AWS certification issue

puneet
OpenVpn Newbie
Posts: 9
Joined: Wed May 30, 2018 11:00 pm

AWS certification issue

Post by puneet » Thu Jun 28, 2018 2:39 am

I have deployed an OpenVPN server from the AWS Marketplace. After configuring the server I created an AMI of that instance.
When I deploy new instances from that AMI (multiple of them), my .conf (downloaded from the "master" instance) works on some new instances but throws an error on others!
AUTH: Received control message: AUTH_FAILED,REVOKED: client certificate has been revoked
How can I fix this?

PS: I have to autologin during/right after bootup. I can use a less secure method like just username/password and no certificate, but all information has to be in the .conf file as the user can't provide any input.

puneet
OpenVpn Newbie
Posts: 9
Joined: Wed May 30, 2018 11:00 pm

Re: AWS certification issue

Post by puneet » Thu Jun 28, 2018 2:51 am

I'm not sure if it's related, but is there a server setting where I can flag a certificate to not expire/change?

There are a lot of certificates in my .conf file; most of them are the same between two AWS instances.
The 3 sections that are changing:
# Extra user-defined configuration
cipher AES-128-CBC
## -----BEGIN RSA SIGNATURE-----
## DIGEST:sha256
<cert>
-----BEGIN CERTIFICATE-----
<key>
-----BEGIN PRIVATE KEY-----
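
The inline <cert> section is the one the server looks up when it reports a revoked client certificate, so it is the part worth comparing between profiles. Added example, not from this thread or from OpenVPN: a standard-library Python script that pulls the inline <cert> block out of a profile and reports the certificate's serial number and SHA-256 fingerprint, so two downloaded .conf files can be checked for whether they really carry the same client certificate and the serial can be matched against what the server's certificate database marks as revoked. The sample profile is constructed; its certificate is the web CA certificate quoted later in this thread's client config, used only as parseable input.

```python
# Added example, not from the thread: read the inline <cert> block of an OpenVPN
# client profile and report its serial number and SHA-256 fingerprint (stdlib only;
# the DER walk assumes a well-formed X.509 certificate).
import base64, hashlib, re

def inline_cert_der(profile):
    """DER bytes of the certificate between <cert> and </cert> in a profile."""
    pem = re.search(r"<cert>(.*?)</cert>", profile, re.S).group(1)
    return base64.b64decode("".join(re.findall(r"^[A-Za-z0-9+/=]+$", pem, re.M)))

def _tlv(buf, pos):
    """Decode one DER tag/length at pos -> (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der):
    """Certificate -> tbsCertificate -> optional [0] version -> serialNumber."""
    _, pos, _ = _tlv(der, 0)          # outer Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                   # explicit [0] version present: skip it
        tag, start, end = _tlv(der, end)
    assert tag == 0x02, "serialNumber INTEGER not found"
    return int.from_bytes(der[start:end], "big", signed=True)

def describe_cert(profile):
    """Serial in upper-case hex (as openssl prints it) plus the SHA-256 fingerprint."""
    der = inline_cert_der(profile)
    return {"serial": f"{cert_serial(der):X}", "sha256": hashlib.sha256(der).hexdigest()}

# Constructed minimal profile.  The certificate is the web CA certificate quoted in
# this thread's client config (base64 re-wrapped two PEM lines per line to fit).
SAMPLE_PROFILE = """client
<cert>
-----BEGIN CERTIFICATE-----
MIIDBjCCAe6gAwIBAgIEWwCgSzANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFPcGVuVlBOIFdlYiBDQSAyMDE4LjA1LjE5IDIyOjA4OjExIFVUQyBvcGVudnBuYXMy
MB4XDTE4MDUxMjIyMDgxMVoXDTI4MDUxNjIyMDgxMVowPDE6MDgGA1UEAwwxT3BlblZQTiBXZWIgQ0EgMjAxOC4wNS4xOSAyMjowODoxMSBVVEMgb3BlbnZwbmFzMjCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFtiINz+TIettBz4ZUboy0MwU+Gt9D+pjbwFsQYYTf1SlxKVtFmJzAwOeOhZ2I3MegYf9v/kkdAIdrQBzLzYQPc
SW5D3QxZFNOVlwgbt+b9zoyXzL6ZwL8Azg3AM9I0TIMsLgkRFvSswiRu0hM2oVP+mL7ID/HWWaLRKGVApOoNdiIrPEXtGyn1SxPstQ0L7YJrhHJnJcAGnpRSrDxwAQ4u
IMw6FdUErQSpp5WzvGaTjlDqOz6V3kYT3i4XTnEhWXuwT4urRHJPjyqwlTK5xIl1JhuPwGNojrpoSi/qFiZcSiC3PcIrccLtgw7wGzuCAHpRX6vq+CI0lAFEptITi3cC
AwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAPFakhXxJoiIYtuzmLtCJ9iLyt7dAoJ/ygKsLMa4YHB13YWkQEU8hpzclN4CUuNfkKMwwgvSr
ixKzP7ePR/fQEPWKjVGgb3QUdq1qjWY0nCMzl4kGkIPztAk7C+qylaRf0eSexL5d6UEvkDkjZusn0+21FhhorB2I7nVnETSxnFtykYKr15HJkUN+gJfnuoNnqn6TBMx2
/+KHBaDpBNNrqJeTIMqRA+0PMMrKCEwW8U3V7vN95pN7wJUMqe3OfrthOI1rJeQddfbfLFzKGiqCEhRBXrZnByTitvp9ReswncEmzhdQ88DmR9GyPrmzpjJJ4v02NFaB
lb/hypNGWYtJYQ==
-----END CERTIFICATE-----
</cert>"""
```

Call describe_cert() on the text of each downloaded profile and compare the two results; profiles with different fingerprints were issued different client certificates.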

TinCanTech
OpenVPN Protagonist
Posts: 4880
Joined: Fri Jun 03, 2016 1:17 pm

Re: AWS certification issue

Post by TinCanTech » Thu Jun 28, 2018 11:01 am


puneet
OpenVpn Newbie
Posts: 9
Joined: Wed May 30, 2018 11:00 pm

Re: AWS certification issue

Post by puneet » Fri Jun 29, 2018 1:34 am

* Server *

Operating system:

NAME="Ubuntu"
VERSION="16.04.4 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.4 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
Network setup:

openvpnas@openvpnas2:~$ ifconfig
as0t0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:172.14.224.1  P-t-P:172.14.224.1  Mask:255.255.240.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:200 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 02:2b:c5:24:34:48  
          inet addr:172.15.110.100  Bcast:172.15.110.255  Mask:255.255.255.0
          inet6 addr: fe80::2b:c5ff:fe24:3448/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:9001  Metric:1
          RX packets:22531 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12064 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:27631153 (27.6 MB)  TX bytes:1030223 (1.0 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:169 errors:0 dropped:0 overruns:0 frame:0
          TX packets:169 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:12814 (12.8 KB)  TX bytes:12814 (12.8 KB)

pr0       Link encap:Ethernet  HWaddr d6:31:75:3e:90:ee  
          inet6 addr: fe80::d431:75ff:fe3e:90ee/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:648 (648.0 B)
Server config file:
as.conf

# OpenVPN AS 1.1 configuration file
#
# NOTE:  The ~ symbol used below expands to the directory that
# the configuration file is saved in

# remove for production
# DEBUG=false

# enable AS Connect functionality
AS_CONNECT=true

# temporary directory
tmp_dir=~/tmp

lic.dir=~/licenses

# run_start retries
run_start_retry.give_up=60
run_start_retry.resample=10

# enable client gateway
sa.show_c2s_routes=true

# certificates database
certs_db=sqlite:///~/db/certs.db

# user properties DB
user_prop_db=sqlite:///~/db/userprop.db

# configuration DB
config_db=sqlite:///~/db/config.db

# log DB
log_db=sqlite:///~/db/log.db

# wait this many seconds between failed retries
db_retry.interval=1

# how many retries to attempt before failing
db_retry.n_attempts=6

# On startup, wait up to n seconds for DB files to become
# available if they do not yet exist.  This is generally
# only useful on secondary nodes used for standby purposes.
# db_startup_wait=

# Node type: PRIMARY|SECONDARY.  Defaults to PRIMARY.
# node_type=

# bootstrap authentication via PAM -- allows
# admin to log into web UI before authentication
# system has been configured.  Configure PAM users
# allowed to access via the bootstrap auth mechanism.
boot_pam_service=openvpnas
boot_pam_users.0=openvpn
# boot_pam_users.1=
# boot_pam_users.2=
# boot_pam_users.3=
# boot_pam_users.4=

# System users that are allowed to access the server agent XML API.
# The user that the web server will run as should be in this list.
system_users_local.0=root
system_users_local.1=openvpn_as
# The user/group that the web server will run as
cs.user=openvpn_as
cs.group=openvpn_as

# socket directory
general.sock_dir=~/sock

# path to linux openvpn executable
# if undefined, find openvpn on the PATH
#general.openvpn_exe_path=

# source directory for OpenVPN Windows executable
# (Must have been built with MultiFileExtract)
sa.win_exe_dir=~/exe

# The company name will be shown in the UI
sa.company_name=OpenVPN, Inc.

# server agent socket
sa.sock=~/sock/sagent

# If enabled, automatically generate a client configuration
# when a client logs into the site and successfully authenticates
cs.auto_generate=true

# files for web server (PEM format)
cs.ca_bundle=~/web-ssl/ca.crt
cs.priv_key=~/web-ssl/server.key
cs.cert=~/web-ssl/server.crt

# web server will use three consecutive ports starting at this
# address, for use with the OpenVPN port share feature
cs.dynamic_port_base=870

# which service groups should be started during
# server agent initialization
sa.initial_run_groups.0=web_group
#sa.initial_run_groups.1=openvpn_group

# use this twisted reactor
sa.reactor=epoll

# The unit number of this particular AS configuration.
# Normally set to 0.  If you have multiple, independent AS instances
# running on the same machine, each should have a unique unit number.
sa.unit=0

# If true, open up web ports on the firewall using iptables
iptables.web=true

vpn.server.user=openvpn_as
vpn.server.group=openvpn_as

* Client *

Operating system:

NAME="Ubuntu"
VERSION="18.04 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
Network setup:

ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.110.100  netmask 255.255.0.0  broadcast 192.168.255.255
        inet6 fe80::250:56ff:fe88:d378  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:88:d3:78  txqueuelen 1000  (Ethernet)
        RX packets 58449  bytes 4464306 (4.4 MB)
        RX errors 0  dropped 126  overruns 0  frame 0
        TX packets 42628  bytes 5094829 (5.0 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Client config file:

# Automatically generated OpenVPN client config file
# Generated on Fri Jun 15 18:04:23 2018 by openvpnas2
# Note: this config file contains inline private keys
#       and therefore should be kept confidential!
# Note: this configuration is user-locked to the username below
# OVPN_ACCESS_SERVER_USERNAME=hol-admin
# Define the profile name of this particular configuration file
# OVPN_ACCESS_SERVER_PROFILE=hol-admin@awsvpnserver.corp.local/AUTOLOGIN
# OVPN_ACCESS_SERVER_AUTOLOGIN=1
# OVPN_ACCESS_SERVER_CLI_PREF_ALLOW_WEB_IMPORT=True
# OVPN_ACCESS_SERVER_CLI_PREF_BASIC_CLIENT=False
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_CONNECT=True
# OVPN_ACCESS_SERVER_CLI_PREF_ENABLE_XD_PROXY=True
# OVPN_ACCESS_SERVER_WSHOST=awsvpnserver.corp.local:80
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_START
# -----BEGIN CERTIFICATE-----
# MIIDBjCCAe6gAwIBAgIEWwCgSzANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFP
# cGVuVlBOIFdlYiBDQSAyMDE4LjA1LjE5IDIyOjA4OjExIFVUQyBvcGVudnBuYXMy
# MB4XDTE4MDUxMjIyMDgxMVoXDTI4MDUxNjIyMDgxMVowPDE6MDgGA1UEAwwxT3Bl
# blZQTiBXZWIgQ0EgMjAxOC4wNS4xOSAyMjowODoxMSBVVEMgb3BlbnZwbmFzMjCC
# ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFtiINz+TIettBz4ZUboy0M
# wU+Gt9D+pjbwFsQYYTf1SlxKVtFmJzAwOeOhZ2I3MegYf9v/kkdAIdrQBzLzYQPc
# SW5D3QxZFNOVlwgbt+b9zoyXzL6ZwL8Azg3AM9I0TIMsLgkRFvSswiRu0hM2oVP+
# mL7ID/HWWaLRKGVApOoNdiIrPEXtGyn1SxPstQ0L7YJrhHJnJcAGnpRSrDxwAQ4u
# IMw6FdUErQSpp5WzvGaTjlDqOz6V3kYT3i4XTnEhWXuwT4urRHJPjyqwlTK5xIl1
# JhuPwGNojrpoSi/qFiZcSiC3PcIrccLtgw7wGzuCAHpRX6vq+CI0lAFEptITi3cC
# AwEAAaMQMA4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAPFakhXxJ
# oiIYtuzmLtCJ9iLyt7dAoJ/ygKsLMa4YHB13YWkQEU8hpzclN4CUuNfkKMwwgvSr
# ixKzP7ePR/fQEPWKjVGgb3QUdq1qjWY0nCMzl4kGkIPztAk7C+qylaRf0eSexL5d
# 6UEvkDkjZusn0+21FhhorB2I7nVnETSxnFtykYKr15HJkUN+gJfnuoNnqn6TBMx2
# /+KHBaDpBNNrqJeTIMqRA+0PMMrKCEwW8U3V7vN95pN7wJUMqe3OfrthOI1rJeQd
# dfbfLFzKGiqCEhRBXrZnByTitvp9ReswncEmzhdQ88DmR9GyPrmzpjJJ4v02NFaB
# lb/hypNGWYtJYQ==
# -----END CERTIFICATE-----
# OVPN_ACCESS_SERVER_WEB_CA_BUNDLE_STOP
# OVPN_ACCESS_SERVER_IS_OPENVPN_WEB_CA=1
# OVPN_ACCESS_SERVER_ORGANIZATION=OpenVPN, Inc.
setenv FORWARD_COMPATIBLE 1
client
proto tcp
remote awsvpnserver.corp.local
port 80
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
connect-retry 13 [max]
keepalive 20 60

##auth-user-pass pass.txt
## Tried the auth-user-pass directive, but that throws the following error:
## AUTH: Received control message: AUTH_FAILED,REVOKED: client certificate has been revoked

# NOTE: LZO commands are pushed by the Access Server at connect time.
# NOTE: The below line doesn't disable LZO.
comp-lzo no
verb 3
setenv PUSH_PEER_INFO
