Certificate expired on 2nd client

Scripts to manage certificates or generate config files

Moderators: TinCanTech

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

Certificate expired on 2nd client

Post by big_D » Thu Apr 13, 2017 8:36 am

I have a curious problem. I have installed OpenVPN on a pfSense firewall and everything is configured fine.

The CA expires in 2027
Server cert expires in 2027
Client cert expires in 2027

I installed OpenVPN on my main notebook to test and it connects fine.
I installed OpenVPN on my 2nd notebook and it says that the certificate has expired!

No matter what I do, I don't get any further. I have de-installed and re-installed the client on both PCs, I have deleted the certificates out of the Windows Cert Store and I deleted the config files. Re-installed, same results. I then deleted the OpenVPN server and re-created it, then the users, then exported the set-up file and re-installed on the clients. Same results.

I also created a second user, it installed and worked on the users main PC, their 2nd PC complained that the certificate had expired!

Interestingly, I exported the Android configuration and it works fine there.

Here is the connection log from my 2nd PC:


Sun Apr 09 11:43:54 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Sun Apr 09 11:43:54 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Sun Apr 09 11:43:54 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Apr 09 11:43:54 2017 library versions: OpenSSL 1.0.2i  22 Sep 2016, LZO 2.09
Sun Apr 09 11:44:02 2017 WARNING: Your certificate has expired!
Sun Apr 09 11:44:02 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:44:02 2017 UDP link local (bound): [AF_INET][undef]:1194
Sun Apr 09 11:44:02 2017 UDP link remote: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:44:02 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
and here from the 1st PC, that works.


Sun Apr 09 11:51:23 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Sun Apr 09 11:51:23 2017 OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Dec 27 2016
Sun Apr 09 11:51:23 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Sun Apr 09 11:51:23 2017 library versions: OpenSSL 1.0.2i  22 Sep 2016, LZO 2.09
Sun Apr 09 11:51:28 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:51:28 2017 UDP link local (bound): [AF_INET][undef]:1194
Sun Apr 09 11:51:28 2017 UDP link remote: [AF_INET]1.1.1.1:1194
Sun Apr 09 11:51:28 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Apr 09 11:51:28 2017 [185.74.183.149] Peer Connection Initiated with [AF_INET]1.1.1.1:1194
Sun Apr 09 11:51:29 2017 open_tun
Sun Apr 09 11:51:29 2017 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{E92DAAAC-573A-4856-B177-DFDD460C6471}.tap
Sun Apr 09 11:51:29 2017 Set TAP-Windows TUN subnet mode network/local/netmask = 192.168.57.0/192.168.57.2/255.255.255.0 [SUCCEEDED]
Sun Apr 09 11:51:29 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.57.2/255.255.255.0 on interface {E92DAAAC-573A-4856-B177-DFDD460C6471} [DHCP-serv: 192.168.57.254, lease-time: 31536000]
Sun Apr 09 11:51:29 2017 Successful ARP Flush on interface [9] {E92DAAAC-573A-4856-B177-DFDD460C6471}
Sun Apr 09 11:51:29 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
(I have anonymized the IP address of the server)

I tried updating to the latest Windows client and I then got the following error on the 2nd PC:


error -ns-cert is depricated use -remote-cert-tls instead
I added the option to the config file and I am back to just the original error of an expired certificate.

I have checked the time and location settings, all PCs and server are in the same time zone and show the same time.
The PCs are connecting 1 at a time, so it isn't a spurious error message caused by 2 PCs signing on with the same certificate and user at the same time; in fact, the server is configured to allow multiple simultaneous connections from the same user.

PCs are as follows:
PC 1 - Fujitsu Lifebook A556, Windows 7 SP1 / Windows 10 Pro 1703
PC 2 - HP Spectre x360, Windows 10 1703

And for the second user:
PC 1 - Lenovo IdeaPad Y70 - Windows 10 Pro 1607
PC 2 - MS Surface Pro 3 - Windows 10 Pro 1607

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate expired on 2nd client

Post by TinCanTech » Thu Apr 13, 2017 11:18 am

Either the certificate has expired or the date on your machine is incorrect.

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

Re: Certificate expired on 2nd client

Post by big_D » Thu Apr 13, 2017 12:04 pm

Date and time on both PCs is identical, as is UTC offset (NTP set).
Certificate is set to expire on 13.04.2027, so it has 10 years left to run.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate expired on 2nd client

Post by TinCanTech » Thu Apr 13, 2017 12:40 pm

big_D wrote:Certificate is set to expire on 13.04.2027, so it has 10 years left to run
big_D wrote:Sun Apr 09 11:44:02 2017 WARNING: Your certificate has expired!
The certificate is not valid before 13.04.2017 .. or more likely 15.04.2017 due to leap years.
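The point above is that a certificate has two boundaries, notBefore and notAfter, and a clock outside either one fails the check. An "expired" message alone does not say which boundary was crossed, so the first thing to verify is both dates against the client's clock. The following is an added example, not code from the thread or from OpenVPN: a small pure-standard-library Python script that decodes the Validity field straight out of a DER-encoded X.509 certificate and classifies it against a given time as "not yet valid", "valid" or "expired". The certificate it parses is a constructed skeleton (empty issuer, subject and key fields, no real signature) built inline so the script runs offline; `sample_certificate`, `check_validity` and the dates used are this example's own.

```python
from datetime import datetime, timezone


def utc(*ymdhms):
    """Build an aware UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*ymdhms, tzinfo=timezone.utc)


# --- minimal DER reader ---------------------------------------------------
def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, buf[pos:pos + length], pos + length


def children(seq_value):
    """Split the content of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, value, pos = read_tlv(seq_value, pos)
        out.append((tag, value))
    return out


def parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware UTC datetime."""
    text = value.decode("ascii")
    if tag == 0x17:                                    # YYMMDDHHMMSSZ (RFC 5280 4.1.2.5.1)
        yy = int(text[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), text[2:]
    elif tag == 0x18:                                  # YYYYMMDDHHMMSSZ
        year, rest = int(text[:4]), text[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    if not rest.endswith("Z"):
        raise ValueError("DER requires Zulu (UTC) time")
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return utc(year, month, day, hour, minute, second)


def certificate_validity(cert_der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert_body, _ = read_tlv(cert_der)               # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert_body)                    # tbsCertificate ::= SEQUENCE
    fields = children(tbs)
    if fields[0][0] == 0xA0:                           # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, ... -> validity is index 3
    not_before, not_after = (parse_time(t, v) for t, v in children(fields[3][1]))
    return not_before, not_after


def check_validity(cert_der, now):
    """Classify a certificate against a clock: 'not yet valid', 'valid' or 'expired'."""
    not_before, not_after = certificate_validity(cert_der)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


# --- constructed sample certificate skeleton (example data, not a real cert) ---
def der(tag, content):
    """Encode one DER TLV with short- or long-form length."""
    if len(content) < 128:
        return bytes([tag, len(content)]) + content
    length_bytes = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def utc_time(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def sample_certificate(not_before, not_after):
    """Structurally valid but unsigned certificate skeleton; issuer, subject and
    SPKI are left empty, so it only serves to exercise the Validity parser."""
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))            # version v3
              + der(0x02, b"\x01")                     # serialNumber 1
              + der(0x30, b"")                         # signature AlgorithmIdentifier (empty)
              + der(0x30, b"")                         # issuer Name (empty)
              + der(0x30, utc_time(not_before) + utc_time(not_after))
              + der(0x30, b"")                         # subject Name (empty)
              + der(0x30, b""))                        # subjectPublicKeyInfo (empty)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


if __name__ == "__main__":
    cert = sample_certificate(utc(2017, 4, 13), utc(2027, 4, 13))
    for probe in (utc(2017, 4, 9, 11, 44, 2), utc(2017, 4, 20), utc(2027, 5, 1)):
        print(probe.isoformat(), "->", check_validity(cert, probe))
```

Run against a real certificate, `certificate_validity(open("client.der", "rb").read())` gives both dates; for a PEM file, base64-decode the body between the BEGIN/END lines first. The classification deliberately reports the two window failures separately, which is the distinction the post above draws.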

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

Re: Certificate expired on 2nd client

Post by big_D » Thu Apr 13, 2017 12:54 pm

Sorry for the confusion.

The log is from 09.04.2017 and the certificate for that was issued on 06.02.2017 and was valid until 06.02.2027.

The current certificate was generated today, when I deleted the OpenVPN server and users and generated new certificates just to eliminate the old certificates as being the problem.

Pippin
Forum Team
Posts: 1201
Joined: Wed Jul 01, 2015 8:03 am
Location: irc://irc.libera.chat:6697/openvpn

Re: Certificate expired on 2nd client

Post by Pippin » Thu Apr 13, 2017 8:03 pm

Can you try to only download the config (without installer) from the pfSense GUI and install OpenVPN 2.3.14 (old stable) -- released on 2016.12.07?

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

Re: Certificate expired on 2nd client

Post by big_D » Tue Apr 18, 2017 6:02 am

De-installed OpenVPN, deleted config, deleted key.

Downloaded config file, installed OpenVPN 2.3.14, copied config file into folder.

Certificate valid until April 2027.

OpenVPN reported that the certificate had expired.

Installed certificate in Windows certificate manager.

OpenVPN reported that the certificate had expired.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate expired on 2nd client

Post by TinCanTech » Tue Apr 18, 2017 12:54 pm

Can you post the full certificate file ?

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

Re: Certificate expired on 2nd client

Post by big_D » Thu Apr 20, 2017 10:06 am

Update: I had a brainwave last night...

The notebook that doesn't work is private, therefore it has a different username to the company notebook... I tried adding a new account with the same name and voilà, OpenVPN stopped saying the certificate has expired...

So, it has nothing to do with the certificate file or the configuration, but it seems to be a "bad" error message, when the local account name isn't the same as the account name used to log onto the corporate network...

So, wrong error message and checking in the wrong place? With OpenVPN, I am connecting from a PC to the server using credentials that are valid on the network, so it shouldn't, IMHO, have anything to do with the local username... The OpenVPN username and password are correct and correspond to the certificate.

I haven't had time to test this further - after changing to a user account on the PC with the same name, the error disappeared, but it still didn't connect, I am now looking into that. But it still doesn't solve the initial problem. Is this expected behaviour? It seems a bit odd, plus Android doesn't have this problem - I am "logged" on to that with my GMail account, not my corporate account...

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Certificate expired on 2nd client

Post by TiTex » Thu Apr 20, 2017 4:05 pm

big_D wrote:So, it has nothing to do with the certificate file or the configuration, but it seems to be a "bad" error message, when the local account name isn't the same as the account name used to log onto the corporate network...
I don't understand what that has to do with anything. I'm using OpenVPN profiles for 4-5 different places with different usernames/passwords than the account I'm logged in with on my laptop.

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

Re: Certificate expired on 2nd client

Post by big_D » Fri Apr 21, 2017 6:25 am

I can only give information as it appears. Using a normal local account with a name different to the domain account, the certificate is "expired". Using an account with the same name as the domain account, the certificate is not expired...

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

[SOLVED] Re: Certificate expired on 2nd client

Post by big_D » Fri Apr 21, 2017 8:20 am

Problem solved / workaround...

I had been using the setting to store the key in the Windows Certificate Manager, instead of local files.

This seems to work on PCs where the local user is in the domain, but not when the user is logged on with a local account. I changed the settings in the package manager on the pfSense to just use local files and voilà, it connected first time!

So there seems to be some problem with the way that the Windows Certificate Manager and OpenVPN are interacting, when local account name doesn't match the VPN login (we use RADIUS on the pfSense to authenticate users).

Once the name matches, the error about the expired certificate goes away, but it still can't connect (server log says that the key was not transmitted / "TLS Error: cannot locate HMAC in incoming packet from [AF_INET]").

Once OpenVPN is configured to use local certificate files, instead of the Windows Certificate Manager, there are no errors and OpenVPN can connect without problem.

Not 100% ideal, but at least we can move forward with implementing pfSense now.

TiTex
OpenVPN Super User
Posts: 310
Joined: Tue Apr 12, 2011 6:22 am

Re: Certificate expired on 2nd client

Post by TiTex » Fri Apr 21, 2017 3:56 pm

I have to admit, I never used OpenVPN with the Windows certificate store... maybe it's a bug.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate expired on 2nd client

Post by TinCanTech » Fri Apr 21, 2017 10:45 pm

Try using a fully inline client config file and take Windows Certificate out of the equation.
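The workaround reported earlier in the thread (switching the pfSense export from the Windows certificate store to local files) and the suggestion above amount to the same thing: a client profile that carries its own CA, certificate, key and tls-auth material in `<ca>`, `<cert>`, `<key>` and `<tls-auth>` sections, so nothing depends on the store, the logged-on user or loose files. The script below is an added example, not code from the thread, pfSense or OpenVPN. It rewrites a store-based profile into a fully inline one, replaces the deprecated `ns-cert-type server` (the error the original poster hit on the newer client) with `remote-cert-tls server`, and audits the result for anything still referencing files or the store. The sample profile, the file names, the `SUBJ:big_D` selector and the PEM bodies are constructed placeholders; the function names are this example's own.

```python
# Constructed sample of a store-based client export; not a real pfSense export.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
ns-cert-type server
auth-user-pass
auth-nocache
ca pfSense-udp-1194-ca.crt
cryptoapicert "SUBJ:big_D"
tls-auth pfSense-udp-1194-tls.key 1
"""

# Constructed placeholder PEM bodies standing in for the real files (not real keys).
SAMPLE_FILES = {
    "pfSense-udp-1194-ca.crt":
        "-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.crt":
        "-----BEGIN CERTIFICATE-----\nCLIENT-CERT-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "client.key":
        "-----BEGIN PRIVATE KEY-----\nCLIENT-KEY-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "pfSense-udp-1194-tls.key":
        "-----BEGIN OpenVPN Static key V1-----\nTA-PLACEHOLDER\n-----END OpenVPN Static key V1-----\n",
}

# Directives that pull credentials from files or the Windows store, or are deprecated.
EXTERNAL = {"ca", "cert", "key", "tls-auth", "tls-crypt", "cryptoapicert", "pkcs12",
            "ns-cert-type"}


def _section(name, filename, files):
    """Wrap the PEM content of `filename` in an OpenVPN inline <name>...</name> block."""
    body = files[filename]
    if not body.endswith("\n"):
        body += "\n"
    return "<%s>\n%s</%s>" % (name, body, name)


def inline_config(config_text, files, client_cert, client_key):
    """Return a fully inline profile. `files` maps file names to PEM text; `client_cert`
    and `client_key` name the material that replaces a cryptoapicert selector.
    Assumes unquoted single-word file names, as in the constructed sample."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        parts = line.split()
        directive = parts[0] if parts and not line.startswith(("#", ";")) else None
        if directive == "ns-cert-type":            # removed in current clients
            out.append("remote-cert-tls " + parts[1])
        elif directive in ("ca", "cert", "key", "tls-crypt"):
            out.append(_section(directive, parts[1], files))
        elif directive == "cryptoapicert":         # Windows store -> inline cert + key
            out.append(_section("cert", client_cert, files))
            out.append(_section("key", client_key, files))
        elif directive == "tls-auth":              # inline form needs key-direction
            out.append(_section("tls-auth", parts[1], files))
            if len(parts) > 2:
                out.append("key-direction " + parts[2])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def external_references(config_text):
    """List directives that still depend on files, the Windows store or deprecated
    options; an empty list means the profile is fully inline."""
    found = []
    for line in config_text.splitlines():
        parts = line.strip().split()
        if parts and parts[0] in EXTERNAL:
            found.append(parts[0])
    return found


if __name__ == "__main__":
    profile = inline_config(SAMPLE_CONFIG, SAMPLE_FILES, "client.crt", "client.key")
    print(profile)
    print("remaining external references:", external_references(profile))
```

Because the private key now sits in the `.ovpn` file, that file deserves the same handling as the key itself (restrictive permissions, no shared drives), which is the trade-off behind the "not 100% ideal" remark earlier in the thread.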

big_D
OpenVpn Newbie
Posts: 8
Joined: Thu Apr 13, 2017 8:14 am

Re: Certificate expired on 2nd client

Post by big_D » Sat Apr 22, 2017 7:54 am

That is what I have done and that works.

I am also thinking that this is some sort of bug.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Certificate expired on 2nd client

Post by TinCanTech » Sat Apr 22, 2017 1:53 pm

big_D wrote:This seems to work on PCs where the local user is in the domain, but not when the user is logged on with a local account
I think you should look more closely at this ..

I do not think this is a bug .. but if it is a bug it is a bug with windows.
