CERT_VERIFY_FAIL OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=7040 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
[Dec 8, 2022, 19:15:33] EVENT: DISCONNECTED
[Dec 8, 2022, 19:15:36] Raw stats on disconnect:
BYTES_IN : 2365
BYTES_OUT : 339
PACKETS_IN : 4
PACKETS_OUT : 3
SSL_ERROR : 1
CERT_VERIFY_FAIL : 1

[Dec 8, 2022, 19:15:36] Performance stats on disconnect:
CPU usage (microseconds): 2737936
Network bytes per CPU second: 987
Tunnel bytes per CPU second: 0

Hi,
so you download the new .ovpn file from the router. Open this file with Notepad++.
You will see two times
-----BEGIN CERTIFICATE-----
:
:
:
:
-----END CERTIFICATE-----

The first is the CA and the second is the client certificate. OK.
Now copy the first one from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (include also these two lines)
Go to the link https://www.sslshopper.com/certificate-decoder.html
Paste the content into the window. At the bottom you can see info, date ......
The first and the second must have 'Valid to': 2023 ..............

Jaws
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 02, 2019 10:25 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by Jaws » Fri Dec 09, 2022 8:49 pm

andrej.poljak wrote:
Fri Dec 09, 2022 11:56 am
Hi,
so you download the new .ovpn file from the router. Open this file with Notepad++.
You will see two times
-----BEGIN CERTIFICATE-----
:
:
:
:
-----END CERTIFICATE-----

The first is the CA and the second is the client certificate. OK.
Now copy the first one from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (include also these two lines)
Go to the link https://www.sslshopper.com/certificate-decoder.html
Paste the content into the window. At the bottom you can see info, date ......
The first and the second must have 'Valid to': 2023 ..............

Ok I did this and it says the following
Valid From: October 10, 2012
Valid To: October 8, 2022

So the certificate is still invalid but inside the client certificate there is a line that says the following

Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=Irvine, O=Linksys, OU=Belkin, CN=Mamba/name=BlackMamba/emailAddress=support@linksys.com
Validity
Not Before: Dec 3 16:30:31 2022 GMT
Not After : Nov 30 16:30:31 2032 GMT

These dates are what changed for me when I had reset the router. Am I missing a step?

Jaws
OpenVpn Newbie
Posts: 11
Joined: Wed Jan 02, 2019 10:25 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by Jaws » Fri Dec 09, 2022 10:56 pm

I have also noticed there are 3 certificates inside the clientconfig.ovpn file. There is the first one that has <ca> BEGIN CERTIFICATE -- to END CERTIFICATE </ca>
Then another several lines down that has ---BEGIN CERTIFICATE to END CERTIFICATE ---
Then a final one that is --- BEGIN PRIVATE KEY --- to END PRIVATE Key

I use the link for the first key and it says it is valid from Valid From: October 10, 2012
Valid To: October 8, 2022.

When I enter the second key it says it is Valid From: December 3, 2022
Valid To: November 30, 2032.

Is it possible that the router is generating two keys now?

andrej.poljak
OpenVpn Newbie
Posts: 11
Joined: Sat Nov 19, 2022 1:58 pm

Re: [Linksys] Error message: Peer certificate verification failure

Post by andrej.poljak » Sat Dec 10, 2022 8:47 am

Hi,

yes, you are right.
First is CA, second is client cert, and last is private key.

And I also had the same issue as you, but when I tried a few more times,
I also got the CA valid to 2023. So try and hope, and test the
first certificate (CA), because you can not see its validity info in the file, you
must use the https:\....... link; in the file you see validity info for the client cert.

BR,
Andrej
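
The check discussed in the posts above can be done locally, so the profile (which also holds the private key) never leaves the machine. This is an added example, not code from any poster or from Linksys: it reads only the validity window of each certificate and does not verify signatures. It labels the first PEM certificate as the CA and the second as the client certificate, as the thread describes, and the sample certificates are constructed, unsigned skeletons carrying the dates Jaws reported.

```python
import base64, re
from datetime import datetime, timezone

PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def _time(buf, tag, vs, ve):
    text = buf[vs:ve].decode("ascii")
    if tag == 0x17:                         # UTCTime: 2-digit year, >= 50 means 19xx (RFC 5280)
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(pem_body):
    """Return (not_before, not_after) from the base64 body of one PEM certificate."""
    der = base64.b64decode("".join(pem_body.split()))
    _, cs, _ = _tlv(der, 0)                 # Certificate SEQUENCE
    _, ts, te = _tlv(der, cs)               # tbsCertificate SEQUENCE
    fields = [f for f in _children(der, ts, te) if f[0] != 0xA0]  # drop optional [0] version
    _, vs, ve = fields[3]                   # serial, sigAlg, issuer, then validity
    not_before, not_after = _children(der, vs, ve)
    return _time(der, *not_before), _time(der, *not_after)

def check_ovpn(text, now):
    """Report each certificate in file order (assumed: CA first, client second)."""
    report = {}
    for label, m in zip(("ca", "client"), PEM.finditer(text)):
        nb, na = cert_validity(m.group(1))
        report[label] = {"not_before": nb, "not_after": na, "valid_now": nb <= now <= na}
    return report

# --- constructed sample: unsigned DER skeletons with only the fields read above ---
def _der(tag, body):                        # short form below 128 bytes, else one length byte
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_pem(not_before, not_after):
    validity = _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _der(0x30, b"") + validity + _der(0x30, b"\x00" * 120))
    body = base64.encodebytes(_der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

SAMPLE_OVPN = ("client\n<ca>\n" + sample_pem(b"121010000000Z", b"221008000000Z") + "</ca>\n"
               + sample_pem(b"221203163031Z", b"321130163031Z"))

if __name__ == "__main__":
    for label, info in check_ovpn(SAMPLE_OVPN, datetime.now(timezone.utc)).items():
        print(label, info["not_before"].date(), info["not_after"].date(), info["valid_now"])
```

A CA entry whose `not_after` is already in the past, next to a client entry valid to 2032, matches the mixed result reported above, where the connection still fails with `certificate verify failed`.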
