Can't Connect: Certificate Verify Failed

wisbit
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 09, 2021 9:02 am

Can't Connect: Certificate Verify Failed

Post by wisbit » Thu Dec 09, 2021 9:19 am

Hi all,

It was all working well, then it didn't.
I set up my openvpn server about a year and a half ago, maybe 2. It's set up on a Debian 10 server.
I created several configuration files for several devices and accesses. All working very well, until this morning, when I got this error on my iPhone, iPad, and my partner's Mac computer.
There was an error attempting to connect to the selected server.
Error message:
OpenSSLContext::SSL::read_cleartext:
BIO_read failed, cap=2576 status=-1: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed
I create configuration files that contain all information needed for the connection: certs, etc.

Here are the several config files and logs.

ServerConfig

port 1194
proto udp
dev tun
ca /etc/openvpn/server/ca.crt
cert /etc/openvpn/server/wisbit-server.crt
key /etc/openvpn/server/wisbit-server.key
dh /etc/openvpn/server/dh.pem
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
duplicate-cn
cipher AES-256-CBC
tls-version-min 1.2
tls-cipher ****************************************
#tls-auth /etc/openvpn/server/ta.key
auth SHA512
auth-nocache
keepalive 20 60
persist-key
persist-tun
# we'll check that later on
#comp-lz0
daemon
user nobody
group nogroup
log-append /var/log/openvpn.log
verb 3


baseConfig

dev tun
proto udp
remote wisbit.hopto.org 1194
resolv-retry infinite

nobind

user nobody
group nogroup

persist-key
persist-tun

# THESE FILES WILL BE INCORPORATED IN THE CLIENT CONFIG FILE
#ca ca.crt
#cert client.crt
#key client.key

remote-cert-tls server

# THIS FILE WILL BE INCORPORATED IN THE CLIENT CONFIG FILE
#tls-auth ta.key 1

cipher AES-256-CBC
auth SHA512

# CHECK THIS LATER enabled in the server config file.
# compress lzo

verb 3

key-direction 1

# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf

server logs:

Thu Dec  9 09:24:10 2021 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Thu Dec  9 09:24:10 2021 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Thu Dec  9 09:24:10 2021 Diffie-Hellman initialized with 2048 bit key
Thu Dec  9 09:24:12 2021 WARNING: Your certificate has expired!
Thu Dec  9 09:24:12 2021 ROUTE_GATEWAY 192.168.5.1/255.255.255.0 IFACE=enp63s0 HWADDR=00:23:7d:16:51:58
Thu Dec  9 09:24:12 2021 TUN/TAP device tun0 opened
Thu Dec  9 09:24:12 2021 TUN/TAP TX queue length set to 100
Thu Dec  9 09:24:12 2021 /sbin/ip link set dev tun0 up mtu 1500
Thu Dec  9 09:24:12 2021 /sbin/ip addr add dev tun0 local 10.8.0.1 peer 10.8.0.2
Thu Dec  9 09:24:12 2021 /sbin/ip route add 10.8.0.0/24 via 10.8.0.2
Thu Dec  9 09:24:12 2021 Could not determine IPv4/IPv6 protocol. Using AF_INET
Thu Dec  9 09:24:12 2021 Socket Buffers: R=[212992->212992] S=[212992->212992]
Thu Dec  9 09:24:12 2021 UDPv4 link local (bound): [AF_INET][undef]:1194
Thu Dec  9 09:24:12 2021 UDPv4 link remote: [AF_UNSPEC]
Thu Dec  9 09:24:12 2021 GID set to nogroup
Thu Dec  9 09:24:12 2021 UID set to nobody
Thu Dec  9 09:24:12 2021 MULTI: multi_init called, r=256 v=256
Thu Dec  9 09:24:12 2021 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Thu Dec  9 09:24:12 2021 Initialization Sequence Completed
Thu Dec  9 09:28:56 2021 91.86.42.88:62417 TLS: Initial packet from [AF_INET]91.86.42.88:62417, sid=c36734a0 68f72a17
Thu Dec  9 09:29:56 2021 91.86.42.88:62417 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec  9 09:29:56 2021 91.86.42.88:62417 TLS Error: TLS handshake failed
Thu Dec  9 09:29:56 2021 91.86.42.88:62417 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Dec  9 09:34:25 2021 91.86.42.88:65146 TLS: Initial packet from [AF_INET]91.86.42.88:65146, sid=222ace1d 2d88a20b
Thu Dec  9 09:35:25 2021 91.86.42.88:65146 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec  9 09:35:25 2021 91.86.42.88:65146 TLS Error: TLS handshake failed
Thu Dec  9 09:35:25 2021 91.86.42.88:65146 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Dec  9 09:40:52 2021 91.86.42.88:56821 TLS: Initial packet from [AF_INET]91.86.42.88:56821, sid=19f5bca9 6f54d6c4
Thu Dec  9 09:41:52 2021 91.86.42.88:56821 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Dec  9 09:41:52 2021 91.86.42.88:56821 TLS Error: TLS handshake failed
Thu Dec  9 09:41:52 2021 91.86.42.88:56821 SIGUSR1[soft,tls-error] received, client-instance restarting
Thu Dec  9 09:43:54 2021 event_wait : Interrupted system call (code=4)
createconfig.sh

#!/bin/bash
# First argument: client identifier (the CN used for the key/cert file names)
set -eu

CLIENT_KEY_DIR=/etc/openvpn/client/client-keys
SERVER_KEY_DIR=/etc/openvpn/client/server-keys
OUTPUT_DIR=/etc/openvpn/client/files
BASE_CONFIG=/etc/openvpn/client/base.conf

# The identifier becomes the first line of the .ovpn (OpenVPN parses it as a
# directive, so it has to be a valid one such as "client"), followed by the
# base config and the inline <ca>, <cert> and <key> blocks.
echo "${1}" > "${CLIENT_KEY_DIR}/${1}_name"
cat "${CLIENT_KEY_DIR}/${1}_name" \
    "${BASE_CONFIG}" \
    <(echo -e '<ca>') \
    "${SERVER_KEY_DIR}/ca.crt" \
    <(echo -e '</ca>\n<cert>') \
    "${CLIENT_KEY_DIR}/${1}.crt" \
    <(echo -e '</cert>\n<key>') \
    "${CLIENT_KEY_DIR}/${1}.key" \
    <(echo -e '</key>') \
    > "${OUTPUT_DIR}/${1}.ovpn"
Thanks a lot for any help given.

WB
Let me know if there is anything else needed.

wisbit

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Thu Dec 09, 2021 10:49 am

I just noted that in the logs it's marked
WARNING: Your certificate has expired!
So I started the ca.crt and server.crt etc process from scratch to have new certificates.
But even after restarting the server, the warning is still there, and that I don't really understand.
Which certificates are concerned by this warning?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Can't Connect: Certificate Verify Failed

Post by TinCanTech » Thu Dec 09, 2021 1:59 pm

You need to use the new files in the openvpn config file.

wisbit

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Fri Dec 10, 2021 7:39 pm

TinCanTech wrote:
Thu Dec 09, 2021 1:59 pm
You need to use the new files in the openvpn config file.
Thanks a lot for the response.
I am not sure I understand you right. Do you mean to tell me that I should create new config ovpn files and use them on remote devices?
If that's what you meant, I can assure you that I have that covered; of course the old config files would not be working.
I generated new ovpn files but to no avail.

TinCanTech

Re: Can't Connect: Certificate Verify Failed

Post by TinCanTech » Fri Dec 10, 2021 8:09 pm

wisbit wrote:
Fri Dec 10, 2021 7:39 pm
I generated new ovpn files but to no avail.
define: generated


viewtopic.php?f=30&t=22603#p68963

wisbit

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Fri Dec 10, 2021 9:11 pm

TinCanTech wrote:
Fri Dec 10, 2021 8:09 pm
define: generated
I create a shell script that creates ovpn files using easyrsa functions and appends the crts, keys, etc...
I mentioned it in the OP.
Anywho, new ovpn files have been created since I reinitialised the PKI etc. (related to the "warning your certificate has expired" that I saw in the openvpn.log, which I also posted in the OP)

TinCanTech

Re: Can't Connect: Certificate Verify Failed

Post by TinCanTech » Fri Dec 10, 2021 9:27 pm

That would be an undefined shell script .. did you shellcheck it?

You can also try this: https://github.com/TinCanTech/easy-tls

wisbit

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Sun Dec 12, 2021 11:43 am

TinCanTech wrote:
Fri Dec 10, 2021 9:27 pm
That would be an undefined shell script .. did you shellcheck it?

You can also try this: https://github.com/TinCanTech/easy-tls
I really appreciate the responses, but I don't really understand the focus on the bash shell script I created in order to generate the ovpn files.
It worked amazingly for 2 years, until it didn't.
It's basically a script that creates client keys and certificates using ./easy-rsa functions and then concatenates all information in an ovpn file, including certs.
Is there anything else in the files I sent in the OP that could be a clue as to why I have this error?

TinCanTech

Re: Can't Connect: Certificate Verify Failed

Post by TinCanTech » Sun Dec 12, 2021 2:20 pm

It would appear that your undisclosed script has bugs.

wisbit

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Wed Dec 15, 2021 8:04 am

Here are the generation script, the base.conf (base for generating files), and an example client.ovpn.
OVPNfile Generation Script
#!/bin/bash
# First argument: client identifier (used as the CN and as the key/cert file name).
# Run from the easy-rsa directory: ./easyrsa is a relative path.
set -eu

CLIENT_KEY_DIR=/etc/openvpn/easy-rsa/pki/private
CLIENT_CERT_DIR=/etc/openvpn/easy-rsa/pki/issued
SERVER_KEY_DIR=/etc/openvpn/client/server-keys
OUTPUT_DIR=/etc/openvpn/client/files
BASE_CONFIG=/etc/openvpn/client/base.conf

if [ $# -eq 1 ]; then
    echo | ./easyrsa gen-req "${1}" nopass
    echo " "
    echo "==> KEY FILE ${1}.key is generated"
    echo " "
    echo -ne 'yes' | ./easyrsa sign-req client "${1}"
    echo " "
    echo "==> CERT FILE ${1}.crt is generated"
    echo " "

    # The identifier becomes the first line of the .ovpn (OpenVPN parses it as
    # a directive, so it has to be a valid one such as "client"), followed by
    # base.conf and the inline <ca>, <cert> and <key> blocks. Note that the
    # issued .crt from easy-rsa carries a text dump above its PEM block.
    echo "${1}" > "${OUTPUT_DIR}/${1}_name"
    cat "${OUTPUT_DIR}/${1}_name" \
        "${BASE_CONFIG}" \
        <(echo -e '<ca>') \
        "${SERVER_KEY_DIR}/ca.crt" \
        <(echo -e '</ca>\n<cert>') \
        "${CLIENT_CERT_DIR}/${1}.crt" \
        <(echo -e '</cert>\n<key>') \
        "${CLIENT_KEY_DIR}/${1}.key" \
        <(echo -e '</key>') \
        > "${OUTPUT_DIR}/${1}.ovpn"

    echo " "
    echo "==> ${1} CONFIGURATION FILE ${1}.ovpn is generated"
    echo " "
else
    echo "NO CLIENT CN"
fi


base.conf

dev tun
proto udp
remote myserver.com port
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
verb 3
key-direction 1



Example client.ovpn

client

dev tun
proto udp
remote myserver.com port
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
verb 3
key-direction 1

<ca>
-----BEGIN CERTIFICATE-----
BLABLABLA
-----END CERTIFICATE-----
</ca>

<cert>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
blabalabla
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=wisbit-server
Validity
Not Before: Dec 9 10:54:57 2021 GMT
Not After : Nov 15 10:54:57 2122 GMT
Subject: CN=client
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
BLABLABLA
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Key Identifier:
BLABLABLA
X509v3 Authority Key Identifier:
keyid:BLABLABLA
DirName:/CN=myserver
serial:BLABLABAL

X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage:
Digital Signature
Signature Algorithm: sha256WithRSAEncryption
BLABLABLA
-----BEGIN CERTIFICATE-----
BLABLABLA83G9+HlIljQbDPV4X8o332HqWK0HOb7oL
Pi6kQQ==
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
BLABLABLA
-----END PRIVATE KEY-----
</key>


wisbit

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Wed Dec 15, 2021 8:17 am

Server Log at verb 4

Wed Dec 15 09:10:21 2021 us=582195 Current Parameter Settings:
Wed Dec 15 09:10:21 2021 us=582359   config = '/etc/openvpn/server.conf'
Wed Dec 15 09:10:21 2021 us=582377   mode = 1
Wed Dec 15 09:10:21 2021 us=582390   persist_config = DISABLED
Wed Dec 15 09:10:21 2021 us=582403   persist_mode = 1
Wed Dec 15 09:10:21 2021 us=582416   show_ciphers = DISABLED
Wed Dec 15 09:10:21 2021 us=582428   show_digests = DISABLED
Wed Dec 15 09:10:21 2021 us=582441   show_engines = DISABLED
Wed Dec 15 09:10:21 2021 us=582452   genkey = DISABLED
Wed Dec 15 09:10:21 2021 us=582465   key_pass_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582477   show_tls_ciphers = DISABLED
Wed Dec 15 09:10:21 2021 us=582490   connect_retry_max = 0
Wed Dec 15 09:10:21 2021 us=582503 Connection profiles [0]:
Wed Dec 15 09:10:21 2021 us=582515   proto = udp
Wed Dec 15 09:10:21 2021 us=582528   local = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582540   local_port = 'PORT'
Wed Dec 15 09:10:21 2021 us=582552   remote = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582565   remote_port = 'PORT'
Wed Dec 15 09:10:21 2021 us=582577   remote_float = DISABLED
Wed Dec 15 09:10:21 2021 us=582589   bind_defined = DISABLED
Wed Dec 15 09:10:21 2021 us=582602   bind_local = ENABLED
Wed Dec 15 09:10:21 2021 us=582614   bind_ipv6_only = DISABLED
Wed Dec 15 09:10:21 2021 us=582626   connect_retry_seconds = 5
Wed Dec 15 09:10:21 2021 us=582639   connect_timeout = 120
Wed Dec 15 09:10:21 2021 us=582654   socks_proxy_server = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582666   socks_proxy_port = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582679   tun_mtu = 1500
Wed Dec 15 09:10:21 2021 us=582691   tun_mtu_defined = ENABLED
Wed Dec 15 09:10:21 2021 us=582704   link_mtu = 1500
Wed Dec 15 09:10:21 2021 us=582716   link_mtu_defined = DISABLED
Wed Dec 15 09:10:21 2021 us=582729   tun_mtu_extra = 0
Wed Dec 15 09:10:21 2021 us=582744   tun_mtu_extra_defined = DISABLED
Wed Dec 15 09:10:21 2021 us=582757   mtu_discover_type = -1
Wed Dec 15 09:10:21 2021 us=582769   fragment = 0
Wed Dec 15 09:10:21 2021 us=582782   mssfix = 1450
Wed Dec 15 09:10:21 2021 us=582795   explicit_exit_notification = 0
Wed Dec 15 09:10:21 2021 us=582807 Connection profiles END
Wed Dec 15 09:10:21 2021 us=582820   remote_random = DISABLED
Wed Dec 15 09:10:21 2021 us=582832   ipchange = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582844   dev = 'tun'
Wed Dec 15 09:10:21 2021 us=582857   dev_type = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582869   dev_node = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582882   lladdr = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582894   topology = 1
Wed Dec 15 09:10:21 2021 us=582907   ifconfig_local = 'IPADDR'
Wed Dec 15 09:10:21 2021 us=582919   ifconfig_remote_netmask = 'IPADDR'
Wed Dec 15 09:10:21 2021 us=582932   ifconfig_noexec = DISABLED
Wed Dec 15 09:10:21 2021 us=582944   ifconfig_nowarn = DISABLED
Wed Dec 15 09:10:21 2021 us=582956   ifconfig_ipv6_local = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582969   ifconfig_ipv6_netbits = 0
Wed Dec 15 09:10:21 2021 us=582981   ifconfig_ipv6_remote = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=582994   shaper = 0
Wed Dec 15 09:10:21 2021 us=583006   mtu_test = 0
Wed Dec 15 09:10:21 2021 us=583018   mlock = DISABLED
Wed Dec 15 09:10:21 2021 us=583031   keepalive_ping = 20
Wed Dec 15 09:10:21 2021 us=583043   keepalive_timeout = 60
Wed Dec 15 09:10:21 2021 us=583056   inactivity_timeout = 0
Wed Dec 15 09:10:21 2021 us=583068   ping_send_timeout = 20
Wed Dec 15 09:10:21 2021 us=583081   ping_rec_timeout = 120
Wed Dec 15 09:10:21 2021 us=583093   ping_rec_timeout_action = 2
Wed Dec 15 09:10:21 2021 us=583105   ping_timer_remote = DISABLED
Wed Dec 15 09:10:21 2021 us=583118   remap_sigusr1 = 0
Wed Dec 15 09:10:21 2021 us=583130   persist_tun = ENABLED
Wed Dec 15 09:10:21 2021 us=583143   persist_local_ip = DISABLED
Wed Dec 15 09:10:21 2021 us=583155   persist_remote_ip = DISABLED
Wed Dec 15 09:10:21 2021 us=583167   persist_key = ENABLED
Wed Dec 15 09:10:21 2021 us=583179   passtos = DISABLED
Wed Dec 15 09:10:21 2021 us=583192   resolve_retry_seconds = 1000000000
Wed Dec 15 09:10:21 2021 us=583204   resolve_in_advance = DISABLED
Wed Dec 15 09:10:21 2021 us=583241   username = 'nobody'
Wed Dec 15 09:10:21 2021 us=583255   groupname = 'nogroup'
Wed Dec 15 09:10:21 2021 us=583267   chroot_dir = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583280   cd_dir = '/etc/openvpn'
Wed Dec 15 09:10:21 2021 us=583292   writepid = '/run/openvpn/server.pid'
Wed Dec 15 09:10:21 2021 us=583304   up_script = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583317   down_script = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583329   down_pre = DISABLED
Wed Dec 15 09:10:21 2021 us=583341   up_restart = DISABLED
Wed Dec 15 09:10:21 2021 us=583354   up_delay = DISABLED
Wed Dec 15 09:10:21 2021 us=583366   daemon = ENABLED
Wed Dec 15 09:10:21 2021 us=583379   inetd = 0
Wed Dec 15 09:10:21 2021 us=583391   log = ENABLED
Wed Dec 15 09:10:21 2021 us=583403   suppress_timestamps = DISABLED
Wed Dec 15 09:10:21 2021 us=583415   machine_readable_output = DISABLED
Wed Dec 15 09:10:21 2021 us=583428   nice = 0
Wed Dec 15 09:10:21 2021 us=583440   verbosity = 4
Wed Dec 15 09:10:21 2021 us=583453   mute = 0
Wed Dec 15 09:10:21 2021 us=583465   gremlin = 0
Wed Dec 15 09:10:21 2021 us=583478   status_file = '/run/openvpn/server.status'
Wed Dec 15 09:10:21 2021 us=583490   status_file_version = 1
Wed Dec 15 09:10:21 2021 us=583503   status_file_update_freq = 10
Wed Dec 15 09:10:21 2021 us=583515   occ = ENABLED
Wed Dec 15 09:10:21 2021 us=583527   rcvbuf = 0
Wed Dec 15 09:10:21 2021 us=583540   sndbuf = 0
Wed Dec 15 09:10:21 2021 us=583552   mark = 0
Wed Dec 15 09:10:21 2021 us=583564   sockflags = 0
Wed Dec 15 09:10:21 2021 us=583577   fast_io = DISABLED
Wed Dec 15 09:10:21 2021 us=583589   comp.alg = 0
Wed Dec 15 09:10:21 2021 us=583602   comp.flags = 0
Wed Dec 15 09:10:21 2021 us=583614   route_script = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583626   route_default_gateway = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583639   route_default_metric = 0
Wed Dec 15 09:10:21 2021 us=583651   route_noexec = DISABLED
Wed Dec 15 09:10:21 2021 us=583664   route_delay = 0
Wed Dec 15 09:10:21 2021 us=583676   route_delay_window = 30
Wed Dec 15 09:10:21 2021 us=583688   route_delay_defined = DISABLED
Wed Dec 15 09:10:21 2021 us=583701   route_nopull = DISABLED
Wed Dec 15 09:10:21 2021 us=583713   route_gateway_via_dhcp = DISABLED
Wed Dec 15 09:10:21 2021 us=583725   allow_pull_fqdn = DISABLED
Wed Dec 15 09:10:21 2021 us=583738   route IPADDR/255.255.255.0/default (not set)/default (not set)
Wed Dec 15 09:10:21 2021 us=583751   management_addr = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583763   management_port = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583775   management_user_pass = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583788   management_log_history_cache = 250
Wed Dec 15 09:10:21 2021 us=583800   management_echo_buffer_size = 100
Wed Dec 15 09:10:21 2021 us=583813   management_write_peer_info_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583825   management_client_user = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583837   management_client_group = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583850   management_flags = 0
Wed Dec 15 09:10:21 2021 us=583862   shared_secret_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=583875   key_direction = not set
Wed Dec 15 09:10:21 2021 us=583888   ciphername = 'AES-256-CBC'
Wed Dec 15 09:10:21 2021 us=583900   ncp_enabled = ENABLED
Wed Dec 15 09:10:21 2021 us=583913   ncp_ciphers = 'AES-256-GCM:AES-128-GCM'
Wed Dec 15 09:10:21 2021 us=583925   authname = 'SHA512'
Wed Dec 15 09:10:21 2021 us=583938   prng_hash = 'SHA1'
Wed Dec 15 09:10:21 2021 us=583950   prng_nonce_secret_len = 16
Wed Dec 15 09:10:21 2021 us=583963   keysize = 0
Wed Dec 15 09:10:21 2021 us=583975   engine = DISABLED
Wed Dec 15 09:10:21 2021 us=583988   replay = ENABLED
Wed Dec 15 09:10:21 2021 us=584000   mute_replay_warnings = DISABLED
Wed Dec 15 09:10:21 2021 us=584013   replay_window = 64
Wed Dec 15 09:10:21 2021 us=584025   replay_time = 15
Wed Dec 15 09:10:21 2021 us=584038   packet_id_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584050   use_iv = ENABLED
Wed Dec 15 09:10:21 2021 us=584063   test_crypto = DISABLED
Wed Dec 15 09:10:21 2021 us=584080   tls_server = ENABLED
Wed Dec 15 09:10:21 2021 us=584093   tls_client = DISABLED
Wed Dec 15 09:10:21 2021 us=584105   key_method = 2
Wed Dec 15 09:10:21 2021 us=584117   ca_file = '/etc/openvpn/server/ca.crt'
Wed Dec 15 09:10:21 2021 us=584129   ca_path = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584142   dh_file = '/etc/openvpn/server/dh.pem'
Wed Dec 15 09:10:21 2021 us=584154   cert_file = '/etc/openvpn/server/my_server.crt'
Wed Dec 15 09:10:21 2021 us=584167   extra_certs_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584180   priv_key_file = '/etc/openvpn/server/my_server.key'
Wed Dec 15 09:10:21 2021 us=584192   pkcs12_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584205   cipher_list = 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256:TLS-DHE-RSA-WITH-AES-128-GCM-SHA256:TLS-DHE-RSA-WITH-AES-128-CBC-SHA256'
Wed Dec 15 09:10:21 2021 us=584218   cipher_list_tls13 = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584230   tls_cert_profile = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584243   tls_verify = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584255   tls_export_cert = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584268   verify_x509_type = 0
Wed Dec 15 09:10:21 2021 us=584280   verify_x509_name = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584292   crl_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584305   ns_cert_type = 0
Wed Dec 15 09:10:21 2021 us=584317   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584330   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584342   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584354   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584367   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584379   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584391   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584403   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584416   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584428   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584441   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584453   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584465   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584478   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584490   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584503   remote_cert_ku[i] = 0
Wed Dec 15 09:10:21 2021 us=584515   remote_cert_eku = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584527   ssl_flags = 192
Wed Dec 15 09:10:21 2021 us=584540   tls_timeout = 2
Wed Dec 15 09:10:21 2021 us=584562   renegotiate_bytes = -1
Wed Dec 15 09:10:21 2021 us=584576   renegotiate_packets = 0
Wed Dec 15 09:10:21 2021 us=584589   renegotiate_seconds = 3600
Wed Dec 15 09:10:21 2021 us=584602   handshake_window = 60
Wed Dec 15 09:10:21 2021 us=584615   transition_window = 3600
Wed Dec 15 09:10:21 2021 us=584627   single_session = DISABLED
Wed Dec 15 09:10:21 2021 us=584640   push_peer_info = DISABLED
Wed Dec 15 09:10:21 2021 us=584652   tls_exit = DISABLED
Wed Dec 15 09:10:21 2021 us=584664   tls_auth_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584677   tls_crypt_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=584689   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584702   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584714   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584726   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584739   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584751   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584766   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584779   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584791   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584804   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584816   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584828   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584846   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584859   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584871   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584883   pkcs11_protected_authentication = DISABLED
Wed Dec 15 09:10:21 2021 us=584896   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584908   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584921   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584933   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584945   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584958   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584970   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584982   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=584995   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585008   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585020   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585032   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585044   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585057   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585069   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585082   pkcs11_private_mode = 00000000
Wed Dec 15 09:10:21 2021 us=585094   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585106   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585118   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585131   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585143   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585156   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585168   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585181   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585194   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585268   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585692   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585708   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585721   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585734   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585746   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585759   pkcs11_cert_private = DISABLED
Wed Dec 15 09:10:21 2021 us=585772   pkcs11_pin_cache_period = -1
Wed Dec 15 09:10:21 2021 us=585785   pkcs11_id = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=585798   pkcs11_id_management = DISABLED
Wed Dec 15 09:10:21 2021 us=585811   server_network = IPADDR
Wed Dec 15 09:10:21 2021 us=585825   server_netmask = 255.255.255.0
Wed Dec 15 09:10:21 2021 us=585838   server_network_ipv6 = ::
Wed Dec 15 09:10:21 2021 us=585851   server_netbits_ipv6 = 0
Wed Dec 15 09:10:21 2021 us=585865   server_bridge_ip = 0.0.0.0
Wed Dec 15 09:10:21 2021 us=585878   server_bridge_netmask = 0.0.0.0
Wed Dec 15 09:10:21 2021 us=585891   server_bridge_pool_start = 0.0.0.0
Wed Dec 15 09:10:21 2021 us=585905   server_bridge_pool_end = 0.0.0.0
Wed Dec 15 09:10:21 2021 us=585917   push_entry = 'redirect-gateway def1'
Wed Dec 15 09:10:21 2021 us=585930   push_entry = 'dhcp-option DNS 208.67.222.222'
Wed Dec 15 09:10:21 2021 us=585943   push_entry = 'dhcp-option DNS 208.67.220.220'
Wed Dec 15 09:10:21 2021 us=585955   push_entry = 'route IPADDR'
Wed Dec 15 09:10:21 2021 us=585968   push_entry = 'topology net30'
Wed Dec 15 09:10:21 2021 us=585980   push_entry = 'ping 20'
Wed Dec 15 09:10:21 2021 us=585993   push_entry = 'ping-restart 60'
Wed Dec 15 09:10:21 2021 us=586006   ifconfig_pool_defined = ENABLED
Wed Dec 15 09:10:21 2021 us=586019   ifconfig_pool_start = IPADDR
Wed Dec 15 09:10:21 2021 us=586033   ifconfig_pool_end = IPADDR
Wed Dec 15 09:10:21 2021 us=586046   ifconfig_pool_netmask = 0.0.0.0
Wed Dec 15 09:10:21 2021 us=586059   ifconfig_pool_persist_filename = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586071   ifconfig_pool_persist_refresh_freq = 600
Wed Dec 15 09:10:21 2021 us=586091   ifconfig_ipv6_pool_defined = DISABLED
Wed Dec 15 09:10:21 2021 us=586104   ifconfig_ipv6_pool_base = ::
Wed Dec 15 09:10:21 2021 us=586117   ifconfig_ipv6_pool_netbits = 0
Wed Dec 15 09:10:21 2021 us=586129   n_bcast_buf = 256
Wed Dec 15 09:10:21 2021 us=586142   tcp_queue_limit = 64
Wed Dec 15 09:10:21 2021 us=586155   real_hash_size = 256
Wed Dec 15 09:10:21 2021 us=586168   virtual_hash_size = 256
Wed Dec 15 09:10:21 2021 us=586181   client_connect_script = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586193   learn_address_script = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586206   client_disconnect_script = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586219   client_config_dir = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586231   ccd_exclusive = DISABLED
Wed Dec 15 09:10:21 2021 us=586244   tmp_dir = '/tmp'
Wed Dec 15 09:10:21 2021 us=586257   push_ifconfig_defined = DISABLED
Wed Dec 15 09:10:21 2021 us=586270   push_ifconfig_local = 0.0.0.0
Wed Dec 15 09:10:21 2021 us=586284   push_ifconfig_remote_netmask = 0.0.0.0
Wed Dec 15 09:10:21 2021 us=586296   push_ifconfig_ipv6_defined = DISABLED
Wed Dec 15 09:10:21 2021 us=586310   push_ifconfig_ipv6_local = ::/0
Wed Dec 15 09:10:21 2021 us=586323   push_ifconfig_ipv6_remote = ::
Wed Dec 15 09:10:21 2021 us=586335   enable_c2c = DISABLED
Wed Dec 15 09:10:21 2021 us=586348   duplicate_cn = ENABLED
Wed Dec 15 09:10:21 2021 us=586361   cf_max = 0
Wed Dec 15 09:10:21 2021 us=586374   cf_per = 0
Wed Dec 15 09:10:21 2021 us=586387   max_clients = 1024
Wed Dec 15 09:10:21 2021 us=586399   max_routes_per_client = 256
Wed Dec 15 09:10:21 2021 us=586412   auth_user_pass_verify_script = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586424   auth_user_pass_verify_script_via_file = DISABLED
Wed Dec 15 09:10:21 2021 us=586437   auth_token_generate = DISABLED
Wed Dec 15 09:10:21 2021 us=586450   auth_token_lifetime = 0
Wed Dec 15 09:10:21 2021 us=586462   port_share_host = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586475   port_share_port = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586487   client = DISABLED
Wed Dec 15 09:10:21 2021 us=586500   pull = DISABLED
Wed Dec 15 09:10:21 2021 us=586512   auth_user_pass_file = '[UNDEF]'
Wed Dec 15 09:10:21 2021 us=586526 OpenVPN 2.4.7 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 28 2021
Wed Dec 15 09:10:21 2021 us=586546 library versions: OpenSSL 1.1.1d  10 Sep 2019, LZO 2.10
Wed Dec 15 09:10:21 2021 us=602417 Diffie-Hellman initialized with 2048 bit key
Wed Dec 15 09:10:21 2021 us=609641 WARNING: Your certificate has expired!
Wed Dec 15 09:10:21 2021 us=609707 TLS-Auth MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Dec 15 09:10:21 2021 us=610038 ROUTE_GATEWAY IPADDR/255.255.255.0 IFACE=enp63s0 HWADDR=MACADDR
Wed Dec 15 09:10:21 2021 us=614246 TUN/TAP device tun0 opened
Wed Dec 15 09:10:21 2021 us=624914 TUN/TAP TX queue length set to 100
Wed Dec 15 09:10:21 2021 us=626225 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Wed Dec 15 09:10:21 2021 us=626293 /sbin/ip link set dev tun0 up mtu 1500
Wed Dec 15 09:10:21 2021 us=632994 /sbin/ip addr add dev tun0 local IPADDR peer IPADDR
Wed Dec 15 09:10:21 2021 us=635780 /sbin/ip route add IPADDR/24 via IPADDR
Wed Dec 15 09:10:21 2021 us=637036 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Dec 15 09:10:21 2021 us=637322 Could not determine IPv4/IPv6 protocol. Using AF_INET
Wed Dec 15 09:10:21 2021 us=637376 Socket Buffers: R=[212992->212992] S=[212992->212992]
Wed Dec 15 09:10:21 2021 us=637426 UDPv4 link local (bound): [AF_INET][undef]:1194
Wed Dec 15 09:10:21 2021 us=637467 UDPv4 link remote: [AF_UNSPEC]
Wed Dec 15 09:10:21 2021 us=637510 GID set to nogroup
Wed Dec 15 09:10:21 2021 us=637573 UID set to nobody
Wed Dec 15 09:10:21 2021 us=637621 MULTI: multi_init called, r=256 v=256
Wed Dec 15 09:10:21 2021 us=637678 IFCONFIG POOL: base=10.8.0.4 size=62, ipv6=0
Wed Dec 15 09:10:21 2021 us=638495 Initialization Sequence Completed

Wed Dec 15 09:15:31 2021 us=662347 MULTI: multi_create_instance called
Wed Dec 15 09:15:31 2021 us=662515 IPADDR:53367 Re-using SSL/TLS context
Wed Dec 15 09:15:31 2021 us=662690 IPADDR:53367 Control Channel MTU parms [ L:1621 D:1212 EF:38 EB:0 ET:0 EL:3 ]
Wed Dec 15 09:15:31 2021 us=662722 IPADDR:53367 Data Channel MTU parms [ L:1621 D:1450 EF:121 EB:406 ET:0 EL:3 ]
Wed Dec 15 09:15:31 2021 us=662776 IPADDR:53367 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-server'
Wed Dec 15 09:15:31 2021 us=662798 91.86.42.88:53367 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1601,tun-mtu 1500,proto UDPv4,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client'
Wed Dec 15 09:15:31 2021 us=662839 91.86.42.88:53367 TLS: Initial packet from [AF_INET]IPADDR:53367, sid=4976be12 aa4f145a


wisbit
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 09, 2021 9:02 am

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Wed Dec 15, 2021 8:33 am

Another point I can mention is that the validity dates shown by these two
- /etc/openvpn/server/myserver.crt opened in a text editor
- the result of the command

    openssl x509 -noout -text -in /etc/openvpn/server/myserver.crt

are different.
The result of the command shows a cert whose validity date has expired, but when opening the file in a text editor, it shows 2022.

wisbit
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 09, 2021 9:02 am

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Wed Dec 15, 2021 9:07 am

OK, I reinstalled OpenVPN and recreated the CA, keys and all certs.
No more warnings about expired certificates, but still.
The server reaches "Initialization Sequence Completed", but when trying to connect to it with a newly generated ovpn file, I get the exact same error.


Error message:
OpenSSLContext::SSL::read_cleartext:
BIO_read failed, cap=2576 status=-1: error:1416F086:SSL
routines:tls_process_server_certificate:certificate verify failed

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Can't Connect: Certificate Verify Failed

Post by openvpn_inc » Wed Dec 15, 2021 5:34 pm

Hi wis,

If you are using an expired certificate, openvpn has no workaround for that. I think every log you posted here says the certificate is expired. Once the CA certificate has expired, your entire PKI is expired. They will never again be able to validate. "Beautiful bird, the Norwegian Blue! Lovely plumage!"

TLS key and CSR generation, and certificate signing by a CA, is all done externally to openvpn. It looks like your script is a frontend to easy-rsa, which itself is a frontend to openssl(1) commands.

Looks like you might need to generate a new, valid TLS CA, and then all new server and client certificates. (You can possibly reuse the private keys, but it might be simpler in easyrsa to just replace those also.)

hth, regards, rob0
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
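The two checks the thread turns on, namely whether the CA, server and client certificates are still within their validity period (the server log's "WARNING: Your certificate has expired!" and wisbit's `openssl x509 -noout -text` comparison) and whether a given certificate actually chains to the CA the peer is configured with, can be scripted with plain openssl(1). The script below is an added example written for this page; it is not code from wisbit, from rob0 or from the OpenVPN project, and the file names `ca.crt`, `server.crt`, `client.crt` and the helper `make_demo_pki` are assumptions made for the demonstration (the demo PKI it generates is throwaway test data, not a real PKI). It also reproduces the failure rob0 describes from the client side: a certificate issued by one CA never verifies against a different CA, which is exactly what a client bundle still carrying the old `ca.crt` sees after the server's PKI has been rebuilt.

```shell
#!/bin/sh
# Added example (not from the thread): expiry and chain checks for an OpenVPN PKI.
# Requires openssl(1) on PATH. File names below are assumptions for the demo.
set -eu

# cert_enddate FILE -> print the certificate's notAfter date
cert_enddate() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# cert_valid_for FILE SECONDS -> exit 0 if FILE is still valid SECONDS from now
# (SECONDS=0 asks "is it valid right now"; a larger value gives renewal headroom)
cert_valid_for() {
  openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}

# chain_ok CA CERT -> exit 0 if CERT verifies against CA (signature AND validity)
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# check_pki CA CERT... -> report every cert, return 1 if anything is expired
# or does not chain to CA. This is the check to run on the server before
# blaming the client when "certificate verify failed" appears.
check_pki() {
  ca=$1; shift; rc=0
  for f in "$ca" "$@"; do
    if cert_valid_for "$f" 0; then status=valid; else status=EXPIRED; rc=1; fi
    printf '%-24s notAfter=%s  %s\n' "$f" "$(cert_enddate "$f")" "$status"
  done
  for f in "$@"; do
    if chain_ok "$ca" "$f"; then
      echo "$f: verifies against $ca"
    else
      echo "$f: does NOT verify against $ca"; rc=1
    fi
  done
  return $rc
}

# make_demo_pki DIR DAYS -> throwaway CA plus server and client certs valid for
# DAYS days. Demo data only; it mimics what easy-rsa produces, nothing more.
make_demo_pki() {
  d=$1; days=$2; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj /CN=demo-ca \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for n in server client; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -days "$days" -out "$d/$n.crt" 2>/dev/null
  done
}

# Stand-alone demo: a healthy PKI passes, a cert from a different CA does not,
# and a CA with one day left is flagged when asked for two days of headroom.
demo() {
  tmp=$(mktemp -d)
  make_demo_pki "$tmp/new" 365
  make_demo_pki "$tmp/old" 1
  check_pki "$tmp/new/ca.crt" "$tmp/new/server.crt" "$tmp/new/client.crt"
  chain_ok "$tmp/new/ca.crt" "$tmp/old/client.crt" \
    || echo "old client cert rejected by new CA (what a stale ca.crt in an .ovpn sees)"
  cert_valid_for "$tmp/old/ca.crt" 172800 \
    || echo "old CA expires within 2 days: rotate the whole PKI now"
  rm -rf "$tmp"
}
```

On a real server the call would be `check_pki /etc/openvpn/server/ca.crt /etc/openvpn/server/wisbit-server.crt`, followed by the same command against each client certificate before it is embedded in an `.ovpn`. The `-checkend` window is the useful knob: run it from cron with a few weeks of headroom and the CA expiry that took this PKI down announces itself long before the first "certificate verify failed". Note that `openssl verify` checks the chain only against the CA file you hand it, so after a CA rebuild every client bundle must be regenerated with the new `ca.crt` inline; a client that still carries the old CA fails exactly as shown, even though the server itself reports "Initialization Sequence Completed".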

wisbit
OpenVpn Newbie
Posts: 11
Joined: Thu Dec 09, 2021 9:02 am

Re: Can't Connect: Certificate Verify Failed

Post by wisbit » Fri Feb 03, 2023 10:59 pm

Better late than never, thanks a lot for this answer !
That helped.
