[solved] Can't activate license key because https://licensing.openvpn.net uses a self signed certificate

Business solution to host your own OpenVPN server with web management interface and bundled clients.
Post Reply
Mave
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 22, 2019 9:49 am

[solved] Can't activate license key because https://licensing.openvpn.net uses a self signed certificate

Post by Mave » Fri Mar 22, 2019 9:55 am

Hi guys. I've bought a license, but I'm unable to activate. The error in the web admin interface:

Code: Select all

Error: LicenseActivate: <Fault 9000: "OpenSSL.SSL.Error: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')]">
Error: <bound method AdminLicensing.chain_get_license_info of <pyovpn.admin.licconf.AdminLicensing object at 0x7fefe36263d0>>: ('Could not adapt', '', <InterfaceClass nevow.inevow.ISession>)
The certificate I'm using for the VPN is valid. It accepts everything, people can connect, it's working like a charm. It's just the SSL connection/verification to the OpenVPN licensing server which refuses to work. It's not the firewall, because there's no outgoing rules whatsoever.

Command line:

Code: Select all

/usr/local/openvpn_as/scripts/liman activate "MY-KEY-HERE"
gives:

Code: Select all

OpenSSL web ciphersuites: DEFAULT:!EXP:!PSK:!SRP:!LOW:!RC4
OpenSSL Error: <depth=1 err=X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain subj=<X509Name object '/CN=OpenVPN Licensing'>>
ERROR: [('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')] (OpenSSL.SSL.Error)

Which makes perfect sense, because when you browse to https://licensing.openvpn.net it throws a warning, saying that certificate is self-signed. Sure, I can activate offline, but why does that public facing webserver leverage an invalid self-signed certificate?
Last edited by Mave on Fri Mar 22, 2019 10:44 am, edited 1 time in total.
Top
User avatar
novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Can't activate license key because https://licensing.openvpn.net uses a self signed certificate

Post by novaflash » Fri Mar 22, 2019 10:05 am

That's completely normal. We use self-signed certificates on purpose.

The problem is that your Access server is out of date. Please see also the banner at the top of the openvpn.net website. It goes to this URL which explains the situation:
https://openvpn.net/security-advisories/
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
Top
User avatar
novaflash
OpenVPN Inc.
Posts: 1073
Joined: Fri Apr 13, 2012 8:43 pm

Re: Can't activate license key because https://licensing.openvpn.net uses a self signed certificate

Post by novaflash » Fri Mar 22, 2019 10:06 am

Note that there is also a very slight chance (but unlikely) that your connection to the activation server is being intercepted by a firewall or security product and replacing the certs presented to the access server by its own to try and redirect/capture your traffic. In that case you may have to create some exception in your firewall/security product.
I'm still alive, just posting under the openvpn_inc alias now as part of a larger group.
Top
Mave
OpenVpn Newbie
Posts: 2
Joined: Fri Mar 22, 2019 9:49 am

Re: Can't activate license key because https://licensing.openvpn.net uses a self signed certificate

Post by Mave » Fri Mar 22, 2019 10:44 am

novaflash wrote:
Fri Mar 22, 2019 10:05 am
 That's completely normal. We use self-signed certificates on purpose.

The problem is that your Access server is out of date. Please see also the banner at the top of the openvpn.net website. It goes to this URL which explains the situation:
https://openvpn.net/security-advisories/
Ah yep, that would be it. Thanks much for your help. I've installed the Licensing Patch for our other servers, as they had existing license keys. Thanks!
Top
Post Reply

Return to “The OpenVPN Access Server”