Can't connect to Synology NAS after SSL certificate expiry

[gazm2k5]

I am trying to use my android phone to connect to my Synology NAS.

When I first set it up, it worked, but the certificate expired and now it won't connect.

Here is the log from android:

Code: Select all

15:15:12.926 -- ----- OpenVPN Start -----

15:15:12.927 -- EVENT: CORE_THREAD_ACTIVE

15:15:12.939 -- OpenVPN core 3.git:released:662eae9a:Release android arm64 64-bit PT_PROXY

15:15:12.939 -- Frame=512/2048/512 mssfix-ctrl=1250

15:15:12.940 -- UNUSED OPTIONS
1 [tls-client] 
3 [pull] 
5 [script-security] [2] 

15:15:12.941 -- EVENT: RESOLVE

15:15:12.945 -- Contacting [REMOVED MY IP]:[REMOVED MY PORT] via UDP

15:15:12.946 -- EVENT: WAIT

15:15:12.950 -- Connecting to [REMOVED MY CUSTOM DOMAIN]:[REMOVED MY PORT] ([REMOVED MY IP]) via UDPv4

15:15:13.046 -- EVENT: CONNECTING

15:15:13.048 -- Tunnel Options:V4,dev-type tun,link-mtu 1602,tun-mtu 1500,proto UDPv4,comp-lzo,cipher AES-256-CBC,auth SHA512,keysize 256,key-method 2,tls-client

15:15:13.051 -- Creds: Username/Password

15:15:13.052 -- Peer Info:
IV_VER=3.git:released:662eae9a:Release
IV_PLAT=android
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=net.openvpn.connect.android_3.2.4-5891
IV_SSO=openurl


15:15:13.981 -- VERIFY OK: depth=1, /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

15:15:13.993 -- VERIFY FAIL: depth=0, /CN=nysche.synology.me [certificate has expired]

15:15:14.009 -- Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

15:15:14.012 -- EVENT: CERT_VERIFY_FAIL info='OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed'

15:15:14.024 -- EVENT: DISCONNECTED

15:15:14.025 -- Tunnel bytes per CPU second: 0

15:15:14.026 -- ----- OpenVPN Stop -----

The problem here seems to be that it's trying to use the nysche.synology.me certificate, which is not only expired but I have removed it from my Synology NAS and replaced it with a fresh one. I was never using nysche.synology.me with OpenVPN to connect to my nas, I was using my own custom domain which I have set up to point to my home IP address.

So why is OpenVPN trying to use nysche.synology.me? I don't know where it got this from.

Note: I have removed my IP and port/domain from the logs.

[TinCanTech]

I am trying to use my android phone to connect to my Synology NAS

The problem is the server not Android.

15:15:13.993 -- VERIFY FAIL: depth=0, /CN=nysche.synology.me [certificate has expired]

15:15:14.009 -- Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

The problem here seems to be that it's trying to use the nysche.synology.me certificate, which is not only expired but I have removed it from my Synology NAS and replaced it with a fresh one

Not so.

[gazm2k5]

15:15:13.993 -- VERIFY FAIL: depth=0, /CN=nysche.synology.me [certificate has expired]

15:15:14.009 -- Transport Error: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

The problem here seems to be that it's trying to use the nysche.synology.me certificate, which is not only expired but I have removed it from my Synology NAS and replaced it with a fresh one

Not so.

https://imgur.com/xt3i8PZ
I have removed it from the list of certifiates. Everything I've blurred out here is my new custom domain (which points to my home IP). Not sure where else the old details might be lingering.

[Pippin]

Did you restart the VPN Server package?
Did you re-export the client config?

[gazm2k5]

Did you restart the VPN Server package?
Did you re-export the client config?

I have restarted the VPN server package and re exported the client. It still gives the same reference to that old CNAME that I never used.

I also have a problem in the OpenVPN app where when I click on a profile to connect, it asks me to select a certificate. If I add one, it says "certificate added" but then it takes me back to a screen that says there are no certificates. Instead I have to select "Continue" without selecting a certificate. This used to work but now is giving that error, not sure if this is an issue.